Who is behind ransomware attacks?

Looking at cybercriminals' motivations, recruiting tactics, and targets. How did ransomware come to operate like a software business? Plus a deep dive into who joins ransomware criminal gangs. Learn why teenage boys are often recruited.

When I was a teen, MP3s were the revolution. I was raised in a small country town. Our music store, the size of a closet, sold non-Celine Dion CDs for $25 (if you want to get depressed, Google how much that is today with 25 years of inflation). Before Napster, we would trade ripped MP3s and bootleg concerts over Internet Relay Chat (IRC). People who shared a lot were invited to private "warez" forums.

Warez was the frontier. See, once you were on these channels, you became a pirate. Warez fed urban legends, the "I know a guy who got busted by the feds" type. It was for people who were serious, "Breaking Bad" style.

Knowing what I know now, I'm amazed we, small-town teens, got so close to the hacking groups who, twenty-something years later, would evolve into breeding grounds for cybercrime gangs. This is not about downloading Metallica music anymore, we're talking full-blown ransomware.

Make no mistake, cybercrime built a business on top of our bad information security habits and, to this day, is still luring teenagers into doing its bidding. This week, we explore the underbelly of these gangs, which will hopefully help us better protect ourselves. I'll answer these questions, explained like you're five:

  • Who is behind ransomware attacks?
  • How do they operate?
  • Why do people join them?
  • What are the signs a teenager has "crossed the line" into illegal activities?

Ransomware gangs are a business, plain and simple

In their latest podcast, Risky Biz identified earnings from popular ransomware groups in the past 5 years. Rising group LockBit is reportedly close to joining Ryuk and REvil in the $100 million club of "official" gains (as in: victims that declared payments to the FBI).

What's so stunning about these highly organized gangs is their business-like structure. The "Research & Development" departments, located in Russia, Eastern Europe, or Iran, manage the malware's source code. The most advanced strains work like modern applications, complete with user interfaces and "one button exploits". A "customer support" department handles communications with victims and negotiators. A "finances" team takes care of cryptocurrency transactions and money laundering, which can be integrated into broader illegal trades such as arms dealing. Some gangs also work in a "contractor" fashion: you pay us to breach a certain target, and you take it from there!

Not impressed yet? How about an affiliate program? To scale their operations, criminals found out they couldn't rely on attacking all targets themselves. Enter partnerships! The R&D side provides the application in exchange for a percentage (20%-30%), while the partners take care of selecting the targets and carrying out the attacks themselves, and they keep the rest.

The affiliate program carries the most risk for our young ones, as we'll see.


The recruiting funnel

Cybernews "infiltrated" the recruiting process of a cybercrime gang. The security researchers responded to an ad in a hacking forum. They had to prove they were native Russian speakers and pass a skills test. The opening was indeed for an "affiliate" who conducts more or less "rogue" attacks using pre-made tools.

The big takeaway here is that these ads were posted in hacking forums. Most of these are "invite only". So, how do you get an invite, huh? Just like our teenage selves got invited to warez forums 25 years ago: by providing reliable services to some low-level "warez" group, gaining trust, and escalating from there.

These days, gaming is the gateway. I wrote about how the Mirai botnet was built by a gamer who saw the commercial potential of denial of service for hire in Minecraft. Hackers will figure out cheats. Then they'll find out how to make a buck by hijacking a dodgy subscription system... until somebody notices them.


Who are these people?

I'm not a criminologist and I cannot describe the gangs' mafia affiliations. Orange Cyberdefense has established a detailed map of the main actors. The patterns come from the "style" of their code, the way they express themselves, the forums they hang out in, and the messages they leave for victims. Most research focuses on such behaviours and technology. I'm more interested in their psychology.

Paras Jha, who created the Mirai botnet, embodies the typical recruit. Ditto for the famous black hat turned white hat Marcus Hutchins, who stopped the WannaCry ransomware that he, unbeknownst to him, helped create. More recently, two boys aged 16 and 17 were arrested for belonging to the Lapsus$ ransomware gang.

This is the story of lonely boys with untreated ADHD who turn to computers as a refuge from their solitude. Using the computing skills that make them nerds in high school, they finally find worthiness and a sense of purpose.

The distance facilitates recruitment. It's a cliché, but still true: many do start out in their mama's basement! It does not feel dangerous. Plus, ransomware is planted far away. Most attacks do not result in physical harm to the victims. It's easy to feel like you're in a video game. And finally, when your victim is a large corporation, most of which have their fair share of skeletons in the closet, it's easy to convince yourself they "had it coming".


How to spot if your teen has fallen into a bad situation?

I'm a dad of four boys, so I can probably imagine what you're thinking! How do you spot whether your son's computer habits are leading him astray? The answer is complex, as many legitimate programmers get their start with video game modding and hacking. I reviewed some sites, many of which were cartoonish. Here are some signs I would look out for:

  • Sudden wealth with unclear sources;
  • Friends only use a pseudonym;
  • Never communicates on a headset (only chat);
  • Possession of gift cards, distribution of Steam video game keys, or pre-paid cards.

These are the distinctive ones I could identify. Sure, you might wonder about your teen hiding away his internet traffic from you. But let's be real, they're more likely to hide porn than hacking activities...

If you have reasonable suspicions, I think the solution is to engage with your teen by letting them know about:

  • How ransomware is still claiming victims. Individuals suffer emotional or psychological harm from job losses or loss of privacy;
  • How it is now possible to earn a decent living as an ethical hacker;
  • How their online "friends" are, one way or another, using them.

It's just not MP3s anymore.


🥊 Latest In InfoSec

How do advertisers target you? The Markup analyzed Microsoft's Xandr ad platform and gathered 650,000 ways advertisers target you. Some segments, such as "depression-prone" and "heavy purchasers of pregnancy tests", sort of destroyed my faith in humanity. Story

Did you know you can recover more data from a computer's volatile memory by freezing it? Volatile memory, or RAM, needs power to persist. However, the data does not disappear as soon as the computer is powered off; it merely degrades. Freezing slows down the decay. A company has built a prototype of a robot that can perform this "cold boot" using $2,000 worth of material, including an "elastomer" with a gummy bear texture. I have no idea how this can work, but it's pretty impressive. Government agencies are the likely customers of this new type of recovery robot. Story

See all the deceptive attempts by Microsoft to make people use Edge. Some tricks include forcing emails in Outlook to be opened in Edge, denying IT administrators the right to disable Edge centrally, sending all visited websites to the Bing API, and passive-aggressive ads when you download Chrome. It's really sad to see such tactics, especially when they are borderline privacy rights violations. It feels like the Edge team was given unrealistic metrics and now they're destroying the brand to meet the arbitrary numbers. Story


❓ Question of the Week

Do you know anybody who ever visited a warez forum?


🥳

Thank you for reading!

If you like my content, subscribe to the newsletter with the form below.

Cheers,
Pierre Paul