How the Ransomware Economy Has Grown
The breadth and magnitude of ransomware attacks occurring today suggest that the cyber extortion industry has evolved exponentially over the past 12 months. It is as difficult to keep up with the headlines as the security advice that follows. In the face of this media firehose, it is important to step back and understand how we got to the state. We feel there are three primary elements that have lead to the current state of cyber extortion, and ransomware in particular.
Element #1: Socio-economic conditions for STEM Educated Citizens of Eastern European Countries
Cyber criminals and hackers are almost universally portrayed as hooded criminals, operating in the shadows. In reality, most cyber criminals likely resemble your average office worker, vs. a deviant cyber criminal. So who are these people, and why do they commit these crimes?
During the 1990’s and 2000’s, CIS Republics worked to migrate from planned economies, rooted in natural resources to a more open economy where private industry contributed more to domestic production. During this period, a large population of young, STEM educated CIS citizens joined the labor pool without corresponding job opportunities that complemented their technical abilities. These individuals desired a better life and the material things that come with it. Jonathan Lusthaus, author of Industry of Anonymity probably wrote it best in a recent New York Times Op-Ed:
“Unfortunately, many of the economies in former Soviet countries cannot legitimately support the glut of technical talent produced by this high-quality education system. There is a lack of government and private financing to help entrepreneurs start their own businesses and not enough well-paid jobs for skilled people such as programmers. With limited opportunities, many highly capable Eastern Europeans are carving out careers in cybercrime, leading to the creation of what is effectively a criminal Silicon Valley.”
To be sure, there are stereotypical cyber criminals that seek the image of a drug kingpin. In reality, the median cyber criminal probably earns the equivalent of a well paid US based software engineer every year.
How do these individuals justify being a criminal AND avoid jail time? There are two elements that allow cyber criminals to become criminals and remain criminals for a long period of time. The first is a cultural ambivalence towards the west. Theft from US companies or Western Europe is not considered an egregious offence in many of these countries. This ambivalence has been passed down from a generation that battled the US during the Cold War. The mentality allows these persons to make a career out of crime without succumbing to a crisis of identity. The jurisdictions where most cyber criminals reside are beyond the subpoena power of the US and Western Europe. Moreover, because these states can’t gainfully employ these individuals, they are incentivised to offer protection from western law enforcement. Local economies of these states benefit from the consumer spending that cyber crime fuels after the proceeds from ransomware and other crimes are cashed out and brought back into the local economy. The state wins, the criminals win and the crime continues. There is no incentive for either to break the partnership.
Element #2: Mainstream Development of the Cryptocurrency Ecosystem
Before crypto currency, cyber criminals would target the theft of two things: fiat currency, or data that could be sold on a dark market for currency. Theft of currency via social engineering, business email compromise or direct hacks has one prickly drawback - time. In order for fiat currency to be stolen, it must escape the traditional banking system. This escape takes time, and if the victim is able to thwart the movement of currency before it escapes, the funds can be recovered. Roughly 75% of currency based theft (like Business Email Compromise) is recovered by law enforcement before it disappears off the grid of the banking system. Stolen data suffers from a different type of monetization problem. First, stealing large amounts of valuable data is very hard and a highly specialized skill. Second, finding a willing purchaser of stolen data can be time consuming and dillutive. Stolen currency has concrete value. Stolen data is only as valuable as what the marginal buyer is willing to pay for it. Enter crypto currency.
While cryptocurrency payments are traceable, the ownership is anonymous and easily obfuscated. The second is zero friction transfer. Sending 1 million dollars from a US bank to an overseas bank will take multiple people, signatures, banks, intermediary banks and days to arrive. A similar transfer of bitcoin will take seconds and cost almost nothing. The boom of speculative interest in bitcoin and subsequent development of other privacy coins has spawned a robust ecosystem of financial services and tools meant for legitimate cryptocurrency users, but which are also utilized cyber criminals. Crypto currency exchanges in jurisdictions that don’t uphold western standards of anti-money laundering are a haven for criminal activity. The advent of privacy coins like Dash and Monero that, unlike Bitcoin, are not traceable also aid money laundering and the conversion of cryptocurrency to fiat currency.
All of this innovation has greatly benefited cyber criminals. The COO of Stripe, Claire Hughes Johnson presciently noted that “Bitcoin’s killer App has been ransomware, not payments.” While we are big fans of cryptocurrency for mainstream good, it is hard to argue with her perspective.
Element #3: Mass Availability of cheap Malware and Free Hacking Tools
While the ransomware payload that, when detonated, encrypts files is often the focal point of a ransomware attack, it is actually the least spectacular and easiest to spot piece of malicious software involved. The malware that allowed the actor to get inside is much more sophisticated pervasive and troubling. Even more problematic than eradicating malware or persistence from a network, is the mass availability of free or cheap malware to anyone with a few dollars and criminal intent. So where did all of this malware come from? Well, a large volume of it was built by western governments, breached by hacking groups of various origins, and spilled into the wilderness for anyone to consume. Today, breached RDP credentials to a midsized US company can be purchased for less than one hundred dollars on numerous dark marketplaces, making the unit economics of a ransomware attack highly compelling. The open availability of ransomware as a service kits have also dramatically lowered the bar to entry. One does not need to be technical to distribute ransomware anymore. There is also an odd relationship between free availability of pen-testing tools like Empire, Mimikatz, Kali Linux, and Metasploit and use of these same tools for criminal tradecraft. There are even calls from the white-hat security ecosystem to regulate the use of these tools given how powerful they are, and how prevalent their use is in cyber crime. The end result is that your average dark marketplace has more malware SKU’s than a Home Depot has construction SKUs.
These three elements (labor, currency, and raw materials) form the fundamental ingredients that fuel the cyber extortion industry. The combination of a large, highly talented labor pool, using cheap raw material and finished malware products, with logistics, communications and financing running at zero friction have created the environment we find ourselves in today. Note one ingredient that we have not mentioned, insurance. Cyber insurance is neither a fundamental element, enabler or accelerant to cyber crime. Its existence neither causes cyber crime, nor is the answer to preventing it. Cyber insurance is a risk mitigation tool. Investment in basic security operations, tools, and staff and risk mitigants like insurance is something every company should consider.
Changing the momentum of cyber extortion activity requires tilting the economics of the industry. Cyber extortion is simply too profitable for criminals right now. Pushing the industry into a less profitable position is the first step. If we can change the economics, we can change the game.