The past two years have seen a surge in attacks from cryptocentric ransomware.

Not only are bad actors becoming more refined, they are also providing access to other, less sophisticated actors. Experts believe that crypto crime of this nature was particularly prevalent in the midst of the coronavirus pandemic. But how does it all connect, and what can the industry do to shut it down?

As with all groups, the cryptocurrency industry has its share of bad apples. Since 2018, ransomware attacks worldwide have increased by 200%. To make matters worse, the software required to carry out such attacks is widely available on the darknet.

In Singapore, the situation is probably at its peak. Instances of so-called "crypto-jacking" - a form of ransomware in which criminals commandeer devices to mine cryptocurrency - increased 300% year on year in the first quarter of 2020. According to cybersecurity firm Kaspersky, the growing difficulty of mining, coupled with the subsequent hike in electricity costs, is at the root of the problem. As to why Singapore is so disproportionately affected, Kaspersky suggested that the country's high-performance Internet could attract bad actors.

But this is by no means a localized phenomenon. According to the "2020 Incident Response and Data Breach Report" from the cybersecurity firm Crypsis Group, ransomware attacks have more than doubled in the past two years.

COVID-19 seems to have been a boon for cybercriminals. At a recent House hearing in the United States, the FBI revealed a 75% increase in daily cybercrimes since the appearance of the coronavirus. Expert witness Tom Kellermann, head of cybersecurity strategy for VMware, also cited an inconceivable 900% increase in ransomware attacks between January and May 2020.

Thomas Glucksmann, vice president of global business development for blockchain analytics company Merkle Science, explained that the escalation of ransomware and cryptojacking attacks could be attributed to the exploitation of pandemic-related anxiety through targeted COVID-19 campaigns.

“Such campaigns include emails or advertising websites, government information and fake apps that prompt users to download malware that infects devices and can be used to compromise data and networks (via ransomware) and computing power (cryptojacking).”

The end of ransomware attacks

Along with the increase in attacks, more sophisticated techniques and variants have emerged. These include Ryuk and Sodinokibi, the latter also known as "REvil". These particularly insidious ransomware variants deny users access to their device, system, or files until a ransom is paid. Ryuk and REvil are both designed to target corporate networks. The law firms Fraser, Wheeler & Courtney LLP and Vierra Magen Marcus LLP discovered this the hard way.

The two companies were victims of a REvil ransomware attack by the threat group of the same name. On June 6, REvil's official darknet blog announced the auction of more than 1.7 TB of data taken from the companies' databases. The listing was described as containing both private company and customer information, including business plans and patent agreements from Asus to LG. The initial bid price for Fraser, Wheeler & Courtney's data was set at $30,000, payable only in Bitcoin (BTC). REvil noted that if the reserve price was not met, the files would nevertheless be made public.

This is not the first time that REvil has made the headlines. The group previously hit Grubman Shire Meiselas & Sacks, the law firm linked to music stars such as Madonna, Lady Gaga and Nicki Minaj. However, after failing to collect payment, the group has apparently changed its mode of operation, raising the stakes for its victims through public auctions.

Another ransomware gang, known as "Maze", went even further by targeting the government-affiliated aeronautical company ST Engineering Aerospace. Maze took about 1.5 TB of the organization's data, 50 GB of which found its way to the darknet soon after. One notable aspect of this attack was that the ransomware was initially undetectable. Another particularly nasty and almost imperceptible ransomware strain, aptly nicknamed "STOP", encrypts the victim's entire system and demands payment in exchange for decryption.

It is therefore perhaps not surprising that ransomware detection and decryption software is becoming commonplace, offering a way to retaliate and decrypt files made inaccessible by attackers.

However, bad actors are turning this to their advantage by disguising ransomware as ransomware decryption software. Rather than decrypting files infected with ransomware, the fake software encrypts them further, ensuring that victims have no choice but to pay or permanently lose their data.

Ransomware-as-a-service

It's not just sophisticated cybergangs who have access to these tools. To make matters worse, ransomware is openly sold on the darknet. Formally known as ransomware-as-a-service, or RaaS, this model sees threat actors peddle their franchises to unsophisticated miscreants.

Glucksmann noted that while the majority of RaaS offerings are duds, this new commercialized form of crime is still fueling the ransomware epidemic: "Not all of this malware for sale is actually usable, but the existence of these services shows how malware became a commodity and a common threat." In the same vein, blockchain analytics company Chainalysis has gone so far as to position RaaS as a reason for the recent increase in attacks. Kim Grauer, research manager at Chainalysis, told Cointelegraph:

"We believe that the proliferation of Ransomware as a Service (RaaS) is contributing to the increase in ransomware attacks. Many attackers who develop ransomware technology now allow less sophisticated attackers to rent access to it, just like a business would pay a monthly fee for software like Google's G-Suite. The main difference is that the makers of the ransomware also get a cut of the money from any successful attack."

Fortunately, law enforcement agencies are starting to gain the upper hand. According to data from the cybersecurity firm Trend Micro, takedowns of several darknet markets by the authorities have sown doubt in the minds of criminals. With darknet data in the hands of law enforcement, protecting anonymity has become a major concern among criminals, resulting in a significant drop in darknet sales.

However, Grauer thinks the decline has not yet been large enough, as the revenues generated by darknet markets have already reached $790 million, adding: "We haven't quite reached half of 2020 yet, but the amount of income from the darknet market is already more than half of the 2019 value."

Are things really that bad?

Cryptocurrencies are often overly stigmatized as tools of corruption. This stereotype has dominated the crypto narrative over the years, serving as a convenient line of attack for crypto detractors. As the evidence suggests, this narrative is not entirely accurate.

The industry's association with illegal activity started - like everything else in crypto - with Bitcoin. According to Tom Robinson, co-founder and chief scientist of blockchain analytics company Elliptic, in the early days of crypto, around 2012, criminal activity accounted for more than a third of all Bitcoin transactions. That figure has changed considerably since then, as Robinson told Cointelegraph:

"The absolute amount of criminal use of crypto may have increased, but the overall use of crypto has grown faster. According to Elliptic figures, in 2012, 35% of all Bitcoin transactions by value were associated with criminal activity - at the time, it was mainly illicit trade on the Silk Road black market. Today, illegal Bitcoin transactions account for less than 1% of all Bitcoin transactions."

Still, a Ciphertrace report suggests that 2020 could become a record year for thefts, hacks, and fraud related to cryptocurrencies. For Grauer, it is still far too early to call. “Looking at the total illegal activity so far this year, we find that the trend is actually weak compared to last year,” said Kennedy, adding: “It is possible that we are seeing a dramatic increase in scams in the second half.”

Avoid ransomware attacks

So, with ransomware attacks more widespread than ever, there are several methods people can use to avoid falling victim. "It is important that people and organizations stay informed about new threats and techniques," said Kennedy. "We can help cyber teams to quantify and prioritize the threat landscape and identify the emerging players and players that dominate the scene." Offering practical advice, Glucksmann argued for some degree of paranoia toward any suspicious email, website, application, or contact request.

"Ensuring that all of your personal and corporate online services are protected by multi-factor authentication can also make it more difficult for a threat actor to obtain your cryptocurrency data or funds, even if they are able to compromise your device. For a more powerful multi-factor authentication configuration, I would highly recommend a hardware token instead of a mobile device."

"Do not pay the ransom because it could be considered illegal by the police in many jurisdictions," Glucksmann was quick to add.

Regulation and Society adoption
