Ransomware: From Code to Crisis
Written by Scott Mistler-Ferguson
With Special Contributions from
Steph Shample, Allan Liska, and Zoë Brammer
Edited by Michael Hilliard
Just a few years ago, ransomware actors barely cropped up in press releases coming from the U.S. government. Fast forward a few years and the FBI’s Cyber’s Most Wanted list is absolutely riddled with them. The State Department has, on multiple occasions, offered multimillion-dollar rewards for simple information on these criminals, and the Treasury Department has taken to sanctioning them with a concentrated vengeance, particularly after reported ransomware payments reached a new high of $765 million USD in 2021, with untold billions more in related damages.
However, as a slight upside to this upswing in activity, the issues of data theft, encryption, and ransoming have finally gained widespread recognition as a criminal national security risk. Many in the national security sphere have adopted an exasperated “better late than never” attitude, since ransomware represents more than just illegal financial gain. As many working in this theater are fully aware, in the right hands it can be aimed at larger foes like the EU or the United States.
Source: U.S. Federal Bureau of Investigation Most Wanted Cyber List
Going from Gift Cards to Bitcoin
First witnessed in 1989 as malware distributed on floppy disks, ransomware is in many ways a more old-school crime than most assume. However, because the crime takes place in cyberspace, it has become a warfighting theater that evolves far quicker than other forms of organized crime or conventional combat, and actors in this area now engage in a never-ending arms race with both law enforcement and cybersecurity researchers.
Once upon a time, these criminals usually demanded no more than $200 USD from their victims for the return of their stolen files, often requesting gift cards as payment. Today, top paid ransomware outfits pocket multi-million sums, and cripple entire government services, as the UK witnessed against its NHS a few years ago.
This increase in actors and ransoms being paid has lent itself to a sort of revolving door in the market, where criminal organizations rise, fall, and get replaced by similarly equipped actors seemingly overnight. In fact, the blockchain research firm Chainalysis reported that the average lifespan of a ransomware strain in 2020 was just 70 days, less than half that of 2021 and a world away from the 3,907-day average typical of ransomware strains in 2012. This forces these actors to constantly innovate and rearm in order to stay competitive.
Most of the best-organized ransomware gangs these days operate out of Russia and its immediate periphery, but the nations of the Commonwealth of Independent States (CIS) aren’t alone. North Korea, Iran, China, Cuba, Turkey, and even Vietnam all have highly competent ransomware gangs active within their borders, and whilst their methods vary depending on skills, resources, and targeting, a whole raft of consistencies between those methods continues to emerge.
Tactics, Techniques, and Procedures
To oversimplify, a modern ransomware attack can be divided into the five stages displayed below.
STEP-BY-STEP EXPLANATION
STAGE #1 - Initial Access
The Initial Access Stage is the first breach of a network, akin to a thief sneaking into an apartment building through the back door. The key used to break in typically comes in the form of compromised credentials (leaked usernames, passwords, etc.), vulnerabilities found in the victim’s software, or the infamous phishing message that tricks users into unknowingly letting the thief in themselves.
STAGE #2 - Snooping
Once the thief has gained access, they will begin digging around, moving laterally through the network and searching for privileged information or administrative access. The weapon of choice in this Snooping Stage is usually Cobalt Strike, ironically a tool designed for commercial network penetration testing. Ransomware gangs often seek out cracked versions of the tool or purchase licenses through front companies.
STAGE #3 - Exfiltration
Once the thief has gained access to as many rooms as possible within the building, it’s time to steal the valuables. In the network of a large company these are usually accounting information, finance documents, and any sensitive data the company may keep on its clients. Rclone is a common tool in this Exfiltration Stage, as it allows actors to remove data from the network quietly and flies under the radar of most security software.
STAGE #4 - Activation
At Stage Four, the cybergang releases the hounds. The gang will find any potential backups of the data they’ve exfiltrated to disrupt those as well, before releasing the ransomware across the network. The job of the ransomware in this Activation Stage is to encrypt data and network systems, effectively locking the victim’s own valuables in a new safe so the thief can extort them for the key.
STAGE #5 - Extortion
Getting that key involves paying the final ransom. The most basic form of the Extortion Stage is for the ransomware gang to notify the victim directly that their data has been compromised, warn them against taking any action attempting to recover the data, restart their systems, or reach out to law enforcement, and request payment for the decryption key, almost invariably in the form of cryptocurrency.
Source: A Lockbit Lock Screen
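One way a defender might turn the five stages above into detection logic, as an added example that is not part of the original article: it classifies constructed endpoint events against each stage, records Snooping only once admin logons fan out across several hosts, and flags that exfiltration alone already means a leak-site threat. The event schema, field names, thresholds and sample records are constructed assumptions, not any product’s output.

```python
"""Map constructed endpoint telemetry onto the article's five ransomware stages.

Added example, not from the original article: the event schema, thresholds and
sample records are constructed assumptions, not any product's output.
"""
STAGES = {1: "Initial Access", 2: "Snooping", 3: "Exfiltration",
          4: "Activation", 5: "Extortion"}
INTERNAL = ("10.", "192.168.")             # assumed corporate address space
OFFICE = {"winword.exe", "excel.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe"}
EXFIL_BYTES = 1_000_000_000                # assumed outbound-volume threshold
MASS_RENAME = 10_000                       # assumed "encryption under way" threshold

# Constructed sample telemetry: (time, host, event_type, attributes).
SAMPLE_EVENTS = [
    ("09:01", "ws-17", "logon", {"type": "remote", "src": "203.0.113.5"}),
    ("09:04", "ws-17", "process", {"image": "winword.exe", "child": "powershell.exe"}),
    ("09:30", "ws-17", "logon", {"type": "admin", "dst": "fs-01"}),
    ("09:31", "ws-17", "logon", {"type": "admin", "dst": "fs-02"}),
    ("09:33", "ws-17", "logon", {"type": "admin", "dst": "dc-01"}),
    ("11:10", "fs-01", "process", {"image": "rclone.exe"}),
    ("11:12", "fs-01", "netflow", {"dst": "198.51.100.9", "bytes_out": 3_200_000_000}),
    ("23:40", "fs-01", "backup", {"action": "delete"}),
    ("23:45", "fs-01", "file_rename", {"count": 41_000, "new_ext": ".locked"}),
    ("23:46", "fs-01", "file_create", {"name": "HOW_TO_RESTORE_FILES.txt"}),
]

def classify(event):
    """Return the stage an event is evidence for, or None if it looks routine."""
    _, _, kind, a = event
    if kind == "logon" and a.get("type") == "remote" and not a.get("src", "").startswith(INTERNAL):
        return 1  # valid credentials used from outside: leaked or bought access
    if kind == "process" and a.get("image") in OFFICE and a.get("child") in SCRIPT_HOSTS:
        return 1  # document spawning a script host: the phishing route in
    if kind == "logon" and a.get("type") == "admin":
        return 2  # lateral movement; only counted once it fans out (see correlate)
    if kind == "process" and a.get("image") == "rclone.exe":
        return 3  # the exfiltration tool the article names
    if kind == "netflow" and a.get("bytes_out", 0) > EXFIL_BYTES:
        return 3  # bulk outbound transfer to an unfamiliar destination
    if kind == "backup" and a.get("action") == "delete":
        return 4  # backups disrupted ahead of encryption
    if kind == "file_rename" and a.get("count", 0) > MASS_RENAME:
        return 4  # mass rename with a new extension: encryption under way
    if kind == "file_create" and "RESTORE" in a.get("name", "").upper():
        return 5  # ransom note dropped
    return None

def correlate(events, lateral_min=3):
    """Group evidence by stage in time order. A lone admin logon is normal, so
    Snooping is recorded only once one source reaches lateral_min distinct hosts."""
    evidence = {s: [] for s in STAGES}
    admin_targets = set()
    for ev in sorted(events, key=lambda e: e[0]):
        stage = classify(ev)
        if stage == 2:
            admin_targets.add(ev[3].get("dst"))
            if len(admin_targets) < lateral_min:
                continue
        if stage is not None:
            evidence[stage].append(ev)
    return evidence

def stages_reached(evidence):
    return [s for s in STAGES if evidence[s]]

def verdict(evidence):
    """Return (furthest stage name, data already stolen?). Once stage 3 has
    happened, restoring from backup ends the outage but not the leak-site threat."""
    reached = stages_reached(evidence)
    if not reached:
        return ("none", False)
    return (STAGES[max(reached)], 3 in reached)
```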
The final stage, however, often becomes prolonged should the victim resist paying. A common tactic for ransomware gangs is to maintain a leak site for double extortion, where they threaten to sell or publish all of the data taken from unwilling victims, hoping to coerce them into paying rather than letting sensitive data become a public affair.
If the victim remains stubborn, some gangs will escalate to triple extortion, where they disrupt services within the victim’s network. A Distributed Denial-of-Service (DDoS) attack is the classic criminal modus operandi for triple extortion, as prolonged attacks can freeze a company’s website or services completely, massively raising the cost of resistance.
More recently, quadruple extortion has gained prominence in the ransomware arms race as cybercriminals look for a new edge. These attacks threaten third-party associates of a victim, such as their clients, spreading the pain even further. Bloomberg reported on the REvil ransomware gang employing this tactic against Apple itself back in 2021, in an effort to pressure Quanta Services, for whom Apple is a client, into paying a hefty ransom.
Ransomware Evolved: Everything-as-a-Service
As a crime fueled by interconnectivity, ransomware adapts at a much faster rate than, say, drug trafficking or physical extortion. The ransomware landscape has already mostly shed the large, hulking gangs that monopolised the process from end to end in favour of a more granular, specialised approach, and gone are the days when only the most prolific hackers could engage in ransomware.
Today, different service providers can be rented for essentially every leg of the ransomware journey. The problem is only exacerbated by the rise of Initial Access Brokers (IABs), who sell illegal entry through compromised credentials; phishing kits come pre-packaged for beginners; and even the deployment of ransomware itself can be rented by those who lack the skills or resources to develop their own malware.
The rise of this Ransomware-as-a-Service (RaaS), ushered in by gangs like GandCrab, Conti, and LockBit, is opening the floodgates for this business as the barriers to entry drop lower and lower. LockBit especially provides a window into the strengths and weaknesses of this model, as the group has become the most active ransomware actor in the world, judging by reported attack incidents. LockBit, now known as LockBit 3.0 in a nod to its own evolution, allows fledgling cybercriminals to simply rent its ransomware and conduct their own attacks, cleaving off a portion of the proceeds for itself should the renter succeed in obtaining a ransom.
Source: BetterCyber cybersecurity firm Twitter Account
Those renters who show real promise, and usually invest roughly $5,000 to $10,000 USD, can become affiliates of LockBit and even work their way up to membership, at each phase seeing a higher promise of returns in a system that looks suspiciously like a pyramid scheme. LockBit’s RaaS structure matters here, as its accolade of “most active” is often conflated with “most successful”, but how much LockBit actually rakes in is a debated issue. Given that the gang’s affiliates range from highly skilled criminal outfits to wannabe hackers, their payment success rate is similarly stretched.
Crypto-Payments and Money Laundering
Regardless of how much LockBit 3.0 really earns, it’s indisputable that the organization, and ransomware as a whole, still derives profits. Like any criminal activity, those profits must be laundered. Ransomware gangs overwhelmingly favor cryptocurrencies as their payment of choice, and they often farm this leg of the operation out to the pros.
The job of the specialists is to take the victim’s cryptocurrency payment, often in Bitcoin, and convert it into fiat currency with enough layering and obfuscation in between that researchers and law enforcement will not be able to trace it to its original source on the blockchain. This can involve putting the payment through mixing services that pool the payment with a swath of currencies originating from other wallets, and redistribute the currency randomly so that an individual portion of a coin is that much harder to trace to its initial wallet.
Additionally, money launderers can convert a payment into several different cryptocurrencies in a practice known as “chain hopping”, the aim of which is to extend the breadcrumb trail an outside observer would have to follow to find the original source: a Bitcoin payment can be converted to Ethereum, then to Monero, and so on. These strategies are growing, but are still less prevalent than good, old-fashioned centralised exchanges, where a third party joins buyers and sellers, ideally with enough trading volume to minimise volatility. Using these platforms is bold, since most maintain compliance measures that may sniff out illicit transactions, but they are ultimately easier to use, better equipped for off-chain transactions that switch from crypto to fiat currency, and set up for bulk arrangements.
Source: A Bitcoin Payment Page Demanding Payment
Finally, while cryptocurrency is not truly anonymous, it is pseudonymous, providing a useful layer of cover for ransomware gangs. Increasingly though, ransomware actors are looking to automate more of the process to ease negotiations with victims, and reduce human error in the money laundering process. A top member of Conti, once the most prolific ransomware gang in the world, actively pursued the use of “smart contracts” which only carry out payments when preset conditions are satisfied. In the tug of war between cybercops and cybercriminals, these disruptions never go out of fashion.
One realm where cyber criminals may be ahead is in artificial intelligence. The advent of AI in cybercrime broadly helps both attackers and defenders. Opportunities for human error can be mitigated, especially as AI systems become more effective at creating decent code. For Zoë Brammer though, a cybersecurity researcher at the Institute for Security and Technology, AI may advantage the attacker more.
“My concern is that without pretty comprehensive changes to the processes we have in place, especially around vulnerability management and mitigation, the defensive gains from AI may be significantly lower than the increased offensive capability,” Brammer told The Red Line.
Ransomware groups by and large prefer rich, large-scale entities. This “Big Game Hunting” ensures that their targets have not only the means to pay but also the motivation, as they typically deal in higher volumes of sensitive data. Put simply, going after small fish rarely pays, even in the aggregate. However, with AI and machine learning, ransomware gangs could ditch the Big Game model as the resources required to strike at smaller entities shrink. AI could very well spread the attack surface to mom-and-pop shops utterly unprepared for a cyberattack. As ransomware increasingly melds criminality with geostrategic competition, this could deliver serious headaches.
Conti vs Costa Rica: Cybercrime's Best and Brightest?
In May 2022, the world saw a glimpse of the devastation a criminal-geostrategic marriage can bring in the ransomware landscape. Rodrigo Chaves offered this glimpse when the newly-inaugurated president of Costa Rica declared that the country was at war with cybercriminals.
Never before had a country claimed to be at war with a cyber gang, but then, neither had any country been forced to declare a nationwide state of emergency as a result of ransomware. The country’s Ministry of Finance, Ministry of Science, Innovation, Technology and Telecommunications, and National Meteorological Institute were among a slew of government entities to fall victim to an attack perpetrated by the infamous Conti ransomware group. Conti was at the time the world’s premier ransomware gang and seemed unstoppable.
President Chaves of Costa Rica Declaring War on Cyber Gangs
Source: Ezequiel Becerra/AFP
Its attack was brazen, hobbling the government’s ability to carry out basic functions such as maintaining health care systems and tax collection. The government however, refused to pay Conti’s $10 million ransom, holding steadfast when Conti doubled their demands.
Later, the Costa Rican Social Security Fund (CCSS) was targeted by another group, Hive, though the attackers seemed to be colluding and it was later ascertained that Hive had simply absorbed some members of Conti’s leadership. This would prove to be a recurring trend in the months surrounding the fiasco. Powerful as it seemed, Conti’s downfall was already well underway, having started on February 25, 2022. Conti, a Russian-speaking criminal syndicate that looked more like an IT company than a gang, was composed primarily of workers in Russia and Ukraine. Barely a day into Russia’s invasion of the latter, Conti posted a statement declaring “full support of the Russian government” and threatening to deploy “all possible resources to strike back at the critical infrastructures of an enemy”.
Leadership’s subsequent attempts to walk back this stance with a more neutral anti-war statement proved worthless as the group became inextricably linked to the Russian government in the eyes of the world. Just two days later, a Ukrainian security researcher began releasing Conti’s internal chat logs on Twitter, laying bare the syndicate’s inner workings for the world to see. When the dust settled, years of communications from within the group were available to the broader cybersecurity community, victims became increasingly wary of paying out to Conti lest they incur the wrath of the U.S. Treasury Department, and the organisation’s leadership was forced to disperse into smaller groups in a kind of rapid self-atomization. Conti’s very public bout with Costa Rica, a longstanding ally of the United States, demonstrated what many cybersecurity officials had long understood: cybercriminality, just like any other form of organised crime, does not exist in a vacuum. Geopolitical calculation, political cover, and ethnonationalism all played heavily on Conti’s final act.
Not only did Conti operate, for the most part, in a country that cultivates an environment where cybercriminals fear few repercussions, but leaders of the organization also bragged about enjoying direct lines of communication with Russian intelligence services. Those claims are unconfirmed but ring true of past interactions between the Russian state and cybercriminals.
Organised crime lives and dies by these connections in Russia. The strategic choice of the Federal Security Service (FSB) and the Military Intelligence Service (GRU) to monitor, employ, and at times weaponise organised crime is a technique that dates back to a time when the former was still known as the KGB. The cybersecurity firm Recorded Future has reported on clear links between the FSB and prominent Russian cybercriminals like Dmitry Dokuchaev, Konstantin Kozlovsky, Maksim Yakubets, Pavel Vrublevsky, and many more.
A Russian Policeman Speaking with Maksim Yakubets, One of the Operators of Evil Corp Ransomware, Next to his Lamborghini
Source: The U.S. Sun
Big Thieves Hang Little Ones No More?
Conti’s disappearing act heralded a shift in the market. Fueled by the proliferation of Everything-as-a-Service and cybersecurity’s burgeoning capacity to hunt threat actors down, the whales increasingly came to be replaced by swarms of minnows. Today, four- to five-person teams employing repurposed malware code seem to be the way to go. This means that the field is bigger and the range in skill wider. Behemoth organisations like LockBit 3.0 still roam the ransomware landscape, routinely occupying the largest proportion of reported ransomware attacks into 2023, but experts like Allan Liska believe their days are numbered.
“We are definitely seeing a trend toward many smaller groups,” said Liska, a threat intelligence analyst at Recorded Future and author of several books on ransomware. “You’re seeing increasingly more and more small groups and greater diversity in the ransomware ecosystem,” he told The Red Line.
Regarding whales like LockBit, Liska maintained that it is getting harder and harder for organizations that balloon to such massive volumes to remain afloat. Eventually, they collapse under their own weight, though LockBit 3.0’s longevity has so far bucked that trend. Liska added that “every intelligence organization in the world wants to take down LockBit at this point,” yet still they keep the lights on. It has been speculated that LockBit, which purports to be “apolitical”, owes its resilience to FSB support, but such accusations are still just rumors in the open-source realm.
As previously stated, political cover is indeed oxygen for Russian organized crime. Without connections to political elites, or ideally higher-ups within the security apparatus, larger organizations run the risk of falling victim to a state show of force. Organized cybercrime is no exception to this rule, a fact Conti’s predecessor, REvil, learned the hard way in January 2022 when 14 of its members were arrested by the FSB. The group was forced to splinter and regroup under new gang affiliations in a classic trope of ransomware. When asked whether the infamous cybercriminal Pavel Vrublevsky was recruited by the FSB, the Russian State Duma Deputy Ilya Ponomarev told Novaya Gazeta that he did not know, but that Vrublevsky was an important player in the market.
Tellingly, Ponomarev added “this market cannot exist without the strong support from those in power. If you do not have cover from the Ministry of Internal Affairs or from the FSB, you will not be able to work in this market.”
UAC-0098: War Masked in Criminality
Political cover is afforded to criminals serving the interests of Russia, but ransomware is more versatile than that. Preceding Russia’s full-scale invasion, ransomware attacks against Ukraine heated up. In a real first for the crime, anti-Russian attacks surged as well, demonstrating how far the war had upset an ecosystem that previously left most CIS nations unscathed. Given the specialized nature of ransomware today, both sides inherited a whole host of tools and actors with which to turn a criminal racket into a geostrategic one.
Russia’s UAC-0098 best exemplifies this. An IAB syndicate composed of former members of Conti, the cybergang has taken to repurposing common tools of the ransomware trade as weapons against Ukraine’s government, hospitality industry and critical infrastructure. UAC-0098 employs industry classics like Cobalt Strike, and mass email phishing to hit Ukrainian targets. The group has posed as the State Tax Service of Ukraine, the National Cyber Police, and even Elon Musk’s StarLink to wreak havoc on enemy systems. Throughout 2022, Google’s Threat Analysis Group (TAG) tracked dozens of campaigns by the threat actor alongside other cases of ransomware weaponization like Cuba Ransomware’s attacks on Ukraine’s battlefield management system, Delta.
Maui Ransomware: Feeding the DPRK Piggy Bank
At the other end of the spectrum sit groups who likely blend geopolitical maneuvering and crime, but whose nexus remains unconfirmed and murky. The Maui Ransomware Group perfectly fits this mold. Allegedly backed by the North Korean state, this relatively young ransomware gang has been linked to the better-known Andariel threat actor by the FBI, the U.S. Cybersecurity and Infrastructure Security Agency (CISA), and several top cybersecurity firms. In fact, Kaspersky reported an 84% code similarity in the DTrack malware deployed by Andariel and Maui, consistent dwell times on victim networks, and a general overlap in the Tactics, Techniques, and Procedures (TTP) of both actors. The theory of their link gains traction considering North Korea’s long-standing reliance on cybercrime as a means of regime security. Cyber-espionage, crypto-crime, and ransomware all contribute in tandem to the state’s broader strategy in cyberspace. Each of these tools boosts the regime’s accruement of intelligence, technology, and of course revenues.
With the country being severely outgunned, outnumbered, and isolated, North Korea has been a pioneer of this exact brand of asymmetrical striking. Atlantic Council researcher Jenny Jun described ransomware as a natural weapon for states and non-state actors alike, engaged in hybrid conflict with more powerful foes.
Jun argued in Politico that “it’s only a matter of time before encryption is used for geopolitical gains. The incentives built into ransomware attacks — for both the attacker and the victim — will make it easier for smaller, poorer players to extract concessions from more powerful adversaries.”
For North Korea, Andariel is a well-established threat actor demonstrating the truth of this strategy for the regime. The hacking gang has a $10 million bounty on its head from the U.S. State Department. Alongside powerhouses like the Lazarus Group and Bluenoroff, Andariel’s rap sheet includes data theft, malware attacks, campaigns targeting South Korean government officials, and “perpetrating cyber attacks to support illicit weapon and missile programs,” according to the U.S. Treasury Department.
If true, Andariel’s use of the Maui ransomware to rake in cash wouldn’t be a first for the Impossible State. The Lazarus Group, likely the mother organization of Andariel, was blamed for the WannaCry ransomware plague that hit roughly 150 countries in 2017. If one believes that Maui ransomware is indeed linked to Andariel, and that Andariel forms a part of the Lazarus Group umbrella, then ransomware isn’t so novel a geopolitical weapon, it’s just picking up its pace. The Lazarus Group’s origins date back to around 2009, eons for a threat actor in the cybersphere.
The Usual Suspects?
As the bar for ransomware sinks lower, more infamous state sponsors of cyber-criminality could also seek to spread the practice to like-minded state or indeed non-state actors who share common foes but lack the resources to engage in such criminal activity without a helping hand. The Red Line spoke to Steph Shample, a cybersecurity expert at the firm Dark Owl, about the likelihood of such mergers.
“North Korea, Iran, and Russia are all active in this sphere and the likelihood of that spreading with their help is really high,” she affirmed.
For Shample, the threat of state-sponsored ransomware is not relegated to these three powerhouses. Rather, it’s on a path to further dilution as resources, technical expertise, and even basic internet connectivity spread further, often by those same powerhouses. “In Africa, Latin America, the Middle East, all these areas are getting the tools for cybercrime. That doesn’t mean they’re going to have a huge cyber warrior presence like Iran or Russia do, but we need to keep our eyes on that.”
This is a theater that was once dominated by petty criminals looking for $200, and in a short space of time it has become a genuine threat to full nation states. It’s hard to predict where the front lines on this issue will lie in 20 years’ time, but at this rate of innovation, it’s certain to be increasingly front and centre on most people’s radar.
Scott Mistler-Ferguson is a researcher specializing in organized crime and non-state threats. He reports on corruption, multiple forms of trafficking, and cyber-criminality. Scott is currently completing a Masters Degree at Johns Hopkins School of Advanced International Studies, focusing primarily on Latin American politics and armed groups.