HT Interview | Paying up to ransomware attackers bad strategy…: Dmitry Volkov
Dmitry Volkov, the CEO of cyber threat intelligence firm Group-IB, says ransomware remains the number one threat for public and private companies around the world. Ransomware operators have a strong focus on big enterprises that can afford to pay ransom and cannot afford any downtime.
Behind incidents of hacking and ransomware attacks, such as the one that crippled services at India’s leading government hospital, the All India Institute of Medical Sciences (AIIMS), and wiped out years’ worth of patient data, lies a cybercrime industry. Powering this industry are a wide variety of threat actors — nation-states, cybercrime rings and the occasional lone-wolf hacker. In an interview with HT, Dmitry Volkov, the CEO of cyber threat intelligence firm Group-IB, lays out the landscape of this underworld, and what really happens when individuals and organisations are hacked.
Tell us a little about the cybercrime landscape.
First, one of the most common types of digital crime is scams and phishing attacks, simply because they affect so many people. The damage for every single user may not be very high, but the scale and number of people that scams affect make them a major problem. Threat actors now invest a lot in technologies that allow them to scale their illicit business and automate operations. They band together in so-called affiliate programs – platforms that offer other, less skilled cybercriminals the opportunity to easily earn money. These affiliates create phishing and scam pages based on templates provided by the platform organisers, and distribute the links on social media, via email, messengers, and SMS. These affiliate platforms can generate links, help scammers communicate with each other, track transactions to see how much money they made and how many people they defrauded, and so on.
And then there is the problem of ransomware?
Yes, ransomware remains the number one threat for public and private companies around the world. It uses a very different approach. Unlike scam programs, ransomware threat actors are not looking for scale. Their goal is not to target many companies. Instead, they have a strong focus on big enterprises that can afford to pay ransom and cannot afford any downtime.
Ransom demands keep growing too. When MediaMarkt (one of Europe’s largest electronics chains) was hit, the attackers demanded $240 million, which is a record-high initial ransom demand.
According to the recently published Hi-Tech Crime Trends 22/23 report, the number of companies whose data was uploaded to ransomware Dedicated Leak Sites (DLS) increased by 22% to 2,371 companies in the H2 2021 – H2 2022 period. India had the second highest number (38) of companies listed on DLS in the Asia-Pacific region.
Does paying the ransom help victims recover, or is that a bad strategy?
The short answer is that it’s a bad strategy. Paying the ransom encourages further attacks. But, in reality, it’s not as easy as that. Affected companies always assess whether they can accept the cost of downtime. If they cannot decrypt their network and the downtime leads to critical losses, they choose to pay.
Even if you pay up, is there a risk your data will still be leaked? Especially if it is sensitive data like the patient records breached during the attack at AIIMS (All India Institute of Medical Sciences) Delhi?
Yes, there is always such a risk, because ransomware gangs also run affiliate programs with multiple members on board -- it’s not a one-person show. Hence, even if you pay, there can be a conflict of interest between gang members. We have seen cybercriminals who leak data even when paid, and we have also seen souring relationships between affiliates, say over disputes about profit margins. In such cases, if one or the other is not happy, they can leak the data for free or sell it for even more money.
The politics within ransomware groups you mention is interesting. People tracking such actors often compare them to a mafia. What is your take?
We can split them into two groups. One type is a huge organisation with a popular ransomware-as-a-service program. Conti is a good example. They became the second most aggressive ransomware gang in the world in H2 2021 – H1 2022, according to our threat intelligence team. Conti essentially created a well-structured “IT company” with its own HR, R&D, and OSINT departments. There are team leads, salary payments, and an incentive program. They give jobs to hundreds of cybercriminals who provide them with initial access to companies and help develop technology (such as malware).
And then there are smaller groups. They focus only on big targets and develop their attacks slowly. Such groups usually consist of a few key members: one or two of them would be developers, another would be responsible for money laundering, and maybe a few more who are experts at developing attacks.
You mentioned people who provide initial access to corporate networks. Tell us a little about initial access brokers and where they fit in.
Initial access brokers are those who sell credentials (user IDs, passwords, or security tokens) and access to servers and website administration panels. There are two types of initial access brokers (IABs) in the underground. The first are not very skilled or mature; they know how to use simple techniques to get initial access but are not able to develop attacks, so they just make money by selling this information. The price for this type of access is not very high. The other group of brokers knows that if they spend more time, they can make higher profits.
So that is like the difference between me getting hacked and my IT administrator being hacked? (An IT administrator will have wider access to a network than a regular user.)
Yes, exactly. If a cybercriminal has privileged access, the price of such access on the market will be higher. Initial access brokers have built an entire underground market segment now worth $6.5 million, according to our estimates. The IAB market has evolved over the years. A year, or maybe two years ago, threat actors had limited resources. They may have hacked hundreds of thousands of machines from which they had logs of logins, passwords and security access tokens, but they did not know what to do with them. So now they come together and create marketplaces – it’s like Amazon, but you are shopping for different types of access into computer networks. Such marketplaces are called clouds of logs. Any cybercriminal can buy access, including nation-state threat actors.
Let’s talk a little about the threat from nation-state hackers. Do non-state and state-backed attackers collaborate often?
One type of collaboration, as I just mentioned, is when advanced persistent threat actors buy access to corporate networks. Another is when threat actors band together if their goals overlap – a ransomware operator attacks a target for ransom and a nation-state actor attacks it for sensitive data exfiltration, for example. The interesting thing here is that such collaboration helps nation-state threat actors remain unnoticed and complicates attribution (identifying a culprit) to a particular nation. They tend to select well-known ransomware strains, so when a researcher starts analysing the attack, the chances are they would blame a bunch of cybercriminals, when in reality the attack was carried out by a nation-state adversary.
The cybercriminal world is highly interconnected. That’s why it’s important to have visibility across different layers, including the dark web, technical infrastructure, phishing and ransomware affiliate programs, etc. That’s what threat intelligence provides.
Some countries, like the United States, the EU member states, and India, have created an international counter-ransomware task force. Do you see such efforts making a difference?
Any effort aimed at arresting cybercriminals is crucial for a safer cyberspace. Unfortunately, it takes a lot of time to gather technical and legal evidence and to synchronise all parties involved in cross-border operations before arrests can finally be made. Since cybercrime knows no borders and gangs are spread across different countries, some may escape and start to regroup. So usually, if you’re able to identify the core of the group and arrest them, that actually causes a lot of damage to the gang. For them to rebuild after that is difficult, and the number of attacks will inevitably decrease. The problem, however, is that many of these groups are located in countries that are not involved in such coordinated anti-cybercrime actions. Group-IB is an active collaborator in global investigations led by international law enforcement and cyber police forces in the Asia-Pacific and Europe.
What sort of role do you think cryptocurrency plays here? Never before has there been a mechanism to move such large sums of money as ransom payments involve.
I wouldn’t say that’s a problem of cryptocurrency. Money laundering has existed for a long time. The difference here is that in the old days, if you were involved in illegal activity, you had to launder money in a given jurisdiction, which made it easier for local law enforcement to investigate. With cryptocurrency, it is in nobody’s jurisdiction, and that’s a problem. At the same time, with cryptocurrency you can also trace funds more quickly and effectively. All this crypto money must be stored and land somewhere, and usually the gateway for cryptocurrency is a cryptocurrency exchange. That’s why law enforcement bodies have good relationships with crypto exchanges, to be able to get additional information that helps them investigate cybercrime.
How can companies and law enforcement stay ahead of these threats?
First of all, when an incident occurs, companies need to do proper incident response. What is incident response? It is a set of procedures that allow us to identify, contain and, most importantly, analyse a cyberattack: how the network was compromised and what assets were accessed and stolen. High-quality human expertise and real-life knowledge about the attacks play an important role here. Good incident response also gives you information and knowledge about threat actors based on their different tools, techniques, and behaviour patterns.
The second part is information sharing with law enforcement and regulators, to help protect other potential victims. Prompt threat intelligence exchange is essential for cybersecurity as you can stop the attackers only if you know how they operate.
Third, of course, is legislation. But we must be careful here, because penalising companies can have the opposite effect and draw in more attackers. Still, legislation is important because it creates understanding. A business must understand that these threats exist and be aware of the potential damage. And legislation is a clear statement of what the government recommends you do to protect against such threats.
Finally, what more would you like to see done in the cybersecurity field?
The cybersecurity community should also invest more in, I would say, non-commercial activity that benefits everyone. Private sector companies are usually the ones who are called on to respond to incidents. They hold a lot of the most recent and relevant information about cyber threats and potential victims. When we see a leak or a network access offer on the dark web, we do our best to reach out to the victims and notify them as soon as possible. If we find a vulnerable application, we also notify the company where it was found, without asking for money for this information. It’s important to create an ecosystem, or I would say a culture, of giving back in cybersecurity.