Inside the shadowy world of Ransomware payouts

Marc Bleicher

Source: CNBC

Marc Bleicher is a hostage negotiator — but he’s not trying to rescue human hostages, he’s trying to rescue data.

Bleicher, managing director at cybersecurity consulting firm Arete Advisors, is a specialist who helps companies deal with ransomware — the type of cyberattack in which hackers lock up a company’s computers and then demand payment to undo the encryption.

He has given CNBC a rare and exclusive look inside a shadowy world where American companies find themselves paying millions of dollars to known criminals.

It’s a corner of the criminal underworld that has seen explosive growth. According to a report by Chainalysis, the total amount paid by ransomware victims increased by 336% in 2020 to reach nearly $370 million worth of cryptocurrency.

And some big players are scoring huge gains: The report found the digital hostage-takers are dominated by large players who are raking in millions of dollars a year. Just 199 cryptocurrency deposit addresses received 80 percent of all funds sent by ransomware addresses in 2020, Chainalysis found.

All those payments have created an underground marketplace where criminals and their victims in corporate America must come together to reach terms and exchange funds.

Ransomware has bedeviled small and large companies alike and is causing increasingly costly shutdowns at county governments, schools and even hospitals. In June, for example, Magellan Health announced it had been hit by an attack that ultimately impacted more than 300,000 people. The Clark County, Nevada, school district revealed an attack in August that may have exposed student data. And in July, the city of Lafayette, Colorado, paid a $45,000 ransom to regain control of its systems. 

Call it the extortion economy

The heist

The negotiation

The haggling takes place in a chat room on the dark web. Bleicher said he doesn’t know who’s on the other side of his screen, but they already know a lot about his clients. For publicly traded companies, the hackers know annual revenues and calculate a ransom demand from there.

And the hackers have total visibility into the organization: “They may have access to that company’s financials from being inside their network,” Bleicher said.

But it’s not just size that sets price — it’s the sensitivity of the data: “That 10-person law firm may have, you know, politicians as clients, and therefore that ransom may be extremely high versus, you may have a Fortune 50 company where the ransom is lower, and because they only got to a certain portion of their data.”

Bleicher didn’t want to go into detail about how he negotiates. But an official at another cybersecurity firm, who spoke on condition of anonymity, offered some insight. “We create fake profiles, so they don’t know they are dealing with professional negotiators,” the official told CNBC. “The profiles are usually midlevel employees, allowing us to delay and go back to a manager for approvals.”

And even as the negotiation is going on, the official said, the cybersecurity firm’s goal may be to delay long enough to conduct an investigation or to extract information from the hackers about what they have and how much they know. “In some cases, we’ve been able to get full directory listings during the negotiations without paying,” the official said. “Which helps us understand what systems the attacker has access to.”

Jason Kotler, founder and CEO of a cyber-negotiation company called Cypfer, said the criminals know what to expect. “They expect a negotiation,” he said. “For billion dollar companies, they expect multimillion dollar payments.” There’s even something of an industry standard: “It’s roughly a percentage of their published net revenues — a half a percent for billion dollar companies.”

“I wish I wasn’t in the business I’m in,” Kotler said. “It’s really war. This is warfare.”

The bad guys

Sometimes warfare is not just a metaphor. Bleicher said companies can get comfortable with paying off crooks, but they don’t want to pay terrorists or run afoul of U.S. or Western sanctions. So the most important thing his company does is check with the U.S. Treasury’s Office of Foreign Assets Control (OFAC) to see whether the entities being paid have any connection to known sanctioned organizations.

The goal is to make sure the victim companies don’t accidentally break U.S. or European sanctions law. The challenge is that on the dark web you can’t always know for sure who you’re dealing with. The North Korean military, Iranian intelligence and cybercriminals connected to Russian oligarchs are all vigorously involved in ransomware attacks.
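In practice that OFAC check means screening the proposed payment address and the claimed payee against the Specially Designated Nationals (SDN) list, which Treasury publishes as XML and in which a listed cryptocurrency address appears as an `<id>` whose `<idType>` reads “Digital Currency Address - XBT”. The script below is an added illustration, not Arete’s or CNBC’s code: the SDN snippet it parses is constructed for the example (the entity name, uids, program tag and addresses are all made up), and it only reproduces the shape of the real file, so a practitioner would point `load_sdn` at the downloaded list instead.

```python
"""
Screen a proposed ransom-payment address and payee name against an
OFAC SDN-style XML list.

Added example, not code from Arete Advisors, Cypfer or CNBC.  SAMPLE_SDN_XML
is CONSTRUCTED for this demonstration: the entity, uids, program and the two
addresses are fabricated.  It copies the layout of Treasury's sdn.xml, where a
crypto address is an <id> with <idType>Digital Currency Address - XBT</idType>.
"""
import re
import xml.etree.ElementTree as ET

SAMPLE_SDN_XML = """<sdnList xmlns="http://tempuri.org/sdnList.xsd">
  <sdnEntry>
    <uid>90001</uid>
    <lastName>EXAMPLE CYBER ACTOR GROUP</lastName>
    <sdnType>Entity</sdnType>
    <programList><program>CYBER2</program></programList>
    <akaList>
      <aka><uid>1</uid><type>a.k.a.</type><lastName>ECAG</lastName></aka>
    </akaList>
    <idList>
      <id><uid>2</uid><idType>Digital Currency Address - XBT</idType>
          <idNumber>1ExampleSanctionedBTCAddress0000000</idNumber></id>
      <id><uid>3</uid><idType>Digital Currency Address - XBT</idType>
          <idNumber>bc1qexamplesanctionedaddress0000000000</idNumber></id>
    </idList>
  </sdnEntry>
</sdnList>
"""

# Whitespace and zero-width characters that a pasted address may carry.
_STRIP = re.compile(r"[\u200b\u200c\u200d\ufeff\s]")


def _local(tag):
    """Drop the XML namespace so matching works whatever xmlns the file uses."""
    return tag.rsplit("}", 1)[-1]


def _children(el, name):
    return [c for c in el if _local(c.tag) == name]


def _text(el, name):
    found = _children(el, name)
    return (found[0].text or "").strip() if found else ""


def _norm_addr(addr):
    # Legacy base58 addresses are case-sensitive, so only strip padding;
    # bech32 (bc1...) addresses are case-insensitive, canonical form is lower.
    addr = _STRIP.sub("", addr)
    return addr.lower() if addr.lower().startswith("bc1") else addr


def _norm_name(name):
    return re.sub(r"\s+", " ", name).strip().upper()


def load_sdn(xml_text):
    """Parse SDN-style XML into records of names, programs and crypto addresses."""
    root = ET.fromstring(xml_text)
    entries = []
    for entry in root.iter():
        if _local(entry.tag) != "sdnEntry":
            continue
        names = {_norm_name(_text(entry, "lastName"))}
        for aka_list in _children(entry, "akaList"):
            for aka in _children(aka_list, "aka"):
                names.add(_norm_name(_text(aka, "lastName")))
        programs = [p.text.strip() for pl in _children(entry, "programList")
                    for p in _children(pl, "program") if p.text]
        addresses = set()
        for id_list in _children(entry, "idList"):
            for ident in _children(id_list, "id"):
                if _text(ident, "idType").startswith("Digital Currency Address"):
                    addresses.add(_norm_addr(_text(ident, "idNumber")))
        entries.append({"uid": _text(entry, "uid"), "names": names,
                        "programs": programs, "addresses": addresses})
    return entries


def screen_payment(entries, address, payee_name=""):
    """Return a list of SDN hits for the address, or for the payee name/alias."""
    hits = []
    addr = _norm_addr(address)
    name = _norm_name(payee_name) if payee_name else ""
    for e in entries:
        if addr in e["addresses"]:
            hits.append({"uid": e["uid"], "reason": "address", "programs": e["programs"]})
        elif name and name in e["names"]:
            hits.append({"uid": e["uid"], "reason": "name", "programs": e["programs"]})
    return hits


if __name__ == "__main__":
    sdn = load_sdn(SAMPLE_SDN_XML)
    print(screen_payment(sdn, " 1ExampleSanctionedBTCAddress0000000 "))
    print(screen_payment(sdn, "1NotOnTheListAddress00000000000000", "ecag"))
```

Two details matter in the real list as much as in this constructed one: the address must be compared byte-for-byte after stripping padding, because base58 addresses are case-sensitive and a single altered character defeats the match, and a name check alone is weak, since the actor on the other side of the chat picks the name and the list only catches it when it matches a listed alias. A hit on either is a reason to stop the payment and escalate, not a finding to negotiate around.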

In February, for example, the Department of Justice unsealed charges against three North Korean programmers alleging that they participated in a wide-ranging criminal conspiracy to conduct a series of destructive cyberattacks and to steal and extort more than $1.3 billion of money and cryptocurrency from financial institutions and companies.

The U.S. said the three men, Jon Chang Hyok, 31, Kim Il, 27, and Park Jin Hyok, 36, were members of an elite hacking unit of the North Korean military intelligence organization known as the Reconnaissance General Bureau. The U.S. charged the men with creating the destructive WannaCry 2.0 ransomware in 2017 and with “the extortion and attempted extortion of victim companies from 2017 through 2020 involving the theft of sensitive data.”

In late 2019, the U.S. government indicted the Lamborghini-driving Russian leader of a hacking group calling itself “Evil Corp,” and the FBI announced a reward of up to $5 million for information leading to the arrest or conviction of Maksim Yakubets, 32, of Moscow. It was the largest such offer for a cybercriminal so far. The government said versions of the malware designed by Evil Corp helped criminals install ransomware.

At the same time British authorities released a trove of videos and social media postings by Yakubets and other alleged members of Evil Corp doing doughnuts in expensive sports cars on Moscow streets, posing with large amounts of cash and even cuddling up with a pet lion cub.

Inevitably, it would seem, at least some American corporate funds are being transferred directly into the cryptocurrency wallets of America’s enemies.

The payoff

