Rich Vining

Cyber-Crime as a Service

Blog Post created by Rich Vining Employee on Jan 11, 2018

I attended a fascinating webcast today hosted by security firms Carbon Black and Red Canary. Their guest speaker, cyber security researcher Jamison Utter, told the story of his experience setting up a ransomware campaign for research purposes. Jamison purchased everything he needed to build and execute the campaign, including the ransomware payload (e.g. cryptolocker), an infection mechanism (spam, botnet, ad injection), and traffic (victim) acquisition from the Internet and did not need to write any code of his own, and paying for it all with untraceable bitcoin.


The people that Jamison worked with are in Ukraine, but these services are available from a number of countries including Romania, Bulgaria and Hungary. The key is that the creation of malware is not considered to be criminal in these countries. The analogy that Jamison used is gun laws in the US: when someone commits a crime using a gun, the gun manufacturer is not criminally or civilly liable. My problem with this analogy is that guns can be used for socially-acceptable purposes (sports, hunting, deterrence and defense); I am struggling to come up with an acceptable use for malware.


The motivation for the innovators and maintainers of this malware is, of course, money. They can make as much as 20 times selling this software as other types of software, and far exceed the normal income levels found in their home countries. And since they are set up as legitimate businesses, Jamison found them open and easy to communicate with (via Google translation).


What really fascinated me was the sophistication of these software operations. Customer support and code support are available 24/7, and considered to be table-stakes. For the attack vector, such as email phishing or website ad infection, the buyer pays for a guaranteed number of infections, just like a traditional digital marketing campaign.


In Jamison's research project, the total cost of his campaign was less than US$6000. His anticipated return on that investment was $90,000/month for the 3 months that the campaign should be effective - after that, anti-virus software should have caught up with his malware variant and greatly reduced its effectiveness. His calculation included an infection rate of 10% and a conservative ransom payment rate of 0.5%. Symantec says the payment rate is really 3%, while the FBI says 6% is more accurate. Whatever the number, that is a staggering return on investment.


So, it's no surprise that the rate of ransomware attacks is growing exponentially. Barkly reports that ransomware attacks tripled last year, and 60% of all malware attacks were ransomware. Anyone can get into it, and if they are good at covering their tracks, can make a lot of money.


Enterprise Strategy Group provided this disheartening data point:


The moral of the story, provided by Michael Haag, Director of Advanced Threat Detection and Research at Red Canary, is that the only real way to end ransomware is to eliminate the payments for it. Michael detailed 5 things that can be done to protect against a ransomware attack, some of which can have a negative impact on business productivity:

  • Adding controls to gateways
  • Blocking macros
  • Implementing Microsoft Applocker
  • Screening for certain types of files
  • User education


However, these preventative steps need to be coupled with recovery measures in case a ransomware attack does get through your defenses. At the top of that list is an effective backup and recovery capability.


This is where Hitachi Vantara can help, with effective ransomware recovery capabilities across structured (HDID), unstructured (HCP) and end-point (HCP-Anywhere) data. You can learn more about that in my previous blog: Ransomware: Fending off the "DataNappers".


Rich Vining is a Sr. Product Marketing Manager for Data Protection Solutions at Hitachi Vantara and has been publishing his thoughts on data storage and data management since the mid-1990s. The contents of this blog are his own.