The last two years have witnessed a hefty uptick in crypto-centric ransomware attacks. Not only are bad actors becoming more refined, but they are facilitating access to other, less sophisticated ones. According to experts, crypto crime of this nature has been especially prevalent amid the coronavirus pandemic. But how does it all connect, and what can the industry do to stamp it out?
As with all groups, the cryptocurrency sector has its portion of bad apples. Since 2018, ransomware attacks worldwide have increased by 200%. To make matters worse, the software required to carry out such attacks is widely available on the darknet.
In Singapore, the situation is arguably at a fever pitch. Instances of so-called “crypto-jacking” — a ransomware method in which criminals commandeer devices to mine cryptocurrency — spiked 300% year-on-year in Q1 2020. Per cybersecurity firm Kaspersky, the increasing difficulty of mining coupled with the subsequent hike in electricity costs is at the root of the problem. As for why Singapore is so disproportionately affected, Kaspersky suggested the country’s high-performance internet may be attracting bad actors.
But this is by no means a localized phenomenon. According to the “2020 Incident Response and Data Breach Report” from cybersecurity firm Crypsis Group, ransomware attacks have more than doubled in the last two years.
It seems COVID-19 has been a boon for cybercriminals. During a recent United States House meeting, the FBI revealed a 75% rise in daily cyber crimes since the onset of the coronavirus. Expert witness Tom Kellermann, head of cybersecurity strategy for VMware, also cited an inconceivable 900% uptick in ransomware attacks between January and May 2020.
Speaking to Cointelegraph, Thomas Glucksmann, vice president of global business development at the blockchain analytics firm Merkle Science, explained that the escalation in ransomware and cryptojacking attacks could be attributed to the exploitation of pandemic-related anxiety through targeted COVID-19 themed campaigns.
“Such campaigns include emails or websites advertising treatments, government information and fake apps which prompt users to download malicious software that infects devices and can be used to compromise data and networks (via ransomware) and computing power (cryptojacking).”
The finessing of ransomware attacks
Along with an uptick in attacks came refined techniques and modifications. This includes Ryuk and Sodinokibi — also known as “REvil.” These particularly insidious ransomware variants deny users access to their device, system or file until a ransom is paid. Both Ryuk and REvil are designed to prey on enterprise networks. Law firms Fraser, Wheeler & Courtney LLP and Vierra Magen Marcus LLP found this out the hard way.
Both firms were victims of the REvil ransomware attack from the threat group of the same name. On June 6, REvil’s official darknet blog announced the auctioning of over 1.7 TB of data seized from the firms’ databases. The listing was described as containing both private company and client information, including business plans and patent agreements of companies ranging from Asus to LG. The starting bid price for Fraser, Wheeler & Courtney’s data was set at $30,000 — to be paid solely in Bitcoin (BTC). REvil noted that if the reserve price wasn’t met, the files would be publicized nonetheless.
This is not the first time REvil has caught headline news. The group previously struck Grubman Shire Meiselas & Sacks — the law firm connected to music stars such as Madonna, Lady Gaga and Nicki Minaj. However, after failing to extract payment, they seemingly switched up their modus operandi, raising the stakes on their victims via public auctions.
Another ransomware gang, known as “Maze,” took things one step further, targeting the government-affiliated aeronautics firm ST Engineering Aerospace. Maze plucked around 1.5 TB of data from the organization — 50 GB of which found its way onto the darknet shortly after. One notable aspect of this attack was that the ransomware was initially undetectable. Another particularly nasty and near-imperceptible breed of ransomware, aptly dubbed “STOP,” encrypts the victim’s entire system, demanding payment in return for decryption.
It’s perhaps no surprise, then, that ransomware detection and decryption software are becoming commonplace, offering a means to fight back and decrypt files made inaccessible by attackers.
Nevertheless, bad actors are twisting this to their advantage by disguising ransomware as ransomware decryption software. Rather than decrypting ransomware-infected files, the fake software encrypts them further, ensuring that victims have no choice but to pay up or face losing data permanently.
It isn’t just sophisticated cybergangs who have access to these tools, either. To make matters worse, ransomware is openly sold on the darknet. Officially termed ransomware-as-a-service, or RaaS, threat actors are peddling their franchises to less-than-tech-savvy miscreants.
Glucksmann noted that while the majority of RaaS offerings are duds, this new commerce-based criminality is nevertheless aiding the ransomware epidemic: “Not all of this malware for sale is actually usable but the existence of such services shows how malware has become commoditized and such a common threat.” Taking a similar line, blockchain analytics firm Chainalysis went as far as to position RaaS as a reason for the recent rise in attacks. Kim Grauer, head of research at Chainalysis, told Cointelegraph:
“We suspect that the proliferation of Ransomware as a Service (RaaS) is contributing to the increase in ransomware attacks, many attackers who develop ransomware technology now allow less sophisticated attackers to rent access to it, just as a business would pay a monthly fee for software like Google’s G-Suite. The key difference is that the builders of the Ransomware also get a cut of the money from any successful attack.”
Fortunately, law enforcement agencies are starting to gain an edge. According to data from cybersecurity firm Trend Micro, official takedowns of multiple darknet marketplaces have cast doubt in criminal minds. With darknet data in the hands of law enforcement, protecting anonymity stood as a primary concern among criminals — causing darknet sales to drop significantly as a result.
However, Grauer believes the drop still wasn’t big enough as market revenue generated by the darknet has already reached $790 million, adding: “We haven’t quite reached halfway through 2020 yet, but the amount of darknet market revenue is already over half of the 2019 value.”
Are things really that bad?
Cryptocurrencies are often stigmatized as tools for corruption. This stereotype has dominated the crypto narrative for years, serving as a convenient attack vector for crypto detractors. As the evidence suggests, this narrative isn’t altogether accurate.
The industry’s association with unlawful activity started — as everything in crypto has — with Bitcoin. According to Tom Robinson, co-founder and chief scientist of blockchain analytics firm Elliptic, in the early days of crypto, around 2012, criminal activity accounted for over a third of all Bitcoin transactions. This figure has dramatically shifted since, as Robinson told Cointelegraph:
“The absolute amount of criminal usage of crypto might have increased, but the overall use of crypto has increased faster. According to Elliptic figures, back in 2012, 35% of all Bitcoin transactions by value were associated with criminal activity — at that time it was mostly illicit trade on the Silk Road dark market. Today, illicit Bitcoin transactions account for less than 1% of all Bitcoin transactions.”
Still, a report from Ciphertrace suggests that 2020 could become a record year for cryptocurrency-related thefts, hacks and fraud. For Grauer, it’s still far too early to call. “Looking at total illicit activity so far this year, we see it is actually trending low compared to last year,” said Kennedy, adding that, “It’s possible we’ll see a dramatic increase in scamming in the second half of the year.”
Avoiding ransomware attacks
So, with ransomware attacks more rampant than ever, there are several methods people can use to avoid getting caught out. “It’s important for people and organizations to stay informed on emerging threats and techniques,” Kennedy explained. “We can help cyber teams quantify and prioritize the threat landscape and identify emerging players and actors dominating the scene.” Providing some practical advice, Glucksmann advocated a degree of paranoia toward any suspicious-looking email, website, app or contact request.
“Ensuring all your personal and company online services are protected with multi-factor authentication can also make it more difficult for a threat actor to obtain your data or cryptocurrency funds even if they are somehow able to compromise your device. For stronger multi-factor authentication set-up I would strongly recommend a hardware token instead of a mobile device.”
“Don’t pay the ransom as this could be deemed illegal by law enforcement in many jurisdictions,” Glucksmann hastened to add.