ISMG Editors: How the Ransomware Ecosystem Is FracturingAlso: Rise of Online Scams; ISMG Crypto and Payments Summit
In the latest weekly update, four editors at Information Security Media Group discuss important cybersecurity and privacy issues, including how amateur tactics employed by ransomware gangs are leading fewer victims to pay ransoms, why traditional identity controls can't protect against growing authorized payment scams, and highlights from ISMG's Crypto and Payments Summit.
The panelists - Anna Delaney, director, productions; Mathew Schwartz, executive editor of DataBreachToday and Europe; Rashmi Ramesh, senior subeditor, global news desk; and Suparna Goswami, associate editor, ISMG Asia - discuss:
- How ransomware victims who opt to pay a ransom have been seeing a "decline in quality and reliability" when it comes to quickly restoring affected systems, according to ransomware incident response firm Coveware;
- Highlights from an interview with Omega FinCrime's Ian Mitchell on the rise of online scams and why financial institutions' defenses must change;
- Key takeaways from ISMG's Crypto and Payments Summit, including questions around how to secure the rapid expansion of the cryptoverse.
The ISMG Editors' Panel runs weekly. Don't miss our previous installments, including the Oct. 14 edition assessing the proposed EU-US data flow plan and the Oct. 21 edition discussing what CISOs can learn from the ex-Uber CSO verdict.
Anna Delaney: Hi, welcome to the ISMG Editors' Panel. I'm Anna Delaney and here we share this week's top cybersecurity news and analysis. Very pleased this week to be joined by colleagues Suparna Goswami, associate editor at ISMG Asia; Rashmi Ramesh, senior sub editor for ISMG's global news desk; and Mathew Schwartz, executive editor of DataBreachToday and Europe. Matt, why are so many ransomware-wielding attackers collectively shooting themselves in the foot?
Mathew Schwartz: We've been seeing some changes, as we always do in the ransomware ecosystem. What some of the firms that help victims respond to these attacks have been saying is that fewer victims recently have been choosing to pay. Now, that's great news for any of us who aren't ransomware wielding attackers, because anything that makes it less interesting, less lucrative, I should say, is the main factor here. Hopefully, will lead fewer criminals to want to wield ransomware. I'm being optimistic because criminals keep coming back to ransomware. If they can get the formula right, if they can get innovative, and figure out ways of getting victims to pay, it can be extremely lucrative to use ransomware. Unfortunately, they keep finding innovative new ways to do this. But where we are right now, is that a bit of an impasse, apparently. The ransom proceeds that a lot of groups have been seeing have been going down, or the proclivity to pay, I should say, has been going down the average ransom payments, maybe even going up a little bit, but fewer victims are paying. One of the reasons that I'm hearing for this being the case is because a lot of groups are wielding amateur tactics. So in the past, if you got hit by a ransomware wielding group and you paid them a ransom, you wanted to know that you were going to get something for that ransom payment, typically a working decrypter. That is, again, typically the reason the victim pays, they look at what it will take to get their systems back up and running. They make a business decision that because of the lack of backups, perhaps or because of the length of time that it might take to restore backups. If they do have them, they're going to opt to pay. So there's another number of firms that work with victims and advise them they can say, Look, if you are trying to get back up and running, we think this is the group that has attacked you. We can tell you that in 99% of cases, if you pay a ransom, you will very quickly get a working decrypter and based on what you need to get back up, based on the data that was crypto locked, we estimated it'll take you this many days, this many people to get restored. So there's some reliability. Apparently, however that reliability has been going out the window. More attacks are involved in crypto locking malware that shred data, meaning you can't get it back. More attacks are also happening in which victims getting decrypters that work very well aren't. So why is this the case? Why would groups having hit on this strategy of "okay you give us 10 Bitcoins, we'll give you a working decrypter,"there's some guarantees there, right? What's gone wrong? Apparently one of the reasons why this is changed is because ransomware-as-a-service operations are no longer doing the heavy lifting. Previously, we had groups like GandCrab, or REvil, LockBit, which is still around; Conti, which is not around. And a lot of attackers would work with the groups because the groups would give them cryptolocking malware. And they worked as affiliates so they can access this malware as a service. In exchange, the operator who provided the malware would typically keep 20% or 30% of every ransom payment. But authorities have been spending a lot of time and effort to disrupt these ransomware-as-a-service operations. This has driven a lot of attackers to look elsewhere. And some of them are buying malware off the shelf. And some of them are also using leaks. So a lot of ransomware has been leaking. Insiders who are unhappy with the rents or as a service operation has leaked code for numerous operations. And so a lot of these hackers are going "well, why give 20% or 30% to operators when I can just use their leak code myself?" Well, one of the results of that is a lot of these attackers don't have the technical skills that the big operations have. So the big operation is spent a lot of time and money to make sure that their crypto locking malware works quickly and effectively. And if you pay because you got crypto locked, you will get back a working decrypter because that's good for their reputation. But apparently what's been happening is again, amateur hour. A lot of these attackers are kind of going their own way, using freely available code and surprise, surprise, it's not working or they can't bring the technical support skills they need to bear to give the victims a reliable outcome. As a result, victims are paying less. As a result of attackers are getting a bit desperate, we're seeing more attacks on health care, even by big groups that previously avoided health care. We're also seeing more real extortion attacks, where the same group attacks the victim more than once the victim pays a ransom. And then the attacker comes back and demands another ransom. Not just from small groups, small upstarts, but also from big groups. And experts say this is because fewer victims have been paying a ransom, leading to more desperation on the part of ransomware-wielding attackers. So that's where things are today. I'm sure they're going to sort it out. It's just a question of how soon and how many victims get hit in the interim, and have all this pain of perhaps needing or wanting to pay for a decrypter. But knowing that they can't rely on it, even if they do get something that works a bit.
Delaney: How great an influence has Russia's war in Ukraine had on the change in these groups' tactics?
Schwartz: Great question. We're still seeing predominantly Russian-language groups wielding ransomware. One of the big changes or occurrences I guess, this year has been Conti, at least in the brand's name going away. Conti publicly backed Russia's invasion of Ukraine, and threatened reprisals on anybody who worked to undermine the invasion. So by doing that they allied themselves with the Russian government. And experts say that very few victims of Conti were willing to pay a ransom anymore. So apparently, the proceeds just plummeted. So Conti spawn up some new brands, then announced that it was going to be retiring. So that has been a disruption, although unfortunately, in most cases, this is just a blip. Like I said, it's so lucrative that we tend to see well-organized attacks come back no matter what. They might have a different name. A lot of times they're the same people, though, with the same skills just in a new shiny new format or brand name.
Delaney: Is this rip for ransomware as a service groups?
Schwartz: It's a good question. Yeah, are they dead finally? I doubt it. We still see some big groups that are tied to many attacks. So for example, LockBit is still a major player. And I think that we will see a resurgence in this business model. They'll have to reinvent themselves in some way, but they've proven expert at doing so. And if they're not getting proceeds, if individual attackers aren't getting proceeds by trying to do it on their own using a freely available code, there's going to be a real financial incentive for them to realign themselves with big players, even if there's more risk, because I think the revenue is the first consideration, and they're willing to take some risk if they can get that. They can get tens of millions of dollars, for example, in a year. They're going to go that route, even though they have more law enforcement exposure. So it's probably a temporary thing. I do think we'll probably see the big ransomware-as-a service operations comes to ring back at some point, unfortunately.
Delaney: Okay, more on that soon then. Thank you very much, Matt. So Suparna, let's talk about scams. You conducted a great recent interview with Ian Mitchell of Omega FinCrime on the rise of online scams and why and how defenses must change. Could you share some highlights from what you discussed?
Suparna Goswami: Sure, Anna. Thank you. And before I proceed, let's first differentiate between scams and fraud. So scams fall into the category of fraud called authorized fraud in which victims are duped into performing the foreign transaction. So here they themselves are carrying out the transaction unlike in fraud where typically it is a fraudster who is carrying on the transaction. So this is a very important rule. So since it changes the way our fraud defenses need to act. Now currently this is one of the biggest challenges financial institutions globally are dealing with, as fraudsters have evolved past our traditional defenses. Now the industry has seen a massive rise in variety of scams, right? From romance scams to picture butchering to rental scams, job scams, and this is what is making it difficult for fraud fighters since there is no one scenario that fraudsters are following where defenders can put their finger. There's variety of scams out there. So as I said, scams in itself is a bucket of fraud since method of duping a victim is unending, there's so many variety of ways you can dupe a victim. However, the way the fraudsters carry out the scams remained typically the same. They will pretend to be either from the fraud department of a bank or from an employment firm or from the government. Now the question that arises is what are banks doing to stop scams or rather, why are scams increasing despite them investing so many tools out there? Nowadays typically, if you speak to any bankers, any security practitioner or fraud practitioner, there is a lot of investment by banks and rightly so, in tools to verify your identity of a person or to authenticate a person. Typically in an account takeover fraud or any fraud, for that matter, the fraudster say dupes a victim into giving their credentials, but the transaction is carried out by the fraudster. And it's the fraudster who is engaging with financial institutions. So here your identity and authentication tools will work fantastically. However, like I mentioned, in a scam, it is the person who is carrying out the transaction. So if I'm being duped, I'm being scammed, I'm the one who's carrying out the transaction. So aside from a few vendors who are still relatively new to the space, we don't have many solutions out there. Because here, your identity or authentication tools will not work, because I'm the one who is carrying out the transactions. So essentially, we need solution providers to think how they can retrofit their solutions for first-party scans of fraud. In the meantime, there are some steps that banks can take, like I was speaking with Ken Palla, and he said that there could be smart education close to the transactions of when banks can introduce interactive education message for the first pay. So if I have added a new payee, and I'm paying a large amount to a new payee, there can be a call from the bank, which says, "Is there a person who is directing you to make this payment? Are you sure this is not a fraudster?" Or they can be transaction notches? The purpose is to make a customer stop and think if I'm making the payment, it's to go to the right person. Messages like you could be at risk of being scammed, what is this payment for, these kinds of things help. And what I found most interesting is there's this whole thing of instant payment, right? Banks can delay the execution of payment for at least the new payees. So if I am a first-time payee and I'm paying a huge amount, banks can delay it by a few hours if there's a high-value amount that has been made. And I'm sure that customers will not mind if you delay the payment by a few hours, so that they can just crosscheck with the customer, they can just ensure that it is not being sent. So these are some of the steps that banks can take from there till there is a tool out there, which will help in stopping the scams.
Delaney: So it's not just the tech that needs to be changed, the operational procedures and the way that banks interact with customers.
Goswami: Yes, absolutely. The messages need to be closer to the transaction time. That's what is needed. And the U.K. is doing fantastic with all the steps that I spoke about. So this is something that the banks in the U.S. can also follow.
Delaney: And did your interviewee share a prediction as to how the economic downturn would impact scams and fraud?
Goswami: Oh, yes. So economic downturn impacts we have seen during the COVID time, how there was a huge employment scam that was happening, people were impersonating, somebody from the government are some different employment agencies. So that is typically a fraud triangle you describe in any fraud scenario. The moment you see an economic downturn, there would be job losses, there would be uncertainty, and fraud. And also, an important point is banks or financial institutions, or any institution for that matter will cut down on their security or fraud tools investment. So this is typically a classic time when scammers or fraudsters can up their ante. And especially for scams, there are no tools out there. So if I'm someone who's looking for a job, and I get a call from somebody who's impersonating someone from an employment firm, I'm going to be, whatever is being asked for, I will go in for that. Because emotionally, I am a little vulnerable at that point in time. So this is what fraudsters play with.
Delaney: For sure. There'll be more of it. Thank you. Suparna. Well, this leads smoothly on to our next conversation, our next segment. Rashmi, this week, ISMG hosted its Crypto and Payments Summit. What was some of the key themes or trends that you identified?
Rashmi Ramesh: Yeah. And just to add to what Suparna was saying, it's terrible, right? How these scams happen in a traditional finance space. Take that and put it in crypto where there are things like decentralized finance. So there is no central authority that you can go and say like, "hey, this scam happened, can you reverse my transactions?" Because no, you can't reverse transactions. So it takes something bad and makes it terrifying. So the Payments and Crypto Summit comes at a good time because we had speakers like Cody Carbone from the Chamber of Digital Commerce. We had folks from OFAC, we had folks from U.S. Faster Payments Council, we had our own contributors - former Treasury executive, Ari Rebord and we have the former PCI exec Troy Leach, all of these people talking about cryptocurrency and payments. So we spoke about the use cases of digital assets. We're constantly talking about how everything is wrong with the space rally. But as Ari once said, it is so important to acknowledge the opportunities also that the space provides, and look to secure these areas. But there are vulnerabilities and there are massive ones and hackers exploit it. So there are dozens of hacks every single week. As of October, I think this year, about three billion have been stolen. And that's just this year, right? So how do organizations in the space and also federal agencies conduct blockchain crime investigations? So the experts who do this every single day shared their experiences. We had folks from the OFAC talk about sanctions. Who needs to comply? And what happens when we don't? This is such a hot topic because the U.S. has been imposing a slew of sanctions against multiple crypto exchanges, and also Tornado Cash, which is a very popular mixing service. And, of course, no conversation is complete without taking into account the current and upcoming legislation in the space. And there are plenty of those. So we had people who helped formulate these policies, who would think cybersecurity first share their thoughts on how these policies impact security. But it wasn't all about crypto. It was also the Payments Summit. So we had folks from Faster Payments Council and the Federal Reserve Bank of Boston and other experts to talk about how enterprises and law enforcement can outpace criminals. What challenges Faster Payments bring, what the ecosystem of fraudsters look like, what technologies can be used to mitigate this criminality. And we also had a conversation about how to title the new challenge of P2P payment fraud. So what I liked about it, though, was that it wasn't just about solutions. It brought up a lot of questions as well. What areas of the blockchain do regulators need to focus on? What do people who brought policy in the traditional finance space have to say about cryptocurrencies? What about cross-border regulation for a currency that does not have borders? So how does this technology impact traditional financial institutions, especially banks that are entering the space? So how do you address security challenges in a decentralized finance space, which is literally designed to not have a centralized authority, so the list is endless? But that's pretty great because there are the best minds in the world that are being asked these questions. And those who have designed and implemented these as legislation discussing where we are and what we need to do. And there are also those that are currently in a position to push for these solutions and talk about the hurdles, having these conversations. And that's the point of the summit.
Delaney: Absolutely thorough analysis of the event, Rashmi, thank you, and you cover this space in great detail and depth. What's promising, from your perspective in this space in terms of regulation or even technology? What progress has been made?
Ramesh: The one observation or conclusion is that blockchain is here to stay. So you hear so much about how crypto is a Ponzi scheme, how NFTs are a Ponzi scheme. Maybe they are, and maybe they're not. But blockchain tech on which all of this is built is sturdy, it's secure. So some use cases of it may not survive the test of time. But the technology isn't going anywhere. And the government has realized this by the recently-published executive order on digital assets. And there are multiple regulatory bills in the works. And the U.S. is also exploring central bank digital currencies. India has already started a trial on it. And the U.K., in fact, is testing the use case of an NFT in the supply chain for better execution for better security and traceability. So, honestly, the segment has a gazillion use cases for cybersecurity, too, and I'm sure we'll see way more conversations around blockchain and the intersection with other technologies.
Delaney: Excellent! Rashmi, that was great. Final question - You have set up the world's most secure crypto exchange. What would you call it? Suparna, what are your thoughts?
Goswami: Yes, I thought of Cryptoden because I thought the lion's den is a more secure place. So Cryptoden.
Delaney: Love it. Very good. Rashmi, go for it.
Ramesh: I've mentioned to you earlier about my dream company called Kryptonite with a KN. But I've given up on that. Because I don't want to risk the wrath of Superman. So I decided to go straight forward this time. My company will be called Safecoins with a tagline yes, they exist.
Delaney: I believe you. Very good. And Matt?
Schwartz: I have to take my hat off to Kryptonite. The pun there is just beyond fantastic. Nothing so good as our resident crypto expert here, but what I would do is I'd call it Fort Knox. Now it might sound a little bit like Mount Gox, which basically flamed out in spectacular fashion, not quite a decade ago. And apparently, there is already some kind of a digital coin called FortKnox. But that's a digital coin. I think we're talking about Bitcoin exchanges here. So I would make sure it included all of the typical boilerplate about how it had military-grade encryption with hack roof, and how getting your money back was a silver bullet guarantee - just because we're used to those sorts of platitudes, especially from organizations that don't know what they're doing.
Delaney: Oh, these are all excellent titles. And well, I've got a working title of The Labyrinth. I was just trying to conjure up something more complex for criminals to hack.
Schwartz: Very good. Have a Minotaur coin.
Delaney: Yes. This has been excellent. Thank you for your creativity and fun at the end, and Matt, Rashmi and Suparna - always a pleasure. Thanks so much for watching. Until next time.