
Fortinet was proud to have been asked to participate in the first INTERPOL High-Level Forum on Ransomware, held online on July 12, 2021. FortiGuard Labs’ Derek Manky joined other cybercrime experts, including INTERPOL’s Secretary General and Executive Director of Cybercrime, the Chief of Cybercrime at the United Nations, leaders from the World Economic Forum, and members of law enforcement agencies from around the world, to discuss the rapid global rise of ransomware and its growing impact on the world economy. Manky has also been a member of the INTERPOL Global Cybercrime Expert Group (IGCEG) since its inauguration in 2015. The IGCEG is a select group of cybercrime experts who take part in annual workshops to tackle a range of problems.
Much of the forum was dedicated to the real-world impact of cybercrime on organizations globally, affecting businesses, critical infrastructure, and essential services, especially healthcare. These were very timely topics, given several recent high-profile ransomware attacks and FortiGuard Labs research showing that ransomware is on the increase.
Presenters were also quick to point out that while high-profile attacks get most of the attention, most attacks never make the news, and many go unreported. They also noted a wide range in ransom demands, which is related to the sophistication of the criminal enterprises running these attacks. Today’s cybercriminal activities are often highly distributed.
INTERPOL’s First Global Conference on Ransomware – Mapping Cybercrime
Manky also spoke about a new threat mapping project he is running in conjunction with the World Economic Forum. This effort is focused on mapping cybercrime, including the ad hoc organizations running attacks like ransomware, as a strategy for combating it. The goal is to create a strategic tool that helps law enforcement and researchers understand the scope of the problem and then use that information to disrupt cybercrime.
This is harder than it looks. While a well-known criminal name is sometimes attached to a high-profile attack, the reality is that there are often dozens of independent contractors collaborating in anonymous underground chat rooms to pull it off. Another aspect of the project is addressing the lack of a common framework for discussing and tracking these elements. Today, different researchers and organizations use different names to attribute them, which simply adds to the confusion.
No criminal activity generating billions of dollars in revenue is run by lone wolf actors. Instead, a growing percentage of cybercriminal operations are the result of loosely affiliated groups working together for a common goal. Some produce the crimeware (such as developers, packers, and individuals with expertise in special platforms), others are enablers (like nation states and hosting services), and some are members of the primary criminal organization running the operation. The most common elements, or business units, if you will, in a ransomware attack include:
- Potential targets are identified in advance. Analysts using advanced tools then watch traffic patterns and data movements to determine the best time and place to strike as well as the best ways to obscure an attack—either by exploiting security gaps, selecting tools capable of evading detection by the security solutions in place, or by using other strategies, like misdirection.
- Another group then either deploys or leverages existing botnets, or runs automated tools to discover devices with exposed vulnerabilities that can be compromised. These can be broad-brush activities, such as spam campaigns or automated scanners looking for a specific set of vulnerabilities, or targeted efforts that scour the online resources of a specific victim.
- At the same time, a group of financial experts reviews the organization’s business, resources, and potential data value to determine how high the ransom should be set. According to one recent report, the average ransom paid out is now $170,404 for all victims. But that is spread out across organizations of all sizes. Extortion rates for small companies may be less than $20,000, and for large entities the cost is often in the millions. But in either case, attackers often know exactly how much to ask for long before an attack begins. And even worse, only 8% of organizations ever recover all their data after paying a ransom, with nearly a third never recovering more than half.
- The next decision is whether to develop or customize a new tool to target a victim, or to use an existing Ransomware-as-a-Service (RaaS) offering. Both have their advantages. But as in other businesses, ROI is a serious consideration for criminal enterprises. A custom attack can be harder to detect and stop, especially when it targets a new vulnerability, but it can be very expensive to build. A RaaS strategy is far less expensive but may or may not be good enough, depending on the security profile of the target. To help with this decision, a specialized team may be engaged to determine the best course of action based on a cost analysis.
- Just as important is determining what form of extortion will be needed to get a victim to pay out. In addition to simply encrypting data and leaving a ransom note, many criminals now use double, triple, or even quadruple layers of extortion. Double extortion usually combines encryption with data exfiltration, with the threat of exposing or publicly publishing the data (also known as doxing) as an additional incentive to pay the ransom. A third layer adds a DDoS attack to the mix to shut down additional systems and create additional confusion and panic, making victims more likely to just give up. A newer, fourth layer involves reaching out directly to a victim’s customers and stakeholders to put additional pressure on the victim to pay (and to threaten the release of those customers’ personal data).
- Another set of critical players are the professional negotiators who work directly with victims to settle on a price and clarify instructions on how to make a payment.
- Digital money mules and launderers use sophisticated systems, including advanced cryptography, to transfer funds through a maze of connections so law enforcement cannot intercept or trace funds back to the cybercriminals.
- Other actions can include removing data tracks, promoting RaaS services online to potential users, and even financial planning services on how to use ill-gotten gains without being caught.
Catching the Bad Guys and Preventing Ransomware
A further challenge, closely tied to the complex structure of many ransomware campaigns, is capturing those responsible. This challenge has two elements:
- Because many of the services outlined above are provided anonymously in Dark Web chat rooms, catching one person or group does not stop an organization. Like the fabled nine-headed hydra, if one head is cut off it simply grows back, or in this case is replaced by a new individual or organization willing to provide the same service.
- The other challenge boils down to international borders. While there has been some success at hunting down cybercriminals, they still successfully evade capture because some countries are less willing to cooperate.
INTERPOL’s Ransomware Conference Takeaways
At the end of the conference, there were four key takeaways that law enforcement and other agencies, both public and private, should apply to help stem the tide of ransomware. For governments and law enforcement agencies, these takeaways are:
- Prevent ransomware by raising awareness, partnerships, and information sharing.
- Aim for pre-exploit disruption of ransomware and its ecosystem through global law enforcement actions both reactively and proactively.
- Provide in-event emergency support against ransomware attacks with the use of INTERPOL’s global network and capabilities.
- Ensure post-event support following ransomware attacks to increase resilience, agility, and responsiveness.
Achieving these objectives also requires a close partnership with the private sector. Public agencies need to combine their efforts with advanced prevention, detection, and response technologies, threat hunting and criminal tracing capabilities, best practices and training, and advances in AI and machine learning to effectively combat and counter the growing sophistication of today’s cybercriminal enterprises.
Learn more about Fortinet’s FortiGuard Labs threat research and intelligence organization and the FortiGuard Security Subscriptions and Services portfolio.
Learn more about Fortinet’s free cybersecurity training, an initiative of Fortinet’s Training Advancement Agenda (TAA), or about the Fortinet Network Security Expert program, Security Academy program, and Veterans program.