What are cyber criminals doing with the millions of ransom money?


Ransomware washes a fortune into cybercriminals' cryptocurrency accounts. But where does all the money go? A life in luxury? Research by Sophos shows that a lot of money is being invested in further attacks. If you pay, you also finance the next attack on yourself.

Where are the millions in Bitcoin & Co. going that the victims of ransomware attacks pay their blackmailers, on the assumption that this is how they will get their hijacked data back? At least once there was a hint: when suspects linked to the ransomware group "Clop" were arrested in Ukraine, an impressive collection of car key fobs was seized as evidence, and numerous luxury cars were loaded onto tow trucks and confiscated.

Reinvestment for further attacks

But, like any good company, cybercriminals also invest a certain percentage of their profits back into "operations". Expanding the cybercrime business in general is also a popular way of using the dollars earned. So it is not surprising that last year the REvil group deposited $XNUMX million worth of bitcoins with a cybercrime forum as an upfront payment for services. The action served above all to prove to the forum's members that the money on offer was more than just a promise: it was already committed and would be paid out to successful "applicants".

RAT, LPE, RCE - Cybercrime technical jargon under the microscope

The offerings on this cybercrime market sound cryptic and range from fileless software for Windows 10, at up to 150,000 US dollars for an original solution, to zero-day exploits including RCE with budgets of several million US dollars, to offers such as "I'm buying most clean RATs." The list of technical terms on the cybercrime forums is long; the most important ones are briefly described below:

RAT = Remote Access Trojan

Also known as bots or zombies. RATs open unauthorized access loopholes that allow fraudsters to take control of the PC. Some RATs offer explicit remote access commands that turn on keylogging, take screenshots, record audio and video, or copy confidential files.

But almost all RATs also have functions that let the RAT update itself, download or install additional or arbitrary malware, or immediately shut down the original RAT and remove all traces. This ability of a RAT to turn itself into completely different malware shows that the risks posed by an undetected RAT are almost limitless.

Fileless software "lives" in the registry

From a technical point of view, software that "lives" in the registry (the place in Windows where the configuration for the operating system is stored) is not really fileless, because the registry itself is held in a file on the hard drive. But most of the software that Windows starts automatically is listed in the registry as a file name naming the program that is to be executed. So if that program is malicious or unwanted, a regular hard drive scan can find and remove the malware. That is the normal case. However, some registry entries can contain the actual script or program that Windows is supposed to execute, stored encrypted directly in the registry data. Threats stored in this way do not occupy a file of their own on the hard drive and are therefore harder to find.
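As an added illustration that is not part of the original article: a small Python heuristic that separates autostart (Run-key) entries which merely name a program file on disk from entries whose value data carries an inline or encoded script, i.e. the "registry-resident" case described above. The registry values are constructed samples; on a real host they would be read with the `winreg` module.

```python
"""Classify Windows Run-key values: file-backed program vs. registry-resident script.
Added example, not code from the original article. Sample data is constructed."""
import base64
import re
from dataclasses import dataclass

# Constructed base64 blob so the sample looks like an encoded script without being one.
_FAKE_ENCODED = base64.b64encode(b"constructed placeholder, not a real payload").decode()

# Constructed sample of HKCU\Software\Microsoft\Windows\CurrentVersion\Run values.
SAMPLE_RUN_VALUES = {
    "OneDrive": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "SecurityHealth": r"C:\Windows\system32\SecurityHealthSystray.exe",
    "Updater": f"powershell.exe -nop -w hidden -enc {_FAKE_ENCODED}",
    "Loader": 'mshta vbscript:Execute("REM constructed placeholder")',
    "Agent": r"\\fileserver\apps\agent.exe",
}

# Value data that names a program file (drive letter, path, executable/script extension).
EXE_PATH = re.compile(r'^\s*"?([a-zA-Z]:\\[^"]+?\.(exe|dll|cmd|bat|vbs|js|ps1))"?(\s|$)', re.I)
# Interpreter switches that take the script itself from the command line, not from a file.
INLINE_SCRIPT = re.compile(r"(-enc(odedcommand)?\s|-command\s|javascript:|vbscript:)", re.I)
# A long base64-looking run inside the value data is itself suspicious.
LONG_B64 = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")


@dataclass
class Finding:
    name: str
    verdict: str  # "file-backed", "registry-resident" or "review"
    reason: str


def classify_run_value(name: str, data: str) -> Finding:
    """Decide whether the payload lives on disk (scannable) or inside the registry value."""
    if INLINE_SCRIPT.search(data):
        return Finding(name, "registry-resident", "interpreter invoked with inline/encoded script")
    if LONG_B64.search(data):
        return Finding(name, "registry-resident", "long base64-looking blob in value data")
    if EXE_PATH.match(data):
        return Finding(name, "file-backed", "names a program file that a disk scan can inspect")
    return Finding(name, "review", "neither a plain local file path nor recognisable inline script")


def scan_run_values(values: dict) -> dict:
    """Map each value name to its verdict; registry-resident entries deserve a closer look."""
    return {name: classify_run_value(name, data).verdict for name, data in values.items()}


if __name__ == "__main__":
    for name, data in SAMPLE_RUN_VALUES.items():
        f = classify_run_value(name, data)
        print(f"{f.name:15} {f.verdict:18} {f.reason}")
```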

LPE = Local Privilege Escalation

Fraudsters cannot break into a computer with an LPE. But an attacker who is already in the system can use an LPE vulnerability to move from a normal user account to an account with more rights. The hackers' favorite is the domain admin, almost on a par with the sysadmin.

RCE = Remote Code Execution

Does exactly what it says: attackers get into the computer and start a program of their choice without a username / password login.

Zero-day exploits

Vulnerabilities that have not yet been patched.

Zero-click attack

Attacks that do not require any user action. The technique even works when the computer is locked or no one is logged on, as is often the case on servers.

The crucial question after a ransomware attack: pay or not

Pay or not pay: that is the question after a successful hacker attack with ransomware. Even if, in principle, no ransom should be paid, there is unfortunately no one-size-fits-all answer, as paying can ultimately be the victim's only chance of averting a business disaster. However, as the "Sophos State of Ransomware Report 2021" makes clear, paying the ransom is by no means a guarantee of complete data recovery: only 8% of those who paid the ransom got all their data back afterwards. "Anyone who has ever said to themselves that paying the ransom to save the time and effort involved in restoring cannot do much harm to others should know better," said Paul Ducklin, Senior Technologist at Sophos. "Doing business with cybercriminals is like playing with fire, and at the same time everyone should be aware that the extortion money is not only being spent on private luxuries, but also on new attacks and technologies that drive the growth of the cybercrime business as a whole."

More at Sophos.com



About Sophos

More than 100 million users in 150 countries trust Sophos. We offer the best protection against complex IT threats and data loss. Our comprehensive security solutions are easy to deploy, use and manage. They offer the lowest total cost of ownership in the industry. Sophos offers award-winning encryption solutions, security solutions for endpoints, networks, mobile devices, email and the web. In addition, there is support from SophosLabs, our worldwide network of our own analysis centers. The Sophos headquarters are in Boston, USA and Oxford, UK.
