One gang of cybercriminals extorted at least $75 million from private sector companies, local governments, and hospitals, a former NSA contractor concluded in a months-long study released Wednesday, an alarming sign of the potential financial rewards for online attacks.
Jon DiMaggio, the chief security strategist at Virginia-based Analyst1, estimated the group known as Twisted Spider used the Egregor ransomware to extract at least that amount from his targets, according to publicly acknowledged ransom payments. He believes the real number is much higher, because “many victims never publicly report when they pay a ransom” and the “bad guys don’t post their stuff online.”
DiMaggio’s study is a broad examination of attacks in recent months, examining the goals, practices, and payoffs of what he calls the world’s first “ransom cartel.” Gangs like Twisted Spider operate within a web of similar groups, often, often relying on other gangs to hack into corporate networks and insert ransomware into systems.
That insulates the leaders of the group from prosecution. In February, for example, Ukrainian and French police arrested “affiliates” of the ransomware cartel in Ukraine.
The gangs of cybercriminals who predominantly originate from Eastern Europe and Russia have built checks and balances into their ransomware to ensure that none of the victims they target are Russian, DiMaggio wrote. The attackers joined forces to steal data and negotiate payment with victims across their command and control structure, and have created malware that checks if the system language they are attempting to infiltrate matches dialects spoken in the former Soviet Union.
“The Cartel gangs do little to hide the fact they speak Russian, and they go out of their way not to target victims within affiliated Russian territories,” wrote DiMaggio, who has in the past conducted vulnerability assessments on classified and unclassified US government networks and was later an intelligence analyst at Symantec.
The Russians “are not prosecuting these individuals and that’s one of the reasons why ransomware appears to originate primarily out of Russia. Those are the guys that don’t get caught because no one is arresting them. The ones that got arrested were arrested in Ukraine,” he told Bloomberg News.
The gangs also ran “leak sites” where they would post a company’s hacked data in a bid to shame them into paying ransoms to prevent further sensitive information from being published online.
Most worryingly for DiMaggio, was the growing trend of automating attacks. He said the gangs were “spending time and money to improve their malware and to add automation into the code of the ransomware.”
That will lead to a higher volume of attacks; an attack that once consumed a week to a month to stage was now taking hours.
“They’re taking their proceeds and they’re reinvesting in themselves,” he said. “It really reminds me of a business model, they’re professional criminals.”