Cybercriminals starting to mimic corporate structures to launch more sophisticated attacks
Ransomware gangs, growing in power and sophistication, are increasingly turning to blackmail and extortion in addition to the traditional model of locking someone’s system and demanding cryptocurrency payments to regain access.
A recent report published by the National Bureau of Economic Research said that this turn began to happen around 2019. Researchers believe this is because criminal organizations, which are said to account for the majority of cryptocurrency-enabled cybercrime, became increasingly professionalized to the point of having corporate-like operations with physical offices, franchising, and affiliation programs.
Ransomware attacks remain significant, making up 23.9% of reported incidents, but have now been eclipsed by blackmail threats derived from stolen data at 32.3% and “sextortion” (defined by the researchers as threatening to leak one’s adult activities online) at 33.8%. Together, these three crimes account for 94.4% of reported incidents.
The paper pointed out in particular the rise of the “double extortion” scheme, which basically combines the worst of both ransomware and extortion; the victim’s systems are locked and they must pay to regain access, and then pay again to ensure their data is not leaked. Even when someone does not pay the ransom, attackers can still benefit, as leaking the data can still contribute to the attackers’ reputation, as the information on the market serves as proof that they are willing to follow through on their threats.
It is getting worse. The past two years have seen the rise of what researchers dub the “triple extortion game.” In such a case, not only will the attackers lock the system and threaten to leak the data, they specifically say they will do so to the media via affiliated journalists, as well as stockholders, business partners, employees and customers.
“To employ the new tactic, ransomware gangs run sophisticated business-like operations, such as maintaining call centers to contact the victims’ stakeholders and operatives for ‘due diligence’ on victims’ business,” said the report.
Adding further evidence that ransomware gangs are modeling themselves after legitimate companies, the report also pointed to the rise of “ransomware as a service” models that are becoming increasingly popular. Under such arrangements, a platform provides several services, including ransomware packages to buyers (i.e., affiliates) under several subscription models. Once the victim pays a ransom, the platform automatically splits the revenue between the primary service provider (the ransomware gang) and the affiliates. The revenue split is often based on a previously agreed-upon percentage. The report noted that the Colonial Pipeline cyberattack in 2021 used this model.
Other gangs, according to the paper, prefer to keep things in-house; it pointed to one organization that maintains more of a subsidiary model, with different sub-groups responsible for different kinds of activities. For instance, one group had a ransomware subsidiary that generated $45 million between 2018 and 2020; the parent organization, which had several different revenue streams, took in $165 million in the same time period. The structure of these organizations, said the paper, has served to encourage an increase in the number and severity of cyber attacks in order for subsidiaries to gain favor with the larger organization.
“A manager, similar to legitimate businesses, operates each subsidiary. Shared tools and infrastructures are used across subsidiaries under [parent group] supervision. The larger a subsidiary’s revenue is, the more significant the manager’s influence in the umbrella gang. This system aligns well with incentives for both subsidiary and umbrella gangs to scale operations and become more effective in the long run. However, the system also influences the aggressiveness of the subsidiaries to increase total ransom payments. The latter led to what we now observe as the multiple layers of extortion tactics,” said the report.
The paper said that the crypto-enabled cybercrime space is dominated by only a small handful of international gangs. Because these gangs are often international, the researchers said that national-scale solutions are inadequate. Further, it noted that the sophistication of these groups means that blanket cryptocurrency-related regulations or even bans will be largely ineffective in controlling their impact.
It also warned people against focusing entirely on cryptocurrency, saying that physical cash remains a major vector for illegal payments as well. Overall, the researchers concluded that more transparency and disclosures are a better solution, as it would allow these organizations to be identified more easily by forensics experts.
Cryptocurrency-based scams and breaches have been growing year over year since 2012. A recent report from CoinJournal noted that in 2022 alone the number of reported frauds and breaches related to cryptocurrency increased by 27.66% from 2021, during which incidents increased 203.3% from 2020, during which incidents increased 19.23% from 2019.