Mafia-style ransom gangs don’t need to be tech-smart, warns veteran analyst
With losses from ransomware attacks estimated in the multimillions and the tools to conduct them easily available, cybercriminals are queuing up to get a slice of the ill-gotten gains, an infosecurity veteran is warning.

Chester Wisniewski, a principal research scientist at cyber-watchdog Sophos, probably doesn’t need to worry about job security. He works to help companies resist the onslaught of cyberattacks from ransom-hungry criminals. And those attacks just keep on coming.

UK car dealer Pendragon was allegedly hit by a ransomware attack last month, with rumors swirling in early November that multinational Continental also fell victim. Both are said to have fallen foul of cyberattacks mounted by LockBit, arguably the most notorious ransom gang of all.

Shortly after, Australian healthcare giant Medibank lost data on 9.7 million patients to an undisclosed ransomware group: perhaps mindful that, on average, just one in ten victims refusing to pay actually lose their data, it has dug in its heels. But many other victims have crumbled, such as Colonial Pipeline, which paid $4.4 million in ransom last year, although the US Department of Justice subsequently recovered nearly half that amount.

However, it isn’t just about big targets and high ransom demands – whether the victim chooses to pay or not. Wisniewski warns that much of the tens of millions of dollars in extortion that Sophos has witnessed is being raked in by smaller groups mounting stealth attacks on easier targets.

Being relatively small fry, these often pass under the radar of media coverage. Yet, that doesn’t mean they aren’t adding up to one enormous cyber-headache for businesses, not to mention the potentially life-threatening impact of digital sabotage against hospitals carried out by the more ruthless gangs such as HIVE.

Cybernews sounded out Wisniewski to get his take on where this 21st-century crimewave could be headed and what worries him most about the digital heisters of 2022 and beyond.

You've previously suggested that many ransomware actors are not quite as smart as people might think, in that they seem to make the same mistakes again and again...

A lot of us think about this, and the criminals reference it themselves as an unauthorized penetration test – or, as they call it, a “post-pay penetration test,” which I don't find nearly as amusing as they do! But we get it in our minds that we're dealing with professional attackers that are quite skilled at bypassing every possible defense that we may have, any gaps in our strategy.

I don't want to insult any of them because we're certainly not trying to draw their attention to target more people, but the truth is that most of them are following a basic playbook using off-the-shelf things. These groups are not developing their custom exploits, they are not spending hours, days, or weeks figuring out how to penetrate your SQL database. They're using standard network scanners like anybody else uses, Nmap, Angry IP Scanner, whatever it might be. They're at a moderate-to-low level of penetration skill, as far as I'm concerned – if I was out there hiring for my [penetration testing] red team, most of these guys would not be on the list. It's not a super-sophisticated adversary.

The received wisdom seems to be that roughly one in ten of these actors are tech wizards that really know their stuff. Is it more nuanced than that?

It's remarkably more complex. The truth is there are a lot of different skills required to operate at scale for a group like Conti, which we saw self-dissolve this year: we did get a glimpse into their business operations, the fact that they had an HR department, they ran like a real business. We have to take each of those sections separately. I think most of our focus is on the affiliates, the ones that are breaking into our network and extorting us and taking the data. On that end, on a scale of one to ten, most of them are in the three and four zones of skill level.

However, you've got people in these groups that specialize just in money laundering, and they're quite talented at it: they understand all the cryptocurrencies and the privacy implications of those, and how to manipulate and move money between them and try to come out the other side with some hard currency.

But the evil geniuses are the people organizing the entire scheme and hiring the money launderers and setting up the affiliate program, and hiring the contractors to write the software – no different than any startup would in San Francisco or anywhere else in the world. The person with the idea typically doesn't do any of the work! [laughs] They're sitting back and bringing in the right people to run different parts of their operation for them. They don't have the luxury of hiring the best and most brilliant – they have to pick amongst the other people that have chosen the dark side, so often that's to our advantage.

There's also the constant fear amongst them that there is going to be backstabbing and theft. They often don't want to know real identities: nobody wants anybody to know who they are, so they can't be ratted out, but that coin has two sides – you also don't necessarily know who you're dealing with. So there's a lot of mistrust in the cybercrime community.

It sounds like a ‘no honor among thieves’ scenario. We hear that many of these groups are based in countries like Russia and North Korea, where they face fewer legal consequences. Are there any groups you know of based in Europe or America who try to move to these countries to benefit from that?

I don't think I've seen anything like that, but certainly, this is a global phenomenon. When we talk about the base organization, yes, most of them seem to be based in the Commonwealth of Independent States, or as I think of it, the former Soviet Union that went East rather than West. Or Iran, North Korea, we see some have been from China as well.

But affiliates have certainly been arrested in just about every country around the world – we've seen them everywhere, including the US, Canada, Australia, the UK. Those are the people who sign up to commit the crimes, not necessarily those who are organizing the whole criminal scheme.

I think they're just too arrogant, to be honest. When they get picked up, they always seem to be surprised. They're always driving the sports car, and everybody's like: "You know, we were always curious how Johnny went from working at the fast food joint to having the second Ferrari that was just parked in the driveway." They seem to have an arrogance that they're not going to get caught because they're so tech-savvy and smart – maybe the use of the Tor browser and the VPN was going to somehow keep them out of prison.

Do you think that's where the naivete comes into play? The really tech-smart actors are the ones that lack the street skills to not do something foolish like that?

The guy behind [dark web trading forum] Silk Road was picked up at a public library with his laptop – he was smart enough not to use his home internet connection, and most of the time, he had used his VPN, but he used a real email address at some point in the far distant past before he realized what level of crimes he was going to get into. That somehow unraveled the entire criminal scheme.

And that's the challenge, really – creating a new identity from scratch and keeping it anonymous is possible in this modern age, and cryptocurrency even makes it possible to get the money and put it into a real bank account. However, doing that without making a single mistake along the entire trail is increasingly harder than it used to be twenty or thirty years ago. If you're comparing being a mobster in Sicily to being a modern-day mobster of ransomware, the amount of digital cookie crumbs we leave behind every time we touch our devices is astounding. It's how these marketing companies have these dossiers on all of us that are far richer than anything the FBI or NSA have on anyone. And erasing that entire trail means never making a mistake, and that's really, really tough in 2022.

You mentioned the Sicilian mafia. Despite these pitfalls, a lot of ransomware actors do appear to be getting very rich very quickly – do you foresee a time when groups like Conti will rival Cosa Nostra and other criminal gangs of the 20th century for notoriety?

I kind of hope not! [laughs] There are tradeoffs. There seemed to be, a couple of years back, near the beginning of the pandemic, groups that wanted to be known as a brand – as a fear factor. Meaning if you keep hearing in the news about [suspected Conti predecessor] Ryuk, and then you find a ransom note on your network, and it says Ryuk – that would scare you far more than an unknown brand of ransomware.

I don't think that ever really took hold – victims largely have no idea this stuff is happening, they're not brand-aware, they're not afraid of any brand. The brands have changed so frequently. What is Conti now? It's like six or seven different mini-groups. So as far as their size and scale, I think the bigger they get, the faster and harder they fall. The longest they seem to last is about 18 months – and most of these names only last about six or nine before they dissolve and are reincarnated.

Affiliates often participate in multiple ransomware groups, so it's not even really possible to survey the landscape to tell the size, but I think it's going to remain somewhat small because that's where they're having the most success. When they grow too big is when somebody turns on them or steals the money – or the people at the top just decide they're rich enough and walk away.

You get one report that says ransomware gangs are going after the big companies, another comes out and says SMEs should watch out, and so on... Is there really any pattern to the modus operandi of ransomware groups as a whole, or does it just depend on what the individual ringleaders decide?

I don't really think there are any [specific] targets. We were watching this really closely to see if it shifted when the war in Ukraine started, just because some of us feared there was a ‘do not attack’ list to keep too much light from being shone upon them. And that maybe with Russia not fearing anything from the West anymore, they would start targeting more schools or hospitals or governments – things they would have been more careful around before, to try to not end up doing the perp walk.

The truth is, we haven't really seen any change. How much money you have determines how sophisticated the attackers might be – but we're seeing everything from 15-person companies regularly getting hit. Obviously, those companies aren't paying million-dollar ransoms, they're not headlines, but that's not stopping smaller groups from targeting them for $10,000 or $15,000.

It's important to remember that some of these crimes are being perpetrated from Sri Lanka, or Bahrain. There are lots of different countries where there's poverty, and $10,000 goes a really long way – that's like twice a person's salary for a year. That seems like a small amount of money compared to the Colonial Pipeline attack in America for $4.4 million. We get it in our heads that it's all about that, when it's really happening across the board.

I saw another American healthcare system that was hit, another K-12 school – there's no off-limits. Yes, groups do specialize – a “we don't attack schools” policy or “we don't attack hospitals.” But then there's another group like HIVE that is more than happy to. We think we see these patterns – but across the board, when you add it all up, they're going after everything.

Human vulnerability is what all cybercrime is about. The reason we fall for phishing attacks isn't because we're stupid, it's because we had a long day and just got a call that our kid is sick and we have to leave early to pick them up – and then that email comes in, and we click the link because we just weren't paying attention. Most of our problems in cybercrime come from human psychology and frailty in the end. These guys monetizing that just shows ethically where they're at.

Is it true that around half of ransomware attacks are facilitated by social engineering attacks, that is to say, trick emails sent to employees and the like by cybercriminals?

It's really difficult to get to the root causes of a lot of these cases, but of the ones we investigated last year, 47% were a vulnerability unpatched [on an] email server, VPN concentrator, firewall, that type of thing. The other 53% were “other,” of which the vast majority, we assume, were stolen credentials of some sort – we don't know how they were stolen, if it was reused passwords from the LinkedIn breach ten years ago, or whether somebody got the phishing phone call or email or the SMS. But they logged in with the real password: we don't know where they got it, but it was likely some social-engineering scheme like phishing.

Is there any particular trend in ransomware crime that you find really unsettling?

One is still the ignorance of organizations: thinking they won't be targeted despite the fact that they haven't done any of the basics correctly. Those things unpatched were, on average, [left unfixed for] more than three months, so there was plenty of time. And that ignorance – it won't happen to me, it's going to happen to someone else because the headline has never been about a company like me, or I'm just not paying attention – is really concerning because it means there's an endless supply of very weak targets for these guys to continually exploit over and over again.

The pattern that concerns me the most goes back to an earlier question. We haven't seen them be particularly targeted in the past, but it seems like they're going in that direction. We've seen it with phishing attacks: as we're coming into the holiday season, we typically see more phishing around shipping notices. We all expect to send packages to our loved ones around Christmas time, and therefore criminals shift all their phishing into pretending to be Canada Post, the US Postal Service, Royal Mail, UPS, DHL, or FedEx. They've gotten very good at adapting as the year goes by, to change their phishing tactics to match major world events like elections or holidays like Valentine's Day and Christmas, things they can latch on to that increase their yield.

I think the ransomware criminals have started going that way. We certainly saw a surge in attacks on schools when the school year restarted in September. The criminals have realized they have extra leverage to get these schools over a barrel to pay these ransoms. Will we see an increase in retail targeting coming into the holiday season as that ramps up? Will we see other patterns emerge, as companies are particularly vulnerable if you disrupt their computer systems at certain times of the year? I'm a little concerned that if they want to be more sophisticated, they could start doing that – and perhaps increase the percentage of victims that pay.

If somebody drops out because they retired, there's more than enough people standing in line to take their spot. We're talking about probably a billion-plus dollars: it's impossible to know the [total worldwide] amount of ransoms being paid, but just on what we witness, it's very easy to say it's tens of millions. I can see that much flowing myself, it's a heck of a lot of cash.