Sophos principal research scientist: some criminals might not know how dumb they are
Infosec researchers know about cybercriminals more than they reveal to the public. “We do not want to tip the criminals off to something dumb that they regularly do,” Chester Wisniewski, a principal research scientist at the cybersecurity company Sophos, told CyberNews.
Instead, researchers share this knowledge with law enforcement to help catch criminals by hand.
Wisniewski, having more than 20 years of professional experience, analyzes the massive amounts of attack data gathered by SophosLabs to distill and share relevant information in an effort to improve the industry’s understanding of evolving threats, attacker behaviors, and effective security defenses.
“2021 has just been a rollercoaster,” he told me during the interview. After ransomware was banned on the hacker forums, cybercriminals moved to private discussions making it harder for law enforcement and security researchers to trace them. The rebranding of major ransomware gangs also makes them lag behind the masterminds of the criminal world.
However, cybercrime, according to Wisniewki, doesn’t seem to be increasing at the pace of the first half of 2021. Another silver lining is that threat actors are actually not that smart - some of them keep making the same mistakes that can easily end their ‘career’ as an outlaw.
In your bio I read that when you are not busy fighting cybercrime, you spend your free time cooking, cycling, etc. Now, I’m not going to ask about your hobbies. I just wonder how you help fight cybercrime? Do countless researchers that Sophos do and insights that you provide help law enforcement? How?
We work with Europol, FBI, Australian Federal Police, and Royal Canadian Mountain Police. It depends on what's going on. In this modern-day, if you do everything perfectly, if you never make a mistake, you could probably stay anonymous and get away with ransomware and stealing all the money. But nobody is perfect, and people do make mistakes.
The most recent high-profile public case that we were involved in was probably the SamSam ransomware group that we had been tracking and publishing some stories on about two-three years ago. We came across some things that we did not disclose in blog articles, some mistakes that they have made. We thought there was no value in this to the defenders, so we would share this privately with the FBI and cooperate with them, and provide some additional information. Eventually, the FBI worked with the Department of Justice, and they did the wanted poster and the press conference.
If specific information can help people not be victims of a crime, you often want to disclose it publicly. Sometimes, there can be some tension in deciding whether sharing is the best way to go. Obviously, we want law and order, and we obviously need some deterrence to these crimes, but we also need defenders to be well equipped to understand what attackers are doing.
Obviously, you don't want to give yet another weapon to cybercriminals.
Information is not going to be kept secret. Criminals are not stupid. The ones we are worried about, the adversaries that are succeeding to cause the most damage these days, are very skilled pen testers working in concert with one another and building their own playbooks. By the time the FBI publishes something, it's so stale and well-known to the criminals that it's a joke. We've been through these battles for over 25 years in our industry with Metasploit (penetration testing framework), which is a legitimate tool. Criminals use it too. We see Metasploit used in ransom attacks, and we see Cobalt Strike (penetration testing product) used in ransomware attacks all the time.
Does that mean that tool is unethical or shouldn't have been released, or there shouldn't be tools like that? I don't think so. The truth to the matter is - ideas can't be controlled like arms. There were a lot of talks two years ago about the international agreement mainly designed to regulate the arms trade. They wanted to apply it to exploits. Should selling zero-days be controlled? Should you only be allowed to sell it to governments or legitimate companies, whatever that means? The truth to the matter is, this is not a nuclear weapon that can be controlled. You can't control it like trading highly enriched uranium.
Once the idea of how you attack Microsoft Exchange Servers (like happened twice this year with ProxyLogon and ProxyShell) comes about, once the cat is out of the bag, every criminal from the street thug all the way on up to a kingpin in an organized crime gang can use that weapon the same way that the Chinese who developed it did.
I don't really buy into the idea that publishing detailed information for defenders gives the attackers any necessary advantage. I think we have certainly seen publishing nation-state attack playbooks may be causing some damage, but I am not sure restricting it would necessarily be helpful. But it is one of the concerns I have. When we see attacks like the SolarWinds attack, this supply chain stuff is very interesting to the criminals, and seeing how China or Russia or the United States go about it as we saw with Stuxnet or SolarWinds or the ProxyLogon attacks that were attributed to China back in February.
Those are, in a way, sometimes inspiring to criminals. We did see the zero-days from the Stuxnet attack on Iran immediately being used by criminals around the world. And then we did see the methodology with which they approach attacks, start to get more sophisticated, look like they are maybe cribbing ideas from how we disclosed all that information about Stuxnet. And we've seen similar things with SolarWinds and other nation-state attacks that the security industry has well documented.
It's a tough call because we obviously don't want to inspire the criminals to take on new things. On the other hand, if we know about it, there's no reason to believe somebody else doesn't know about it, and defenders should understand what they are up against rather than pretend we are keeping secrets.
I've read an intriguing article by Sophos on ransomware mishaps. The brilliant minds some criminals might be, they are only human, and funny misfortunes happen to them. Has something stuck in your memory?
I have to give cleverness to the victim who didn't want to pay the ransom to get their data back, so they let the criminals publish all the data on the dark web to get access to their data again, which was kind of clever.
You don't want to see your information published necessarily, but if you can't afford to pay the ransom and there is data that you wish to access, and the criminals are threatening to make it public, it does kind of turn the tables on the criminals to have the criminals play into your own hand by giving you your data back by publicizing it.
It's important to remember that these criminals are not perfect. They do make mistakes. We do stumble across stuff regularly where the criminals have disclosed their IP addresses. The ones we published were only the ones we could post innocently and not tip the criminals off to something dumb that they regularly do.
There are certain things that we see. The criminals make the same mistakes over again. We intentionally don't publish those in our blog articles. We think they don't know they are doing this, and we don't think they understand that we can trace them back because of their mistake. We are not going to talk about that, and we keep that a secret. Once it's well known or somebody else lets the cat out of the bag, then it's no longer a secret, and we can talk about it.
But there are quite a lot of things throughout any given year. Whenever we publish a blog, we have a meeting and talk about it. Do we really want to say this? Because maybe they don't know they are doing this thing. They might not know that they are tipping their hands.
I mentioned SamSam earlier. One of the reasons why we were able to collaborate with the FBI was SamSam's server infrastructure, which was disclosing not just their IP addresses but also all of their communications with their victims.
Even though Sophos might have only protected 10% of the victims of those ransom attacks, we knew who the other 90% were. We didn't put that in any of our reports until the FBI had made their official public indictment. After that, we felt more comfortable speaking about it.
When we were putting the list of funny things together, we were censoring it. We were like, 'these are the funny things we've observed, but some of these we should probably talk about because the criminals might not know how dumb they are being.' We are just going to hold that back.
I ask all the experts that I talk to - how has COVID-19 changed the cybersecurity landscape?
I don't think it's all attributable to COVID, but COVID changed it. These guys already were on this path of ramping up ransomware attacks before the pandemic began. The criminals entirely focused on remote access for their attacks. We saw more exploit development against remote access tools starting in 2020. We saw more organizations that previously were trying to cut down on remote access suddenly make it very available, which made it available to the criminals as well.
Certainly, the style of attacks can be attributed to the pandemic, but not the volume of them. 2021 has just been a rollercoaster. If you called me and asked me in June what I saw in 2021, I would have said this rapid acceleration of attacks. We saw far more at the beginning of 2021, especially ransom attacks, than we had ever seen in 2020 or 2019 for sure. Then there was this disruption when all this publicity happened around the Colonial Pipeline attack and president Biden talking to Putin. And that's not to say that it stopped necessarily, but it seems like it was a disruption in our ability to monitor their communications.
They talk a lot in specific criminal forums, the dark web, and many of us in the security community participate in those forums and keep an eye on what they are talking about, who they are talking to, and how they are organizing this kind of thing. Most of those forums had some restrictions on talking specifically about ransom attacks because they didn't want law enforcement to get too interested in their particular forum. Then they banned ransom criminals from communicating on their forums out of fear when all the attention was being put on things over the summer.
That made it more challenging to keep an eye on some of the activities because they went into more private areas where we wouldn't have access. And we did see a disruption in the number of victims slightly. It was a massive acceleration early in the year, and now it seems to have leveled off.
What's been odd the last month or two has been all these groups seem to be rebranding, if that's a thing for a criminal, changing names every few weeks. We keep seeing new names, and it takes us investigating two or three incidents of that group before we can go, "oh, wait a minute, that looks just like this one from before." Then we realize that it must be the same people, maybe they are using a different ransom network, but it's the same attackers.
For example, we talk about Conti as if it's four guys sitting around the table. The truth is, Conti is a payment processing chat network for negotiating with victims and maybe the encryption tool itself. But the people carrying out the attacks are affiliates of Conti who are sharing the proceeds. Those affiliates are changing rapidly between ransom brands now - they might have been affiliates of Conti, but currently, they are affiliated with Black Matter.
It takes a few incidents to make a pattern enough before realizing this is the fingerprint of this particular group. Once you know the fingerprint, it makes it easier to defend because you go 'oh, every time we see group Y, they always copy the stolen data to this certain file-sharing service, or they always seem to use this PowerShell script that turns off the antivirus.’
You start to recognize what they will do next because you've seen them five times before. And so, when they are changing brands as frequently as they are, it makes it a little bit more difficult sometimes to identify and predict what the next step might be because you are trying to figure out who they are dealing with. That's been one of the big patterns over the summer.
Other than Conti, most of the brands vanished, REvil went away, and we haven't seen any Ragnarok. REvil came back. Where are they on vacation? Did they change names over the summer and decided to change back? We just don't know why they do these things, but the volume has certainly kept up at a pretty high pace despite the motions from the United States to cut it out.
They have become somewhat PR-savvy. Are they doing it to better recruit other criminals?
I think any guess we have is as good as the next guess. We don't know what's going on in their minds. We certainly had some speculation that victims might be more scared if they recognize that it's one of the well-known successful groups they are up against, and they might be more willing to pay. I haven't personally seen any of it when talking to victims.
Victims are largely ignorant of the space, which is ultimately why many of them become victims. When you go to them, a victim has never heard of Conti. If they had heard of Conti, they might have taken measures to protect their assets better because they would realize how prolific and skilled these groups are. I don't know if I buy that.
Partly, they are public for the recruitment of affiliates. There's a lot of competition to get skilled pen testers. REvil has literally placed job ads for penetration testers, and it's no secret that that is precisely what's helpful in doing the types of attacks they are doing. That could be it.
It could be that they enjoy it. Criminals like the spotlight. People like their 15 seconds of fame, I guess.
The constraint on ransomware is the ability to cash out, not the ability to operate malware infrastructure or hack into networks, Thaddeus E. Grugq tweeted. What do you think about it?
It's not hard enough. Laundering the money is probably the most challenging component of the attack, to be fair. Most of these attacks aren't that sophisticated. Unfortunately, the victims have usually left the door open, and it's not that hard to get in and cause a lot of damage. The money laundering aspect has undoubtedly been a challenge.
It's interesting because the criminals are trying to move away from bitcoin because it is a little bit too traceable. But the victims have, of course, never heard of a lot of these other cryptocurrencies.
It's sort of like early in the ransomware days when it was hitting consumers rather than businesses back in 2013-2014. One of their challenges was, if you hold a grandma hostage, she doesn't know what bitcoin is. If you don't take Mastercard and Visa, how do you rob an individual? It's tough. My parents have no idea what bitcoin is. There's no way you can talk them into giving a criminal a bitcoin.
For businesses, it's a similar thing. Demanding Monero is difficult because people don't know how to buy Monero. We are not talking about small amounts of money here. Recently, we were dealing with a victim who was with a $6 million ransom and just paid up. It's hard to get $6 million with a Monero in a few minutes' notice. With bitcoin, it's a little bit easier.
The criminals are now refusing to accept bitcoin for illicit trades within the dark markets themselves. They are almost exclusively using Monero. But they still have to accept bitcoins from the victims and then figure out how to turn bitcoin into Monero, move it between different cryptocurrencies a few times, and try to launder it.
There are specialized groups that just do the money laundering now. Every piece of this process has gotten specialized. The initial network breach is typically done by an initial access broker, somebody who specializes just in finding networks that they can either get a reused password or that unpatched VPN server or whatever thing they are using to get in. They don't carry out ransom attacks, and they don't steal data themselves. They serially break into organizations to get a foothold. Then they sell the organizations off to the pen testers who then follow the script of finding the sensitive data on the network, finding the backups and deleting them, setting up to disable the administrator accounts when they are ready to attack, and figure out how they are going to deploy the ransom software.
And then, of course, they are using the ransom kit from an affiliate network like Conti. And then the Conti guys, once they get all the money, are hiring professional money launderers that have set up ways of moving all that bitcoin and Monero around to anonymize it. It's easier now than it looked a year ago. Most of them were doing their own money laundering, figuring out their own way to get the money out of the system. Because it was so difficult, that's now turned into another job that somebody got really good at.
The FBI and similar bodies do not recommend paying the ransom. While it makes sense, many experts agree that paying it might be the only solution for businesses that can’t afford to halt operations for a long period of time, and small and medium businesses because that would simply mean losing the business. Does it mean that smaller companies are less resilient to cybercrime? If you are small and get hit by ransomware, does it necessarily mean the end for your company?
It's probably the one thing I entirely agree with the FBI. Don't pay the ransom. I would encourage them not to pay the ransom, and I would provide them with data suggesting that paying the ransom actually costs them more money.
Paying the ransom typically does not make you whole again. I don't see any advantage in ever paying the ransom, even if you think it's your only way out. Our survey information and the victims that I spoke to time and again say that the cost of restoring their business is additional to paying the ransom. If a criminal has compromised the server, even if you pay the ransom, you still need to rebuild it because it's been compromised, and you can't trust it anymore. You still have to go through the whole process of rebuilding your entire infrastructure that's been altered even if you pay the ransom.
The surveys we did early this year showed that almost no one gets all their data back. So they are still in a position of not necessarily having all their data. I strongly discourage paying the ransom, but I'm not going to criticize anybody who does. It may be a business-ending event. Some organizations we've spoken with say that they can continue to operate as long as they can get particular files back. But if they don't have that, their business ends. If that's the case, you have to do it. I don't think anyone should give up their business to satisfy my desire to cut off the money flow to the criminals.
We should be thinking more clearly in those situations, which is hard. You feel like someone has a gun to head, and you are trying to decide about your organization's future, and you've got a day to make all these very important, incredibly complicated decisions.
The quantity of victims I see paying is disturbing to me. And the ones that I see don't pay,are happier in the end. There was one victim I was helping out about a year and a half ago here in Canada. The original ransom demand was $2,1 million. Ultimately, they didn't pay, but it was interesting to do the finances with them in the end. It cost them about $2,3 million in the end, but that included upgrading all of their security products and their entire infrastructure, upgrading the hardware, hiring another security person on their team. It cost their business about half a million dollars for the extra time it took them to do it without paying the ransom. If they had paid the $2 million ransom to get the half a million that they wasted by having it take longer, they would still have to spend the other 2 million to upgrade their security and rebuild all the stuff. They felt better about not having funded the criminal organization.
Too often, people pay out of fear. Colonial Pipeline is a perfect example. There were headlines with quotes from the CEO, saying they are paying the ransom and hoping it helps get the pipeline operating again. We don't even know if it's going to help. If that can help us get the pipeline on faster, I'm just going to pay it. And then we will worry later. If that didn't help, it didn't help. We are losing so much money, and there's so much scrutiny, I'm getting phone calls from the president. I'll just spend 4 million to hopefully cross my fingers and pray that the network comes back right up.
That's the exact wrong attitude. I'm going to fund these criminals even if it doesn't help me just because I'm in a panic. There's too much of that happening, and it's frustrating. If we can cut off the money, these guys are so well-funded, one of these attacks is enough to buy all the exploits and attack tools they need. They don't even buy the stuff anyway, they are the thieves, but even if they were going to buy them, they are as well-funded as governments when it comes to their ability to conduct attacks.
More from CyberNews:
Subscribe to our newsletter