Antivirus providers are playing war games with the bad guys - interview
Cybercrime is accelerating, with new attack vectors emerging daily. But it’s not just malware that is becoming more complex: threat actors are getting more complex too, according to Bogdan Botezatu from Bitdefender.
Mantas Sasnauskas, the Senior Security Researcher at CyberNews, spoke with Botezatu, Director of Threat Research at Bitdefender, about the current antivirus landscape, the spread of complex malware, and the inevitability of leaks.
In our race to tackle cybercrime, antivirus remains one of the most widely used products that companies and individuals rely on to stay safe online. Bitdefender is a Romanian antivirus company that has established its position as a reliable provider since its launch in 2001. Today, it operates across 150 countries, serving government organizations and large enterprises, and offers a free version of its product. Botezatu shared more insights into the company and how it responds to the constantly evolving cybercrime environment.
How does it feel to be a part of this project?
Well, it's a big challenge, but it's also a big responsibility because we safeguard the well-being of 500 million people, both in consumer and business environments. So at the end of the day, you know, we're doing the good guy's work. We're trying to protect as many people as possible from falling victim to increasingly specialized groups of cybercriminals.
Imagine going every single day to work and playing war games with the bad guys!
What would you say is the most significant change in the antivirus or anti-malware world compared to when you’ve just started?
In 2014, there was a big epidemic, an outbreak of ransomware. This changed the paradigm because up until the emergence of ransomware, malware was simple to fight. You would have an infected computer, say, with a Trojan that sends spam email messages every couple of minutes.
That was nice because if you managed to somehow slip through the antivirus, the computer was infected for a brief period of time in which it caused harm.
An anti-virus sweep would eventually detect that malware and remove it. And that's where the damage stopped. With ransomware, things have escalated quickly because it is very insidious. It only needs you to miss one sample for a couple of minutes, and it infects computers in an irreversible manner.
It's no use if you, as an anti-virus company, detect it five minutes later. Because by that time, it has encrypted the device, and even if you remove it, the device still stays encrypted.
There is no restoring the functionality of the computer back to normal. So I would say that ransomware is the most visible and the most important development in cybercrime in the past few years.
We usually hear that ransomware gangs are mostly targeting larger enterprises to demand a ransom, but do you observe a lot of ransomware attacks on home users, as well?
Yes. They are still very, very visible, even if ransomware's history is very convoluted. We always regard ransomware as something new and fresh out of the oven.
It's not like that. It's been 32 years in the making. The first samples of ransomware emerged somewhere at the end of 1989. So back then, it started as a prank because there was no infrastructure to support the ransomware business.
The internet was still years away from home use, and cryptocurrencies in which most payments of ransomware are made did not exist at that time. And ransomware remained somehow dormant and ineffective to monetize up until 2014, when first threats started hitting home users.
They were less protected. They were less capable of restoring files from a backup. They risked losing everything. So, you know, the competition in the home user space became so high that at some point we would see files coming from victims that were encrypted by six or seven different families of ransomware. If users wanted to get that information back, they would have to pay each and every individual cybercrime group a specific amount of money.
And it soon became visible for cybercriminals that that was not the way to go. Now, they are moving to larger companies just because the competition on the home market was so intense that people would not pay a ransom anymore. But with recent regulations and with companies becoming increasingly reluctant to pay up ransoms, they are going back to their origins. They're starting to target indiscriminately between home users and enterprises because money is money, and they are after easy money.
Do you see an increase in more complex malware being spread, for example, polymorphic or malware that tries to evade the antivirus software?
Definitely. And it's not just malware that's more complex, it's the attackers who are becoming more complex. Up until recently, ransomware would usually get into somebody's computer by having them click on a malicious link or download and execute infected attachments that came via spam email. Now cybercriminals are doing extensive research into companies to see if they are worth being targeted. They look into financials, they look into what types of cyber insurance they have, and then they start assessing what the most important attack vectors and entry points inside the company are.
They buy stolen credentials from the dark web. They go as far as trying to bribe employees into running the ransomware on a company’s property and so on. So the malware is very sophisticated because it is able to jump from one computer, the original infection point, to different computers until it reaches the servers.
And on the other hand, there are cybercriminals who have a much more extended array of entry factors, from spear phishing to purchasing stolen credentials, to even bribing employees into compromising the safety of the network.
Bitdefender has got advanced protection against a long list of threats: malware, ransomware, adware, spyware, and so on. Could you tell me a little bit about the criteria used to detect these threats?
Yes. These tests are run by independent testing companies that put different security solutions to synthetic and real-world tests. Meaning that when analyzing a security solution, the researchers at the testing site will emulate the behavior of a normal person in front of the device. They would click on malicious links, open up attachments, and attempt to be as reckless as possible in the digital world.
And they're attempting to find threats that the antivirus should block. If you're failing that test, this means that you are not up for a real-world scenario, and people will sooner or later get infected.
These are very complicated tests. And to achieve these kinds of accolades from industry vendors, we are attempting to employ all the modern ways of doing detection, from behavioral-based analysis to machine learning to signatures. So we cover all these three key pillars that allow Bitdefender to detect emerging malware samples that have never been seen in the world until the test.
Speaking about malware definitions, sometimes you refer to them as malware databases. Are they the same for free and paid products?
Yes. Malware detection stays top-notch even if you're using a free product. We believe that cybersecurity is or should be everybody's right. And we don't condition that access to cybersecurity services for money.
We have the same amount of protection offered in the free suites as we do have in the paid ones. The only differentiator is the number of features that complement this layer of detection, such as parental controls, a VPN, you know, things that add more value to a suite. But people who need just the antivirus can use the free offering safely.
Bitdefender's Global Protective Network is one of the world's largest security delivery infrastructures. How does it work exactly, and what benefit does it bring to the user?
The Global Protective Network is, as we call it, an animal in itself. Imagine a huge cloud that spans all continents. And that's able to pass information about a threat in less than one minute. So think of this: we identify a new threat in Malaysia, for instance, right now, and within seconds, all the endpoints will become aware of that threat without the need to deliver a definition update to everybody.
So it dramatically minimizes the time needed to respond to new threats. This cloud architecture delivers somewhere around 35 billion threat queries every single day. It's a huge infrastructure that caters to these 500 million people that I mentioned a little bit earlier.
So it's one of our key technological pillars that help us act quickly on emerging outbreaks.
Recently REvil, a ransomware gang, has been shut down. Are there any statistics on how often they have been used?
Let's say that the number of downloads does not necessarily mean or depict the success of a decryptor because people would download decryptors in a desperate attempt to get their data back. On some systems, maybe it wouldn't work because you are encrypted with a different family of ransomware.
But to answer your specific question, we saved about 700 institutions and home users. And we helped them save more than a couple of hundred million dollars in unpaid ransom.
So the impact that we have on people and on the cybercrime world is significant.
Firstly, these people get to keep their money. And secondly, the ransomware authors will not receive that money, which means that they have spent a lot of effort for nothing. This helps us limit the efficiency of their ransomware programs and get them in a conflicting position with their affiliates. It helps us deal a major blow to the operation, not only in terms of revenue, but also in terms of how they position themselves on the ransomware operators' forums.
Do you think the recent REvil disappearance is somewhat connected to the spotlight they've been in?
This is not the first case where a free decryptor offered publicly has helped us disrupt ransomware gangs. The same thing happened to the father of REvil, another cybercrime group that was called GandCrab, operating from 2018 to 2019. We released five decryptors for that specific family of ransomware, which eventually helped us erode the market share of GandCrab. It made it non-viable for potential affiliates because they would react with: “how would we be able to make money if Bitdefender can decrypt that information for free?”
The same thing happens with any other ransomware operator when faced with the prospect of a free decryptor. For one, people are happy that they have a tool, and this establishes a positive mindset in them. And they will think: “I'm not going to pay a ransom because eventually, somebody will help me for free.”
And secondly, that money that doesn't make it into the bad guys' pockets means lost revenue, means a lost operation, means angry and disgruntled affiliates who are starting to lose their trust in the ransomware-as-a-service vendor.
What would be the best advice you would give someone to help keep themselves safe online?
Take security and privacy very seriously because it might not look like much to you.
You might think, what could a cybercriminal do with access to my computer or my data? But they're valuable. And cybercriminals are spending lots and lots of money on purchasing private information, purchasing access to specific computers.
Because in the end, it's not just your computer, it's the way you connect it to your workplace, to your school, to an institution. And that's something that cybercriminals desire very much.
So always attempt to employ the best security defenses that you have because there's more to the digital world than browsing social networks and maybe reading the news. The digital world holds our money, our dreams, our medical history, our daily agenda.
I would say that we know that cybersecurity is hard, and we don't expect people to be as passionate as you and me about it. For regular people, cybersecurity is just insurance. It's that guardian angel that protects you from falling into a trap.
We try to make this as easy to use for the customer and as transparent as possible. So they can do their thing on day-to-day interactions with the Internet and offload the security responsibility to the security solution that they have chosen.
Do you have any concluding security tips?
Make sure that you change passwords often and that you pick the right passwords. They should be long, unique, and complemented by two-factor authentication.
And as a last piece of advice, never give more information about yourself than required. If you see a form, don't necessarily fill it up with your data, because you don't know where it's going.
And in the event of a data breach, even if you have trusted that information to a legitimate party, it might get leaked when the company or service gets breached.