Ransom gangs function just like McDonald's, researchers find

As more organizations fall victim to ransomware, they might be surprised to find that the anatomy of modern ransomware gangs is hardly different from traditional franchises.

From Australia’s largest health insurer Medibank to UK’s second-largest car dealer Pendragon, companies are hit with cyberattacks resulting in data theft and subsequent ransom demands. And while some, like Medibank, refuse to pay, others are more willing to give into cybercriminals’ demands. But how do such ransomware gangs operate and what are they really after?

A recent paper from Duke Fuqua highlights how the majority of criminal gangs operate out of North Korea and Russia, and indeed, the researchers themselves worried that studying modern cybercriminals would put them in danger. Nonetheless, they continued with their effort in the hope that their findings would help society fight back against the burgeoning cybercrime industry.

Crypto-enabled crime

A particular problem observed by the researchers was the way in which cryptocurrencies have enabled criminals to conduct their activities far more widely. They explain that the overwhelming majority of ransomware attacks demand payment in cryptocurrency, and the growth of currencies like Bitcoin has provided two key opportunities for criminals to exploit.

While the use of cryptocurrencies as a form of ransom is well documented, hackers are also targeting exchanges themselves. For instance, the Japanese exchange Mt. Gox has been the victim of multiple cyberattacks, with the most notable in 2014 resulting in the loss of 850,000 bitcoins. The anonymous nature of blockchain means that attackers are initially shielded from scrutiny, with detection possible only when they try to extract the money.

By far the most common opportunity, however, is in using cryptocurrencies as a payment channel. This replaces wire transfers (or the traditional suitcase of cash) with something far less traceable. The researchers explain that a record $14 billion was extorted in cryptocurrency during 2021, which represents a growth of 79% from the year before.

Sophisticated operations

Given the scale of the money involved, it’s perhaps no surprise to learn that modern cybercriminals are a long way from the lone wolf operating in their basement. Instead, they’re more like a traditional corporation and deploy a sophisticated array of methods to extract money from victims. These operations include everything from call centers to physical offices, as well as a wide range of technological tools to launch their attacks and extract their bounty.

Indeed, the bigger ransomware organizations often operate in a kind of umbrella structure that allows smaller gangs to access the software they need to launch successful attacks on victims. Any ransom that is extracted from the victim then triggers a “commission” to the umbrella group. In many ways, they function in the same way that traditional franchises, such as McDonald's, do.

Another interesting observation is that there does appear to be a degree of honor among thieves, as the researchers found cybercriminals will generally keep their promise to unlock a system after the ransom has been paid. They explain that this is predominantly due to the important role reputation plays in leveraging any attack to extract ransom payments. Criminals need their victims to be confident that paying up will release their systems.

Continuous evolution

As the sector evolves, cybercriminals are adding additional layers of complexity and new ways of extorting money from victims via novel ways of hacking that are harder to both detect and fight off. Despite this sophistication, organizations and security teams are still overlooking various basic forms of defense that are leaving them unnecessarily vulnerable to attack.

Cybersecurity should very much be viewed as a first-level risk for the organization, but it’s seldom treated as such, which results in general underinvestment in cybersecurity. Indeed, it’s too often viewed as strictly an IT issue rather than a strategic imperative.

Despite the use of cryptocurrencies by cybercriminals, however, the researchers don’t believe that blanket restrictions are a good approach to tackling this issue. Indeed, they suggest that the inherent transparency and digital footprints that are fundamental parts of the technology can play a crucial role in tackling cybercrime.

"This opens the possibility of deploying forensic tools with a focus on tracking, monitoring and identifying the crypto transactions attributed to criminals," the authors explain.

Here are three key reasons why such a blanket approach would not work:

1. Both cybersecurity and cryptocurrency are very much international issues so stringent regulations in one particular country are unlikely to prove effective as criminals will simply bypass them. A global agreement is required, although they concede that this is extremely difficult to achieve.
2. It’s also important to note that while cryptocurrencies are playing a growing role in cybercrime, they’re a relatively small part of the illegal payment landscape.
3. Perhaps most importantly, for all of the fears around cryptocurrencies, they still have many potential benefits, and it’s important that we don’t throw the baby out with the bathwater by imposing excessive restrictions and regulations on a technology that could do so much.

More from Cybernews:

Robin Banks resurrected after moving to Russian servers

Rebellious Twitter users flock to Mastodon following Musk’s takeover

Another ex-eBay employee sentenced for aggressive cyberstalking campaign

Cash cleaner gets four years for laundering web scammers’ money

Cyberattack paralyzed Danish Railways for hours

Subscribe to our newsletter