There are some strange rules in techno-shock stories published in the mainstream media. Ever-larger counts of stolen data sets from ever-more-remote corporations form a constant backdrop to the self-appointed superheroes, videoing themselves laying down the actual law to some distant, bemused office of identity scammers before wiping all their machines with one click of the mouse.
Altogether there’s a certain sense of predictability to the affair; a way that the whole matter can fit into our view of our societies and how they work. One of the oddities always makes me look up when a ransomware story comes by, and it’s that there are upper limits to the amounts of money paid in scams. This is of semi-professional interest to me, because as a callow spotty lad I got to play around with a portfolio of loans totalling some £2 billion. When I say “play around”, I mean I had access to a read-only copy of the databases, and a whole boardroom of impatient, irascible banking directors had access to me. I quickly learned there was no approximating with that amount of money and that audience: you had to be able to track what was happening to the millions – the pennies – and every other sum in between.
So when I see an artificial cut-off in the reporting of the scale of the ransoms being demanded, I become suspicious and want to find out why. Not an easy topic to pick, even for someone with my employment history.
Assessing the ransomware battlefield
Securing endpoints amid new threats
Ensuring employees have the flexibility and security to work remotely
We know that there are incidents at all scales, but why do we only get to hear about the pay-outs in the few million bracket? It’s pretty clear that the more we can see in public, the more inclined we will be to heed the various warnings that have escaped from the security-nerd ghetto and now come from sources disinclined to hyperbole.
Recently, I had three separate notifications drawing my attention to statements issued by the NSA, the FBI and the CISA. I feel honour-bound to point out that we have been so far ahead of this curve, that people may not realise the breadth of our contribution: incredible as it might seem to our group of mutual friends, Mr Winder and I were meeting with the men of the US Secret Service nearly three years ago. Not that there’s a traceable link between those meetings and any emergent products or services, mind you.
One of the most difficult things to engage with is that the fightback against ransomware and cyber criminality is a weird mixture of massive names and single individuals. Do you know who Troy Hunt is, or what he does? It’s not even immediately apparent from his own blog: Troy owns haveibeenpwned. com, the go-to site if you think your personal data might have been stolen from your employer, supplier or government department.
Ironically enough, we’re advised by many cyber security resources that we should check the credentials or reputation of any newly introduced site, and yet Troy emerged for most of us as a wildcard. The economics of a private individual running a web service in the middle of a maelstrom of crooks and cops, corporates and consultants are far from straightforward, and Troy’s provision of a database of stolen and recovered names and addresses is a Pandora’s box for both businesses and private individuals.
Once you’ve realised your email or credit card number is in his list, it’s up to you to work out the best response to that. It only takes a tiny fraction of the pool of victims to misunderstand Troy’s role and purpose, and come out with all lawyers blazing; not something they would be trying on IBM. I mention IBM because it’s also in the anti-ransomware public service business through its participation in the Quad9 project. This is a public, free DNS server that automatically refuses to return blacklisted DNS addresses, thereby cutting off the sine qua non of ransomware work: no prospect of remote access to your machines, if you’re using IBM’s DNS at 9.9.9.9. Again, how you achieve the level of well-researched satisfaction that either IBM or Troy Hunt genuinely own the resource you’re about to stake your financial future on, nobody seems to know – but they all think you ought to make the effort.
That strange sense of distorted scale, of one rule for the big boys and another for the small fry, becomes a primary concern when you’re trying to work out how to manage the process of recovery from a ransomware attack. Ask a business to develop a resilient IT platform and the first thing they do is go and get Gmail addresses, “just in case” the attack does bad things to their company email server (an early fad for the bad guys, now not so popular; they definitely want that email server working to discuss the payment of their demanded ransom, after all). I don’t mind the Gmail reflex move, actually, as it’s better than having your key workers admit they don’t know what to do otherwise, and it’s a great kicking-off point for ransomware training.
Actually, I hate the term “ransomware training”. Putting this subject into a straight chalk-’n’-talk, PowerPoint-driven training environment isn’t going to give you the outcome you’re looking for. I’d far rather have a brainstorm, with as much coming back from the workers themselves as anything else, and the occasional opportunity for a guest speaker with Q&A included in the session. If you just use the security jargon to make up 209 slides of dense, in-vogue security highlights presented in bright red upper-case text, then the only thing you achieve is glazed eyes and a desperate need for a comfort break. Having people feed back and ask questions about the things they don’t understand, has a genuine impact.
A goldmine for ransomware operators
The most recent case to come to my attention might hold out an answer for us: what happens when the ransom demand is seriously impressive? Pardon me for not doing my usual in-depth description of the business in question; it will be clear as the story unfolds that this is one case study where identifying anyone involved is a serious bit of risk-taking.
If you want something to anchor your understanding, then we can agree that the business might as well be a gold-smelting company – but only because I watched a documentary on the Brink’s-Mat heist, and the mixed fortunes of the smelter that took on the resupply and monetary switching of the massive quantity of gold stolen in the raid. Most certainly not because you can guess the real identity of the victim from that description. The situation evolved as ransomware often does. Initially, there was a small-scale infection of one PC, which went undetected by software or humans. The infection facilitated long investigative remote control sessions. That investigation, though, wasn’t by the IT support guys, but by the bad guys. They traded instant money at low values (using the infected machine as a passthrough for gaming or video- download purposes) for much more money, a few months down the road, by quietly wandering around the network, just reading documents here or there.
In a gold refinery, you don’t measure the value of work by the accompanying weight of paperwork. Millions of pounds of value can be handled in a few A4 schedules of bars in, weights, bars out and serial numbers. The only indications that perhaps there was a bit more money in this business than the common or garden metal trader was partly hidden away, in simple files of scanned invoices coming in, matched to payment notifications going out. Like a lot of people in this sector, these guys had some impressive and possibly not terribly legal side-gigs going on, fitting into the cash flow of the main business.
So the bad guys took their time, looking around the file structures of the machines and servers, trying to work out what they were dealing with. Nobody detected their remote-control sessions. Hardly a surprise, as in lockdown, remote control of single desktop PCs had been a lifeline for this business, like many others, so they’d almost have expected to see someone back seat driving practically any machine in their LAN.
Pulling the trigger
Everything was prepared through that one remote link. I assume they had encrypted older documents before D Day on the principle they couldn’t hit all the files simultaneously, and that older files wouldn’t often be opened or referred to. By the time they were ready to break cover and deliver their ransom demand, their company-analysis research project had been completed, too. Possibly over-excited by a couple of documents they found, and by the more obvious signs of wealth you might expect to find in a gold smelter, they decided this ransom would be seven figures.
From my perspective, that meant a specialist had to be found and consulted, to figure out that this business would be ready to pay a sum of that scale. However, the answer to my initial question, about why the bigger ransoms don’t come out in public, came with all due despatch when the Heavy Mob showed up. I don’t mean hundreds of policemen, or Special Forces types in balaclavas, rappelling down from a helicopter; I mean the quietly spoken, beautifully dressed, upright-standing guys who provide private security services to those with things to secure. They were visiting, apparently, to discuss the prospects for getting the money back, and the range of tactics of persuasion they had at hand to make that happen.
That’s what happens as ransomware amounts get bigger: they attract the attention of equalisers, firms who have no major difficulty in identifying the fraudsters, and even less trouble turning up at their gaff with some shooters, with the intention of having a little word.
At a certain level, somewhere around the £10 million mark, the alleged perfect security of the dark web becomes amenable to enquiry. It’s always the humans who represent the easiest part of the security fabric to break down, especially if you’re prepared to take that as a literal instruction. As of three weeks into this incident, I never heard much from the equalisers, or the victim company. I am assuming this means they haven’t succeeded in working out who has the money.
