In the spring of 2016, Samani was at Europol’s European Cybercrime Centre in the Netherlands. He was there with security experts from Kaspersky and the Dutch Police. At some point, they booked a small meeting room and started to talk about joining forces. Would it be possible for security companies to unite with law enforcement and build a platform where users could find all the decryption keys free of charge?
“I was like: Absolutely,” Samani says. “We need to do this.” Everyone in that room quickly agreed, and the NoMoreRansom.org project was born. “I don't think that meeting was more than 10 minutes,” says the McAfee researcher.
Immediately, they divided their tasks for the NoMoreRansom project. Samani’s responsibility was to identify a company that would host the platform. “I’m good friends with AWS, and so I asked my buddies: Can you host something for us if I don’t want to pay for it?” he says. “And by the way, it’s probably going to be one of the most targeted websites in the world.”
Amazon Web Services’ executives were supportive. They asked Samani how many hits he expected this platform to get on a daily basis. He made a guess and said 12,000. “On day one, there were 2.4 million hits,” Samani says.
The NoMoreRansom project officially launched in July 2016, gathering accolades. “To me, it's a really wonderful example of how public-private partnerships should work,” says Samani. Four years on, the project had more than 100 partners: security companies and law enforcement agencies from across the world.
Yet, shortly after NoMoreRansom launched, the cybercriminal gangs regrouped. “They had to adapt their techniques to make people pay the ransom,” says Samani. “We were forcing them to innovate.”
Ransomware takes different shapes
Malware analyst Benoît Ancel, who works for CSIS Security Group in Denmark, saw how this whole process unfolded. He’s often reading forums where ransomware gangs exchange “best practices,” develop game plans, and talk about making a fat profit. He saw them innovate, echoing Samani.
These forums are highly collaborative, according to Ancel. Even competitors work together to create better schemes. “As long as they are making money, everybody is friends with everybody else,” Ancel says.
The cybercrime market is highly specialized. “There are people who know how to send spam, people who collect email addresses, there are developers, network engineers, people who cash out.” Each person gets their share when a ransomware operation is successful.
At some point, when cybercriminals noticed that fewer victims were paying the ransom, several threads on these forums debated the problem, says Ancel. Some groups came up with the idea of changing how ransomware works. Instead of encrypting a company’s files, they could steal them, and then threaten to post them online if a ransom is not paid. Hackers behind the Maze and REvil/Sodinokibi strains have used this tactic.
Ancel is afraid that ransomware gangs will increasingly target critical infrastructure, municipalities, and sectors such as healthcare that are vital to society. That is exactly what the actors behind the SamSam ransomware did. They attacked the city of Atlanta, Georgia, and several other municipalities, hospitals, and universities, looking for victims that would suffer the most and would therefore be more likely to pay the ransom. At the end of 2018, the Department of Justice indicted two Iranians believed to be behind these attacks, saying that they got $6 million in ransom payments while causing $30 million in losses to victims.
SamSam is hardly the only example. The Russian-speaking actors behind the Ryuk ransomware, which appeared in the second half of 2018, have also hit large organizations, governmental networks, and municipalities. The victims include schools in Rockville Centre, New York, as well as the cities of New Orleans (Louisiana), Riviera Beach and Lake City (Florida), Jackson County (Georgia), and LaPorte County (Indiana).
Ancel is also worried about the growth of ransomware-as-a-service in recent years. One notable name is GandCrab, discovered in 2018. It was created by a Russian-speaking group and, like the early Android malware Fusob, it checks the language of the machine. If it’s Russian or a language spoken in a former Soviet republic, it will not drop the malicious payload.
Cybercriminals are invited to join the operation, since GandCrab follows an affiliate business model, but they must agree to split their earnings with the core team of the project, which gets between 30% and 40%. This system made GandCrab popular. By the beginning of 2019, it had 40% of the ransomware market, according to Bitdefender, which estimated that there were 1.5 million victims around the world, both home users and organizations.
By May 2015, the cybercriminals behind this project announced they had made enough money and wanted to retire. They bragged about earning more than $2 billion in less than a year and a half. However, researchers at Secureworks saw many similarities between GandCrab and a new strain of ransomware called REvil or Sodinokibi, suggesting that maybe not everyone associated with GandCrab had retired.
Nation-state groups get into the ransomware act
Swimming in money is not the idea that powers every attack, says Ancel. He argues that ransomware is no longer ransomware as we know it, since some groups use it as a decoy.
WannaCry, for instance, which affected more than 230,000 computers in 150 countries in May 2017, was likely the work of a nation-state actor, North Korea. The malware used a leaked NSA tool, a Windows exploit named EternalBlue. When a computer was attacked, the victim was indeed asked for money: $300 in Bitcoin within three days, or $600 within seven days. Yet those orchestrating the operation didn’t strike it rich. They only made about $140,000, which prompted analysts to say two things: that WannaCry was meant to cause disruption, and that it could have been politically driven.
WannaCry was followed in June 2017 by NotPetya, which also relied on the EternalBlue exploit. It mostly targeted Ukraine, and was attributed to the Sandworm hacking group, which is part of the GRU, Russia's military intelligence organization.
Given all this, the lines between cybercriminals and nation-state actors are becoming blurred. Everyone learns new techniques and adopts new tools. “Ransomware attacks are becoming more targeted, sophisticated, and costly, even as the overall frequency of attacks remains consistent,” the FBI's Internet Crime Complaint Center wrote in a Public Service Announcement issued in November 2019.
Add all this up, and the future does not look promising, says Willems, the security researcher who still holds onto the AIDS floppy disk that changed his life. Ransomware, he says, will continue to hit us hard: “I'm 100% sure about that.”
“At some point, you'll be using a self-driving car. It’ll be hacked, there will be some demand for ransom, and you'll only have 10 minutes to pay it. If you don't pay, they will crash your car,” he says.
Thoughts about the destructive ransomware of the future have occupied his mind recently, so he started working on a science fiction novel set around 2035. In this not-so-distant future, in which NATO controls the internet and all our devices are online, ransomware takes center stage. Ovens can be switched on remotely to burn down our houses if we don’t pay the hackers, and our personal data could also be exposed to the public if we don’t comply with the demand.
“Well, this is not actually science fiction,” Willems says. “These are the trends we see more and more of.”