Malicious Life Podcast: Hell to Pay: Ransomware, Part II Transcript
Hello and welcome to Malicious Life.
In the previous episode, we discussed the roots of the Ransomware phenomena: malicious software that prevent the user from accessing the files on their computer, and demands ransom in order to release those files. We also discussed the two big challenges cyber-criminals face: devising effective encryption that is hard to crack, and figuring out a monetization strategy that keeps the criminal anonymous and doesn’t allow the victim to cancel the payment or get a refund.
In September 2013, a new ransomware was discovered, named CryptoLocker. CryptoLocker would seek out a specific type of files – for example, Excel and Word files, pictures, and videos – encrypt them, and then pop up a threatening message on the computer’s screen: pay $300 or all your files will be deleted forever. A timer at the corner of the screen would start counting down 72 hours.
Now, Information security experts had already encountered ransomware in the years prior to CryptoLocker, so the threat it presented to the users wasn’t new. What was new was one of the payment options that the ransomware offered its victims- BitCoin.
BitCoin, first created in 2009, is a virtual cryptographic currency. That means it is a currency that exists only in the virtual world and is based on encryption algorithms. BitCoin has a few fascinating characteristics that differentiate it from traditional currencies such as the Dollar and the Euro, which are also usable online- but the characteristic most relevant to us is that BitCoin, among all other recognizable currencies, is the closest thing to cash. Yossi Na’ar, Chief Visionary Officer at Cybereason, explains:
“The concept of privacy and the concept of anonymity on the internet is, I think, a very fundamental thing for a lot of people from the old school. People who considered the internet to be a place where absolute freedom can be practiced, absolute freedom of expression – this doesn’t necessarily mean that they were intended to support these criminal activities. But they make them feasible. The idea of cryptocurrency is the same. It comes from the same, I don’t know, anarchist idea that, I don’t know if money is an anarchistic concept, but it comes from this idea that no government should control this thing. That there needs to be a thing where all the transaction histories are traceable, and the actual people who are using this money are not traceable. So kind of like the ultimate version of cash money that can be used anywhere. In the same sense that you shouldn’t know who I’m talking to or what it is I’m trying to look for online.”
“So the idea for ransomware is pretty ancient like almost 30 years. But only in the past three years, criminals are able to really get money from their endeavours.”
And here is Uri Sternfeld, a senior investigator at Cybereason, and expert on Ransomware:
“The reason for that is simple. BitCoin. Bitcoin is a phenomenon, not the bit currency itself. I mean there are tons of other virtual currencies which have no central authority. But the idea of Bitcoin, which was arguable at first, is that it’s untraceable and irrevocable. You can’t cancel it after you pay. It’s simply not possible. It’s by design. Unlike credit cards which have a central authority which can cancel cards, and they even have insurance against stolen cards because thousands of credit cards are still being stolen every day. Bitcoin is pure money that is being transferred to criminals, and it can’t be taken back or traced.”
“Ransomware is just easy, it’s – I mean, like any kind of ransom. Ransom is not a very sophisticated crime, you know? Abducting someone and then asking their family for money is not a particularly sophisticated crime. It doesn’t require too much planning, it’s easy to execute. It’s maybe dangerous like a lot of criminal activity, but orchestrated in the right way – or the wrong way- the odds of being captured are relative low. Now, the real reason that ransomware became possible is cryptocurrency. I think without cryptocurrency there wouldn’t be ransomware. Because the ability to extract payment for ransomware would be impossible in an untraceable way. But because cryptocurrency is untraceable, and because you can transfer it without requiring banking services or a banking account or, you know, anybody can set up a bitcoin wallet as it takes seconds, it enabled the payment side of things. And this makes for a crime with no consequence.”
“So CryptoLocker is arguably the first modern ransomware. It appeared out of nowhere. It was the first one to combine the old idea of ransomware to the new idea of bitcoin. So 2013 was the year that marked the rise of ransomware.”
According to different estimations, Cryptolocker overtook roughly a quarter of a million computers around the world, and earned its creators an estimated 27 million U.S. dollars worth of BitCoins, making it the most successful ransomware in history up to that point. BitCoin allowed the criminals to solve the problem of monetizing their Ransomware.
The file encryption algorithm was impeccable and uncrackable. Spreading the malware via Email was also highly effective: the emails containing the infected file were designed in a way that would appear as though they came from clients of the recipient, or from respectable establishments. It was obvious that whoever created CryptoLocker knew what they were doing. CryptoLocker was clearly created by professionals, and not by teens looking to have some fun with malware in their spare time, or criminals looking for quick cash.
Uri Sternfeld:
“At first it was a very minor threat. You can measure the effect of ransomware in two ways, the amount of money they’re making, and the amount of damage they cause. The amount of damage they cause is usually tenfold because first of all not everybody pay. Some decide to use backups and some because of principles, some because they have a valid backup. Even if they do pay then it still causes damage, I mean, lost revenue, lost reputation, lost business time.”
Naturally, CryptoLocker’s great success and the huge damage it created attracted the attention of information security companies and law enforcement agencies. The ransomware itself didn’t contain any hints regarding the identity of its creators, but investigators did have a lead in the way that the ransomware was distributed online.
The name Slavik has been known to information security people since 2006 at least. Slavik is the nickname of a programmer who created one of the most infamous malwares: Zeus. This was a very sophisticated and stealthy malware used mainly for breaking into bank accounts. Slavik, and a gang of Russian-Ukrainian criminals who were cooperating with him, broke into the accounts of dozens of companies and organizations and stole tens of millions of dollars from them. In 2010, the FBI was able to put its hands on some of Slavik’s partners in crime and stop the gang’s criminal activity in the US, but Slavik himself was never caught, and his true identity remained a mystery.
Slavik went into hiding. In “underworld” forums, he declared his retirement and even sold the code to Zeus to another criminal. No one heard anything from him for some months, but his ‘retirement’ turned out to be a bluff. In 2011, a new malware was discovered, which was a better, more sophisticated version of Zeus. The name given to it was GameOver Zeus. Like Zeus, GameOver Zeus had taken over millions of computers throughout the world and turned them into “zombies” in a BotNet. It was clear that Slavik did not only not retire, but also improved his methods: a new wave of hacking hit big companies and financial organizations, with damages estimated at tens of millions of dollars.
In 2013, a Dutch company called Fox IT was able to lay its hands on a server that was used by Slavik, and the information extracted from it provided the investigators with a rare insight into the evil empire that this slippery criminal established. The gang Slavik gathered around himself contained 50 seasoned and experienced cyber-criminals, each of them specializing in a different aspect of the “trade”: some were responsible for hacking into bank accounts, others managed the transfer of funds throughout the world, and others the technical aspects of running the GameOver Zeus BotNet. The gang, led by Slavik of course, called itself The Business Club, and operated accordingly: transcriptions of the chats conducted between the gang members, exposed on the server, showed that the criminal activity was run in an organized and professional manner, just like a regular company.
Gaining control of the server produced one more meaningful item- an email address used by Slavik. The Fox IT investigators scanned social media and found a profile attached to this address. It was the missing piece of the puzzle, which exposed Slavik’s true identity. Slavik’s real name was Evgeniy Mikhailovich Bogachev, a man in his mid 30s, living in Anapa, a tourist town by the Black Sea. The pictures he posted to his profile – standing next to a fleet of luxury cars and sailing on yachts – hint that his criminal career paid off. There was also some evidence to suggest that Bogachev was working for the Russian intelligence service, at least part time.
But it would appear that Bogachev’s intelligence career and the money he earned from hacking into so many bank accounts were not enough for him: when CryptoLocker appeared in 2013, investigators discovered a direct connection between it and Bogachev’s organization. CryptoLocker was distributed in two ways simultaneously: one was through malicious mail attachments posing as innocent PDF files. The other was through GameOver Zeus, which installed the ransomware on computers it infected. Since GameOver Zeus was under the complete control of Bogachev and his men, it was clear that Bogachev was also responsible for the new ransomware- or at least was working in full cooperation with its creators. This fact created a rare opportunity for law enforcement authorities: if they could take over the GameOver Zeus BotNet and bring down Bogachev’s Business Club, they could also take down CryptoLocker. Two birds, one stone.
The FBI began planning an operation to take down GameOver Zeus’s BotNet: an operation nicknamed Operation Tovar. No one doubted that this would be one of the most complex and difficult cyber operations ever attempted. The Business Club’s tentacles spanned almost every corner of the globe: the crime organization’s nerve center was located in Russia and Ukraine, but it had servers and cooperatives in the USA and many European countries- not to mention the millions of computers all over the world infected with GameOver Zeus. FBI agents created ties and collaborations with organizations, law enforcement agencies, and information security companies all over the world: Europol, UK National Crime Agency, Dell, Microsoft, Symantec, The Australian Federal Police, and many others. The goal was clear- to simultaneously strike Bogachev’s organization on multiple fronts and to knock it out before it had a chance to recover.
The additional challenge in operation Tovar was a technological one: taking control of the millions of computers infected with GameOver Zeus. The goal here was to wrestle control over the BotNet from Bogachev’s hands- something that would practically sever the tentacles of this crime-octopus. It was no simple matter: a special team from Microsoft tried to take over GameOver Zeus in 2012, and failed. Several American and German information security experts tried again in the beginning of 2013. They were able to take command of 99% of the computers on the BotNet, but the remaining 1% was all Bogachev needed in order to foil their plans and take back control of the entire network.
What made GameOver Zeus’s BotNet so resistant to attempts by law enforcement agencies to overtake it? The reason had to do with the clever control scheme that Bogachev created for his BotNet. In other, less sophisticated BotNets, communication with the computers was made through one server, or a small number of servers called C&C (Command and Control) Servers. A C&C server is like an orchestra conductor, responsible for coordination between the various players: The Botmaster gives his orders to the C&C server, which in turn relays them to the rest of the bots. Working with a single C&C server (or a small amount of them), instead of with thousands of individual bots, makes the Botmaster’s life easier, and allows him to manage the network efficiently. Having said that, the C&C server also poses a great risk for the Botmaster by being a single point of failure: if law enforcement authorities manage to get their hands on the server, they can, in fact, prevent the Botmaster from accessing his own BotNet.
Bogachev was aware of this potential single point of failure, and designed GameOver Zeus’s BotNet accordingly. First, the computers in GameOver Zeus’ BotNet were able to communicate and receive commands not only from the C&C server but also from other bots inside the network, a configuration called a Peer to Peer Network. To continue the last analogy, this kind of communication allows the members of the orchestra to communicate and play together with a certain level of coordination, in case the conductor was unavailable. This ability gave the Botmaster an alternative channel of communication with the infected computers, in case the C&C server was not under his control. This mechanism was the reason why the second takeover attempt failed: despite the fact that 99% of the computers on Bogachev’s network were under the control of the investigators, he used the communication between the bots themselves to “push” an updated version of GameOver Zeus into the infected computers, which brought control back to him.
Despite the advantages of peer to peer communication, it cannot completely replace the role of C&C servers: the direct control that C&C servers provide is much more efficient and practical than the indirect control of peer to peer communication. Bogachev still required a C&C server, but without it becoming a potential single point of failure for the entire network.
For that reason, Bogachev implemented in GameOver Zeus a clever idea called DGA, or Domain Generation Algorithm. The DGA mechanism generates a new URL address every few minutes, to which the infected computers go to when searching for the C&C server. The infected computer reaches out to the C&C server via that URL, and If it doesn’t get a response, it waits a few minutes and then tries again with a newly generated address. Think of an orchestra whose conductor disappears, and all the players, in unison, lift their gaze to the crowd, to one specific seat, where an alternative conductor rises on his feet and begins conducting the score. If the alternative conductor isn’t there, the players divert their eyes to a different seat, and then a different one and so on – until they find a willing conductor.
Uri Sternfeld explains the advantages that the DGA technology gives the Botmaster in his battle against law enforcement authorities attempting to take over his BotNet:
“The Zeus and Cryptolocker used I think thousand domains per day based on the current date. So if you have the same algorithm as the malware then each day you only have to register a single domain out of the thousand and you’ll be able to communicate with all the tools out there. The next day, you simply have to register a new domain. If one of them is taken down, then you don’t really care. You simply register another and the domain names since they are randomly generated they usually cost very little and they are always available. So like we’ve said $10 per domain you can probably get the entire operation going with less than $4000 per year which is nothing. It is very difficult to mitigate because if you think about it, not only is it difficult to protect against hundreds of thousands of domains. I mean Cryptolocker alone generated more than 350,000 domains per year, and most firewall appliances aren’t really meant to be able to work with so many domains.”
The FBI was aware of this ability that GameOver Zeus had. The solution found by investigators may have been the simplest one possible: they bought every ticket available to the concert.
“What they decided to do was they reversed the algorithm of Cryptolocker and they relied on the current date and they pre-generated a 180,000 domains for the next six months. They went to the Supreme Court of the United States, and they demanded that it instructs the relevant internet companies to pre-register these domains and sort of divert all traffic to a specially-crafted sinkhole that the FBI set in order to know who the victims are. It was a really long and arduous effort. You can actually get the older forms they submitted to the Supreme Court online including the PDF appendix of the 180,000 domains which I can imagine they printed and somewhat used the wheelbarrow to bring it into the judge who went over them one by one.”
After many months of hard work and preparation, all forces were ready for deployment. A moment of anxiety occurred when McAfee, one of the partners in this effort, accidentally posted ahead of time on its blog about the operation against GameOver Zeus. The post was deleted swiftly, but there was fear that Bogachev and his partners may have found out about the operation and would be able to defend against it. Luckily, this wasn’t the case. In early June 2014, authorities in several countries simultaneously seized servers owned by Bogachev’s gang, and at the same time, information security experts took control of GameOver Zeus’s bots.
Evgeniy Bogachev, apparently from his home by the Black Sea, tried to fight the investigators and to maintain his control over the BotNet – but lost. Operation Tovar, with its magnitude of international collaborations and the immense amount of resources invested in it, was too big for him. In his distress, he attempted to at least protect his biggest asset: the database containing the encryption keys of all the computers infected with CryptoLocker, the secret keys that would allow him to continue to extort ransoms from his victims. He tried extracting the database from one of the servers before the authorities could lay their hands on it, but he failed there, too. Information security experts identified the attempt to extract the database from the server and intercepted it.
GameOver Zeus and CryptoLocker were defeated. Bogachev’s Business Club took a bad hit and information security experts created a website where CryptoLocker victims could find their encryption key from the seized database and free their locked files. Evgeniy Bogachev is still walking around free in Russia, but the FBI has gathered enough evidence against him to post a $3 million bounty on his head, as reward for whoever turns in this elusive criminal.
But operation Tovar, as successful as it was, didn’t deter the criminals. Quite the contrary: CryptoLocker’s success marked the right way, as far as the criminals are concerned, for a successful implementation of a ransomware campaign.
“Eventually they managed to apprehend the people behind Cryptolocker and they confiscated their servers and they decrypted files and everyone was happy. The problem was solved forever, except it wasn’t because I think a few weeks later a new and improved ransomware appeared written by other people. I think it was called CryptoWall. CryptoWall, today, is already extinct because the evolution is so quick. Other big names around the world: Server, Lucky, Teslacrypt. My guess is by the end of 2017 there will be others. So I can think about it like a head of a hydra. You cut one off but two sprouting instead. So obviously the FBI solution is not efficient enough. I mean, the amount of effort they invested in taking down a single criminal organization is mind-boggling and they required cooperation all around the world.”
Ever since CryptoLocker, there has been a dramatic increase in the number of ransomwares. In fact, in the third quarter of 2016 alone, the number of ransomware was 11 times greater compared to even the first quarter of the same year. The ransomwares themselves became more sophisticated: the encryption improved, and they operated on a wider range of platforms- including mobile. Just like in the cases of Spam and DDoS, here too a flourishing criminal industry was developed.
“It’s sort of like a business, an affiliate program. It’s called ransomware as a service where you can participate and you either supply the ransomware that you are using and get it obfuscated each and every time. Or, you don’t write any code at all. You’re just a distributor. For example, you are a criminal in a remote country and you have access to methods of distribution for example, maybe you control a local ISP or other methods. So you approach the people who actually wrote the ransomware and you agree to distribute their ransomware in exchange to dividing the loot. That really streamlines the operation. I mean it’s sort of an industry now. Each part focuses on what they’re good at. If I can write a very solid encryption program doesn’t necessarily mean that I can effectively distribute it around the world. Maybe I need someone with that skill. “
Israel Barak is Chief Information Officer at Cybereason, and has spent the last few years studying cyber-criminal organizations. Israel claims that when it comes to talent, crime organizations have a wide array of candidates to choose from.
“[Israel] So, one of the trends that we’re seeing in sophisticated cybercrime organizations is the migration of talent, human talent from nation state actors and certain geographies into cybercrime organizations. So especially when you look at geographies like the Russia, Eastern Europe, and China, you see situations where cybercrime organizations actually ramp up their activities, ramp up the sophistication of their operation based on talent that they acquire from nation state organizations.
At the end of the day, they’re basically able to pay a lot more to those guys than their government employers. It can sometimes be 10 or 100 times more than those guys make with those government employers when they move to work for those crime organizations.
[Ran]: Cyber crook is not the kind of a dumb gangster type we used to deal with maybe in the early phases of cybercrime but more of a high tech developer/engineer who it’s his job, it’s his job do things.
[Israel] Exactly. In a recent year, you can see more and more nation state hacking activity patterns adopted by cybercrime operations. And that’s not a coincidence. This happens because the people that established and worked by those standards and operation procedures are actually now working for those cybercrime operations. And we’ll continue to see this talent transition and migration because those government nation state actors are nurturing and building more and more of those people to support their on-going and scale up of their own operation. But at the end of the day, those people leave their jobs working for the government. And a lot of them end up working especially in certain geographies, working for cybercrime operations. Those people are especially susceptible to outreaches from those cybercrime operations. In many cases, it’s extremely tempting. And in many cases, the cybercrime isn’t being presented as you’re going to do cybercrime. They’re going to work in an R & D shop or they’re going to work in some sort of – it’s an interesting way in which they initially position or pitch this to those people. But those people don’t necessarily migrate based on the understanding that they’re going to do organized cybercrime. But it becomes clearer and clearer as they get more and more involved in the operation. But again, the financial compensation is something that draws them into it.”
What does the future hold for ransomwares? The main trend in recent years is a shift from attacks against ordinary users to attacking organizations: from hospitals to commercial businesses. Uri Sternfeld believes this trend will continue.
“[Uri] So far we talked about mainly about B to C, about the regular people which are being affected by ransomware. Usually they are the least protected, they don’t have backups. But the ransom amount is also pretty small. It ranges from a $100 to a $1000 in bitcoin. The reason for that is simple because their value is mainly sentimental. While I might be willing to pay $200 for my entire picture collection $20,000 is probably too much.
[Ran] It’s not worth that much.
[Uri] Yes, I’m not that photogenic. But for businesses the consideration is different. First of all, it’s a decision based on profit and loss. I mean, if they have back up then they have to consider how much is lost. If you do the back up each day, then you’re probably okay. If you do it each week then you basically lost all the work done in that week. Is that worth more or less to you than the recent? So of course that’s the way of thinking for businesses. The way of thinking for ransomware authors who attack businesses is of course they can charge a much larger amount first of all because the businesses have much more to lose. Second, because they usually infect many different machines inside the organizations if they manage to reach the file server or the database server then they’re golden.
It got to the point that some organizations they started accumulating bitcoin for the inevitable case when they equipped, if it’s when they’re infected with ransomware so that when they’re infected they can immediately pay the ransom and get everything going as fast as they can.”
Other than the business environment, it is likely that in the coming years, we will see ransomwares invading new technological domains, such as wearable technology and internet of things. Stephen Cobb from ESET, who we’ve met in previous episodes, sketches for us a pretty scary scenario named Jackware, which once would have seemed as though it’s taken out of a science fiction film, but today doesn’t seem so farfetched.
“[Stephen] And Jackware is applying ransomware techniques to the internet of things. And a specific example that came to mind after the very public hacking of a Jeep that was done by Wired Magazine was if you apply ransomware to a vehicle. So you go out in the morning. You click on your remote opener to open the car and you get a text message on your phone saying your car has been locked unless you pay so many bitcoin, you can’t use of your car.
And then the step beyond that is you get in a self-driving car and you tell it where you want to go and it comes up with the ransomware message saying, “Well, I’m sorry. But unless you pay so many BitCoin, I’m not going to take you where you go.” And the nightmare-nightmare scenario is you put your children in a self-driving car and tell it to go to music lessons and it drives off with your kids and it has been taken over by ransomware.
[Ran] Yeah, that’s a very frightening future that you’ve just described there. As a father of three kids …
[Stephen] To put this in context, I’ve been at meetings in Washington the last few days and I would not even say which agency this official was from. But somebody on stage said, “Maybe we’re not going to wake up to this problem until your self-driving car gets driven off the road a malicious code.”
So people are thinking about the possibility. And really, I want to use it to – and just to be clear, I know there are a lot of people in the automotive industry really, really working hard on this problem. And one of the saving graces maybe of the new technology in the vehicle space is that you have new generation vehicle companies. So if you look at something like a Tesla, that thing is designed to be securely-coded and securely-updated from the get go. Traditional cars where we’re bolting on digital systems have more issues around patching and things like that.
So I don’t want to scare people necessarily. There are serious, serious computer scientists working making digital automotive systems secure. But the future we face if we don’t do that is kind of scary.”
In the past 6 episodes, we’ve attempted to sketch out for you a fuller picture of the processes and changes that occurred in the world of cyber-crime in the past 40 years. Computer viruses began as semi-mythological monsters whose very existence was doubted even by computer experts – but with the of the personal computer into our personal and business lives, they have become part of our everyday reality. The first virus writers were, almost every last one, bored youngsters who used computer viruses as a virtual alternative to graffiti: Some wrote viruses for fun, some for the challenge, and others, like the Dark Avenger from Bulgaria, used it to channel their angers and frustrations.
The rise of the internet morphed viruses from toys to tools. In a matter of just a few years, criminals and crime organizations replaced the bored youngsters, and the world of computerized crime became more diverse and complex, but at the same time more organized. the burden of developing malwares, distributing, and operating them, was now shared by a larger amount of people, each an expert in his field, and offering his talents and services for money. Computerized crime became a commodity.
Ransomware is the current peak of this professionalization process in computerized crime, but it certainly isn’t its end. Like any other type of technological crime, ransomware will become less popular as soon as security companies and users learn, naturally, to better deal with this threat. When that happens, it is likely that we will discover a new threat beyond the horizon.
**
This concludes the first season of Malicious Life – Thank you for listening, and we hope you’ll join us for the upcoming seasons of Malicious Life, where we will discuss many other aspects of computerized crime: starting from cyber warfare waged by nation states and the threat that it poses to the stability of the modern world, all the way to the tools and technologies used by security experts in order to combat these new threats. Visit Malicious-DOT-Life to subscribe to our podcast, and If you like the show, leave us a 5 star review on iTunes and we’ll send you a Malicious Life t-shirt. That’s Malicious-DOT-Life. Malicious Life is produced by P.I.Media. Thanks again to Cybereason for underwriting the podcast. Learn more at Cybereason.com. Bye Bye.
