We don’t give in to blackmailers! Or do we?! – based on a lecture from György Kollár


Once the red screen appears, it’s already a lost cause – don’t even bother wasting time with it. Instead, let’s look at what is behind ransomware. Who is pulling the strings, and what is the business model of cyber enterprises specialised in online blackmail?

Let’s start by saying this is no joke: in the case of most ransomware attacks, there is indeed a professional customer service that victims who have run afoul of the blackmailers can call when faced with difficulties. One can easily imagine how such a phone call goes: the technical manager of the corporation, bank or state agency that suffered the attack listens to the cheerful jingle of the cybercrime agency for a few rings before being redirected to a kind and helpful administrator. Although the friendly tone somewhat eases the anxiety of the sweaty-palmed caller, they are still terrified: the data and IT systems entrusted to their care have become entirely unavailable due to the attack, and the ransom, which increases day after day, has by now reached an astronomical amount.

What is there to do in such cases? “We ask you to transfer the bitcoin amount to the appropriate account, and we will instantly provide you with the decryption key,” says the administrator. What happens if you contact the authorities? “Naturally, we understand if you do not wish to benefit from our services,” comes the kind reply, followed by a brief pause and the following: “yet in this case, I must inform you that within 24 hours, the copy of your data – including all the personal data, account information and passwords of your clients, as well as all the private messages of the management – will be sold to the highest bidder on a dark web marketplace.” This combination of encrypting the data and threatening to leak the stolen copy is what the industry calls double extortion.

Money or your life!

Sounds persuasive. Although precise figures are hard to come by given the nature of the subject, it is probably not far from the truth to assume that the ransom is paid in roughly half of all ransomware attacks. Naturally, as in all similar situations, there is no guarantee that the organisation will actually regain access to its data after paying – yet in 60-70 per cent of the cases that end in payment, the criminals make good on their promise. Interestingly, this rate increases year after year, so there are ever more cases in which the victim does receive the key that unlocks the system. What could be the reason for this? In short, it is in their identified business interest to earn the trust of their victims: the more well-known cases there are of people regaining access to their files after the transaction, the easier it will be to persuade the next victim to make a deal. This is nothing more than an odd form of trust between supplier and client. Two caveats belong here: even a genuine decryptor is often slow and error-prone on large file sets, and receiving the key does nothing about the copy of the data the attackers have already taken.

Reputation is so crucial for blackmailers that, in some well-documented cases, they took measures that were practically the equivalent of corporate social responsibility initiatives to boost their PR on the international scene. For example, there was a well-known case of ransomware infecting the systems of a non-profit organisation, demanding a fee of approximately 5000 dollars. The organisation called the ransomware customer service and explained that they were a non-profit organisation and could not produce 5000 dollars for such purposes at short notice. After some deliberation, the blackmailers said, “Fine, then make it 50 dollars.” So it goes to show that listening to the lovely jingle isn’t the only reason why it’s worth calling the customer service; you might be the one case cybercriminals will use to show the world how compassionate they can be.


Nowhere to run, nowhere to hide!

Now let’s look at what happens if you don’t pay the ransom. Well, as mentioned in the introduction: once the screen turns red, it’s already hopeless. Unfortunately, this is generally true, as most ransomware uses standard, correctly implemented cryptography: the files are typically encrypted with symmetric keys that are in turn protected with the attackers’ public key, so without that private key there is no way to brute-force the data back, with or without a quantum computer. Free decryption tools published by security vendors and law enforcement appear only when the authors made an implementation mistake (a reused or hard-coded key, a weak random number generator), so it is worth checking for one before paying, but nobody should count on it. Therefore this gate was locked before you ever had a chance to open it. Your only hope is a backup – kept offline or otherwise out of the attacker’s reach, and tested – from which, with a bit of luck, a version can be restored, allowing you to side-step the blackmailer.

However, before anyone is lulled into a false sense of security, let us stress: cybercriminals have thought of this too. Some ransomware operations deliberately stay quiet inside the victim’s systems for weeks or months before encrypting anything, precisely so that the malware, its persistence mechanisms and the attackers’ own access are captured in every backup taken during that period, and so that the attackers have time to locate, delete or encrypt the backups themselves. Then, as soon as the starting pistol is fired from the criminals’ command and control centre, the ransomware detonates and locks everyone out. When the desperate system administrator restores the latest backup, it turns out that the restored system has long been infected, and the cycle can simply start again. The practical lesson is that a restore must go back to a snapshot taken before the intrusion, that restored systems should be scanned or rebuilt rather than trusted as-is, and that at least one backup copy should be immutable or offline so that it cannot be touched from the compromised network.

Please come in, Mr Cyber Criminal!

But how does an application like this end up in even heavily protected corporate systems? Let’s start at the beginning of the process: a starry-eyed cyber businessman looks around the various dark web marketplaces and purchases a promising ransomware kit from a seller for some cold, hard bitcoin. Such tooling typically exploits vulnerabilities in widely used applications and operating systems: most often flaws that are already publicly known but that the victim has not yet patched, and occasionally a genuine zero-day, a flaw for which no fix exists yet. Once they have the ransomware, they have to get it into the targeted organisation. One might think this is the greatest challenge of the project. Still, the reality is far more humorous than that: according to a survey, all it takes is sending an average of 12 e-mails to company addresses for some employee to open the message and carelessly click the link that delivers the ransomware.

So what’s the moral of the story? Firstly and most importantly, one cannot overestimate the significance of user training and a security-conscious attitude. It is no exaggeration to say that a large share of breaches and infections begins with human carelessness: a company gains nothing from building a protection system the size of the Great Wall of China if its employees unsuspectingly let malicious code into the system. Apart from training and increased mindfulness, one measure can get you out of trouble with a bit of luck: keeping backups with a reliable cloud service provider that stores versioned, immutable copies and monitors them with a range of advanced tools. Be aware that a plain file-sync service is not such a backup: it will faithfully sync the encrypted versions of your files over the good ones. Naturally, even with such precautions, your data might already be secretly infected by ransomware. Yet, in such cases, there is still a chance that the service provider’s monitoring system will notice the activation of the infection – a sudden burst of file modifications, renamed files and unreadable content – giving you a head start.
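The pre-restore check that the backup discussion above argues for, as an added example that is not part of the lecture or of BlackBelt’s own tooling: it walks a backup snapshot and flags the traces an encryption run leaves behind, namely ransomware-style file extensions, ransom-note filenames, and text files whose content has become near-random. The indicator lists, the entropy threshold and the sample snapshot it builds in a temporary directory are assumptions constructed for illustration.

```python
"""Pre-restore triage of a backup snapshot for signs of ransomware.

Constructed example: walks a snapshot directory and flags the three
most common traces an encryption run leaves behind.
"""
import math
import random
import re
import tempfile
from collections import Counter
from pathlib import Path

# Assumed indicator lists for illustration; a real deployment would
# maintain these from current threat intelligence.
SUSPICIOUS_EXTENSIONS = {".locked", ".encrypted", ".crypt", ".crypted", ".enc"}
RANSOM_NOTE_PATTERN = re.compile(r"decrypt|ransom|restore.?files|recover.?files", re.I)
# File types that should be low-entropy text; near-random content here is suspicious.
TEXT_LIKE = {".txt", ".csv", ".log", ".xml", ".json", ".html", ".md"}
ENTROPY_THRESHOLD = 7.0   # bits per byte; English text sits around 4-5, ciphertext near 8
MIN_SAMPLE = 256          # skip tiny files where the entropy estimate is noisy


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty or single-valued input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def scan_snapshot(root, max_bytes: int = 65536):
    """Return [(relative_path, reason)] for every file that looks touched by ransomware."""
    root = Path(root)
    findings = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        suffixes = {s.lower() for s in path.suffixes}
        if suffixes & SUSPICIOUS_EXTENSIONS:
            findings.append((rel, "ransomware-style extension"))
            continue
        if RANSOM_NOTE_PATTERN.search(path.stem) and path.suffix.lower() in {".txt", ".html", ".hta"}:
            findings.append((rel, "possible ransom note"))
            continue
        if path.suffix.lower() in TEXT_LIKE:
            # Encrypted in place with the name untouched: only the content gives it away.
            with path.open("rb") as fh:
                head = fh.read(max_bytes)
            if len(head) >= MIN_SAMPLE:
                entropy = shannon_entropy(head)
                if entropy > ENTROPY_THRESHOLD:
                    findings.append((rel, f"high entropy ({entropy:.2f} bits/byte) in text-type file"))
    return findings


def snapshot_looks_clean(root) -> bool:
    """True only if no indicator was found; False means: do not restore this one, go further back."""
    return not scan_snapshot(root)


def build_demo_snapshot() -> str:
    """Constructed sample backup: one clean file and three traces of an encryption run."""
    root = tempfile.mkdtemp(prefix="snapshot-")
    rng = random.Random(1)  # seeded stand-in for ciphertext, so the demo is reproducible
    ciphertext = bytes(rng.randrange(256) for _ in range(4096))
    files = {
        "reports/q1-summary.txt": b"Quarterly summary: revenue up, costs stable, headcount flat.\n" * 20,
        "reports/q2-summary.txt.locked": ciphertext,   # renamed after encryption
        "notes/meeting.txt": ciphertext,               # encrypted in place, name untouched
        "HOW_TO_DECRYPT_FILES.txt": b"Your files are encrypted. Contact us to recover them.\n",
    }
    for rel, content in files.items():
        target = Path(root, rel)
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(content)
    return root


if __name__ == "__main__":
    snapshot = build_demo_snapshot()
    for rel, reason in scan_snapshot(snapshot):
        print(f"{rel}: {reason}")
    print("safe to restore" if snapshot_looks_clean(snapshot) else "do NOT restore this snapshot")
```

Run it against each snapshot in turn, newest first, and stop at the first one that comes back clean; a clean result is necessary but not sufficient, since an attacker’s persistence (scheduled tasks, rogue accounts) leaves no high-entropy files, so the restored system still needs a scan or a rebuild before it goes back on the network.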

Therefore, in summary, it is beneficial to be prepared for ransomware attacks, as the question is not whether you will encounter the infamous red screen but rather when this takes place.

Written by György Kollár, IT Security Engineer

2022-02-25



