

Major Ransomware Services Busted

4 minute read | Last updated 28-Jan-2021 | Tags: Cybercrime, CBC

I spoke with Robyn Bresnahan on CBC Ottawa Morning on 29-Jan-2021 about this issue as part of a larger conversation that covered a couple of issues. Below is a summary of our chat about two larger cybercrime law enforcement actions.

What Happened?

Two big law enforcement operations, unrelated but within days of each other, both tackled major ransomware operations: first NetWalker and then Emotet.

Both of these operations were classified as “ransomware-as-a-service” and both have risen to prominence in the past couple of years, with Emotet starting in 2018 and NetWalker the year after.

Simply put, the technically savvy cybercriminals built out the infrastructure and exploits necessary to conduct a ransomware campaign. Then, instead of conducting that campaign themselves, they offer that infrastructure as a service to other cybercriminals for either a flat fee or a cut of the proceeds, usually 20-40%.

This not only reduces their risk by keeping them one step away from the actual crime, it also means they can scale much more quickly. It is a concrete example of how cybercrime has evolved into big business.

Raids were conducted around the world.

Operation “Lady Bird” involved authorities from Canada, Germany, France, the Netherlands, Lithuania, the United Kingdom, the United States, and Ukraine.

NetWalker was a smaller effort involving the United States, Canada, and Bulgaria.

Both operations resulted in the seizure of significant assets (millions of dollars in cryptocurrency and precious metals) and numerous arrests. These are important, but probably more important is that both operations removed the vast majority of these malware networks from the internet.

Big Business?

11.5 billion dollars was lost in 2019 to ransomware attacks. This was a 43% increase over 2018. Despite this, the volume of ransomware attacks was actually down.

This may seem contradictory, but it’s a sign that cybercriminals have gotten smarter about how they target their ransomware. When this crime first started to become widespread, the strategy was simple. Cybercriminals would infect any vulnerable system and demand a small ransom as quickly as possible. Whether the infected system belonged to a Fortune 500 company or an individual, the ransoms were the same…usually $300-500 USD paid in Bitcoin.

Since mid-2018, cybercriminals have changed how ransomware works. It is now a much more patient infection, spreading throughout the local network in order to infect as many systems as possible and to find the most valuable data.

That allows the cybercriminals to set higher ransoms. Knowing that they’ve encrypted a company’s financial information and customer records fetches a higher ransom that is more likely to be paid, compared to “capturing” the company lunch menu.

The downside for the cybercriminals? Not much.

Sadly, the riskiest part of this crime is the chance a victim won’t or can’t pay. And by “can’t” pay, I mean technically executing a payment through Bitcoin. That’s not something that many organizations or individuals deal with regularly.

Crime And Finally Punishment

Operation Lady Bird and the takedown of NetWalker resulted in the indictment of at least one individual in Canada and two in Ukraine, with more pending in other jurisdictions. Profits from these criminal ventures were also seized.

This has to happen more often. The risk of committing these types of crimes at this scale needs to be higher.

Unfortunately, we’re still a long way away from that.

Expect to see these “services” up and running again in the coming months. And if it’s not version 2.0 of NetWalker and Emotet, it’ll be something similar. There’s obviously plenty of demand, which means there will be supply soon enough.

More Reading