It used to be a rule that there were three main classes of cyber criminals playing in the malware world: clever technologists, lazy opportunists, and state-sponsored professionals. The first group found the vulnerabilities and created the exploits to attack high-value targets. The second group re-used the first group’s work to attack the low-level targets that the first group couldn’t be bothered with. And the third group … they weren’t in it for the money; that’s a whole different level of scary. Now, though, there seems to be a fourth group of cyber criminals rising to prominence that completely changes how we all think about (and defend against!) cybercrime: the consummate professionals.
On 19th July, SC Magazine UK’s Bradley Barth posted a jaw-dropping article about how security experts over at F-Secure went undercover as ransomware victims in order to – get this – evaluate different criminal organizations’ attitudes towards customer service. It turns out that some of the more successful organized criminal enterprises take the same approach to their “customers” (née victims) that you’d expect from a legitimate online business:
“Strange as it sounds, many ransomware companies strive for a positive, polished customer experience and an above-the-board reputation. It seems contradictory to their true nature, but it’s their strategy for encouraging user compliance and ensuring timely payments.”
When you think about it that way, it actually makes sense. The ransomware business is fairly lucrative – but only if the attacker can (a) encrypt the victim’s high-value content to where it can’t be easily recovered, and (b) convince the victim to pay up rather than accept the probable loss of said content. In many cases, Law Enforcement has advised ransomware victims to simply pay the criminals for the decryption key(s) rather than waste everyone’s time trying to recover, retaliate, or investigate.
With that sort of “we just can’t be bothered” attitude, a criminal enterprise that has a sterling reputation for cheerfully and thoughtfully helping their “customers” recovery from the attack action will almost certainly be paid off to go away as a routine response – thereby changing businesses’ perspective to treat them more like an annoying cost-of-doing-business than an existential threat.
On the one hand, you kind of have to admire the criminals’ smooth transition from being perceived as stealthy burglers to pseudo-legitimate businessmen. On the other hand, companies absolutely cannot get complacent about cyber crime. Just because some attackers are organized enough to make the recovery process less painful, it’s still a criminal endeavor! If an attacker managed to compromise a vulnerable node on your production network in order to encrypt a fileshare, then they also had the ability to exfiltrate that data … or corrupt it … or implant more malware in it … or all of the above. Take the threat seriously, and deploy the necessary preemptive countermeasures required to recover from a ransomeware attack without having to pay off the bad guy … no matter how suave and urbane the bad guy’s customer service department may be.