Expert Warns: Don’t Trust Ransomware Groups Amid Pandemic

Published at: April 16, 2020

A cybersecurity expert explained why he is convinced that the promises made by ransomware groups amid the pandemic are irrelevant.

Brett Callow — threat analyst at cybersecurity firm Emsisoft — told Cointelegraph that multiple ransomware groups recently made promises to halt their activity against medical organizations amid the coronavirus pandemic. Still, he believes that those promises are irrelevant:

“The claims of a ceasefire made by ransomware groups are irrelevant [and] should be completely disregarded. Would you leave your front door unlocked simply because the local burglars had pinky-promised not to rob you? Probably not. The story of the frog and the scorpion comes to mind.”

Empty promises by ransomware groups

In mid-March, cybersecurity news outlet BleepingComputer reported that it had contacted a number of ransomware groups. At that time, some of them promised not to attack health and medical organizations during the ongoing pandemic. This is in line with Callow’s comment:

“Claims made by ransomware groups should be taken with a grain of salt. They’ve put lives at risk by attacking hospitals in the past, and it would be a mistake to assume that they would hesitate in doing so now.”

It is worth pointing out that, shortly after making the promise, black hat hacker group Maze infected the infrastructure of a firm researching the coronavirus with ransomware. As Cointelegraph reported yesterday, a recent report also suggests that, despite the promises and a decrease in global ransomware attacks, hospitals are still being attacked. Because these promises are unreliable, Callow advises media outlets to avoid covering them:

“Personally, I do not think the press should repeat claims made by ransomware groups as there is really no point or benefit in doing so. The details that the criminals choose to release will be cherry-picked and only information that they want to be in the public domain - probably because they believe it will help their cause in some way. [...] The press should avoid portraying ransomware groups as being in any way Robin Hood-like or repeating claims that assist them.”

The cybercriminal groups behind ransomware attacks are highly organized and — according to Callow — in many ways resemble legitimate companies. He explained:

“Ransomware groups operate like legitimate businesses in a number of ways. They adopt strategies that have been proven to work by other groups. [...] They test price sensitivity in order to determine the optimal ransom demand. They try to make it easy as possible for ‘customers’ to ‘purchase’ their product, which is why Bitcoin, the most widely known and stockpiled cryptocurrency, is their currency of choice.”

Ransomware is a constantly evolving threat

Ransomware is widely believed to be one of the biggest cybersecurity threats in the world. This kind of malware is rapidly evolving in ways that continue to make it even more dangerous. Callow pointed out one such change:

“The biggest changes in the ransomware world have been the transition from encryption-only attacks to encryption [and] exfiltration attacks and, more recently, the weaponization of exfiltrated data. Ransomware groups no longer simply publish their victims’ data; they threaten to sell it to competitors, expose ‘dirty secrets’ and use it to attack companies’ customers and business partners.”

Recently, the ransomware group behind the Sodinokibi malware announced its upcoming switch from Bitcoin (BTC) to Monero (XMR) to prevent tracking by law enforcement. Callow pointed out that this may be the start of a new trend among cybercrime organizations that specialize in ransomware:

“While there are some instances of demands being made in alternative currencies, this will be the first time that a major ransomware group has settled on a currency other than Bitcoin. Like other businesses, criminal enterprises adopt strategies that have been proven to work and, accordingly, if this switch proves successful for REvil, we’d expect to see other groups begin to experiment with demands in currencies other than bitcoin.”
