
11:30 AM
Levi Gundert

Ransomware: Carding's Replacement for the Criminal Masses

Ransomware is not only here to stay, it's going to proliferate by orders of magnitude and cause substantial risk to businesses for the foreseeable future.

The digital souks, where actors buy, sell, and trade criminal goods and services, exist to facilitate anonymity and illicit revenue, and this underground information economy's most popular asset has historically been stolen credit cards. That is changing.

For over 15 years, manufacturing counterfeit payment cards was the quickest way to a large payday. A payment card's magnetic stripe is static data and was trivial to read and clone. Demand for new databases of stolen track data (known as "dumps" in the underground) surged and never let up.

The financial services industry answered with EMV (chip and PIN, or chip and signature). The chip authenticates each transaction with a cryptogram generated on the card, so copying the data a terminal reads does not yield a usable clone; criminals have not (yet) found a practical way to duplicate the chips embedded in new payment cards. Europe and Asia were the first to mandate compliance with the new payment card standard, but fraud opportunities persisted in the United States, which lagged behind.

Now the payment card industry is forcing American businesses toward EMV compliance. The previously lucrative criminal carding opportunities are disappearing, leaving criminal actors searching for new revenue channels. Ransomware is an enticing replacement, leading to a new de facto criminal commodity and associated revenue stream.

Outside of nation-state offensive cyber campaigns and their goal of persistent information advantage, the largest hands-on criminal intrusions of the past 15 years targeted payment card track data. A horde of willing buyers scooped up the latest stolen cards, often numbering in the millions of records. Buyers went shopping with physically cloned cards, quickly amassing small fortunes by reselling popular merchandise at 90% of retail value, often on auction websites.

[Figure] Historically, criminal data breaches are the product of hunting for payment card data. Image source: Recorded Future

Today, the cyber black market economy for credit cards is ending. Card-not-present (CNP) fraud, using stolen card numbers over the Internet or phone, will remain a lesser problem, but banks are employing recent technology advances to spot and deny CNP fraud much more quickly.

A vibrant market remains for financial malicious code (malware) destined for victims' computers and phones, but monetization of online bank accounts is neither quick nor simple, as defensive technology improvements have also made account takeovers less profitable than they once were.

Ransomware is the new answer to sustainable criminal profits for three reasons:

  • Ransomware provides a straightforward revenue mechanism.
  • Ransomed data may be far more valuable to the victim than payment card details.
  • Bitcoin gives ransom payments a workable degree of anonymity.

Ransomware is ideal for the online criminal masses because it's simple to purchase, relatively easy to use, and it quickly and directly produces victim payments.

The recent WannaCry ransomware outbreak illustrates the types of data that are far more important than payment card details. When businesses (e.g., hospitals) are victimized by ransomware and backups are unavailable, the decision to pay the ransom becomes binary: pay the ransom and, if the criminals honor it, recover the data, or lose the data.

Criminals love the simplicity of the ransomware business model. No middlemen, no cash-out chain, no fencing of goods; the victim simply makes a decision. Victims are paying.

In the past, criminals used e-payment systems like e-gold and Liberty Reserve to send and receive payments for the tools and cash-out services needed to ply their trade. The indictments of both companies' founders and the advent of Bitcoin eventually shifted the underground economy to the point where the vast majority of transactions now take place in Bitcoin.

Bitcoin payments are not impossible for researchers and law enforcement to track: every transaction sits on a public ledger. But addresses are pseudonymous, and a criminal actor who understands how to obfuscate payments (fresh addresses per victim, mixing services, hops through exchanges) makes attribution difficult.

What's Next?
The recent explosion of ransomware families corresponds with declining opportunities to monetize stolen credit cards in the developed world. WannaCry is an unusual event, driven by the weaponization of a "one-day" vulnerability (the SMBv1 flaw Microsoft fixed in MS17-010) and a corresponding sophisticated exploit, EternalBlue, that had been published a month earlier.

However, ransomware business models continue to evolve, and future data breaches may automatically be accompanied by ransomware. Criminals quickly notice models that work, and ransomware as a service (RaaS) has proven itself particularly effective.

[Figure] Surging interest in ransomware is leading to an explosion of ransomware families. Image source: Recorded Future

Criminal specializations in spam, phishing, drive-by exploit kits (including watering-hole attacks), adware/spyware (potentially unwanted programs, or PUPs), malvertising, Web server exploitation, and stolen credential reuse are all likely to grow as criminal actors refine the RaaS model toward a single goal: delivering ransomware to the maximum number of victims and increasing profitability.

Based on the underground economy's history, the early success of ransomware is an incentive toward further innovation. Mobile operating systems like Android and the ARM-based processors that power much of the Internet of Things are logical future targets for ransomware developers. The main challenge will be delivering the ransom note and payment details after infecting devices such as ovens and washing machines, but Internet-connected televisions and voice assistants such as Amazon's Echo may become the channel for spoken ransom notices on behalf of devices lacking a display.

Criminal adoption of ransomware is currently at an inflection point. Until a viable methodology for cloning chipped credit cards (or a practical strategy for subverting EMV point-of-sale terminals) becomes achievable for the criminal masses, ransomware is not only here to stay, it's going to proliferate by orders of magnitude and cause substantial risk to businesses for the foreseeable future.

Of course, the present information security situation isn't all gloom. The 20-year-old advice of patching promptly and disabling unnecessary Windows features and services (e.g., SMBv1) is sufficient to defend against WannaCry. Yet standard defense-in-depth controls have proven incapable of removing the risk posed by the conventional criminal threats described above. To properly assess risk, especially from ransomware, businesses need relevant and sustainable threat intelligence: the kind that improves business decisions and operational security.
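The two WannaCry controls named above, the MS17-010 patch and SMBv1 switched off, are easy to state and easy to leave unverified. The script below is an added example, not code from the article or from Recorded Future: run from an elevated PowerShell 5.1 session, it reports whether SMBv1 is still enabled on the host, whether one of the expected MS17-010 hotfixes is installed, and, with -Remediate, disables SMBv1. The SMB cmdlets exist only on Windows 8/Server 2012 and later, so on older hosts it falls back to the LanmanServer registry value Microsoft documents for the same purpose. The default KB numbers are an assumption: they are the March 2017 MS17-010 updates for Windows 7 SP1 and Server 2008 R2, and other builds received the fix under other KBs, so pass the right list for your estate.

```powershell
# Added example (not the article's code): audit and optionally remediate the two
# WannaCry controls on a single Windows host. Requires an elevated PowerShell 5.1 session.
# ASSUMPTION: the default KB list is the MS17-010 release for Windows 7 SP1 / Server
# 2008 R2 only; supply -Ms17010Kbs for other builds after checking the bulletin.
param(
    [switch]$Remediate,
    [string[]]$Ms17010Kbs = @('KB4012212', 'KB4012215')
)

$LanmanParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Get-Smb1State {
    # Server side: is the SMB1 protocol still served? Newer builds expose a cmdlet;
    # Windows 7 / 2008 R2 do not, and there a missing SMB1 registry value means "enabled".
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        $serverEnabled = (Get-SmbServerConfiguration).EnableSMB1Protocol
    } else {
        $v = Get-ItemProperty -Path $LanmanParams -Name SMB1 -ErrorAction SilentlyContinue
        $serverEnabled = ($null -eq $v) -or ($v.SMB1 -ne 0)
    }
    # Component side: is the optional SMB1 feature installed at all? (8.1 / 2012 R2 and later.)
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    $featureState = 'n/a'
    if ($feature) { $featureState = [string]$feature.State }
    [pscustomobject]@{
        ServerEnabled = [bool]$serverEnabled
        FeatureState  = $featureState
    }
}

function Test-Ms17010Installed {
    param([string[]]$Kbs)
    # Any one of the listed hotfixes carries the SMBv1 fix for the build it targets.
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    foreach ($kb in $Kbs) {
        if ($installed -contains $kb) { return $true }
    }
    return $false
}

function Disable-Smb1 {
    # Turn the protocol off at the server and remove the component where it exists.
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        Set-ItemProperty -Path $LanmanParams -Name SMB1 -Value 0 -Type DWord
    }
    if (Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue) {
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
    }
}

$smb1    = Get-Smb1State
$patched = Test-Ms17010Installed -Kbs $Ms17010Kbs

Write-Output ("SMBv1 served by host : {0}" -f $smb1.ServerEnabled)
Write-Output ("SMBv1 feature state  : {0}" -f $smb1.FeatureState)
Write-Output ("MS17-010 KB present  : {0}" -f $patched)

if ($smb1.ServerEnabled -or $smb1.FeatureState -eq 'Enabled') {
    if ($Remediate) {
        Disable-Smb1
        Write-Output 'SMBv1 disabled; a reboot completes the removal.'
    } else {
        Write-Warning 'SMBv1 is still enabled; rerun with -Remediate to disable it.'
    }
}
if (-not $patched) {
    Write-Warning 'None of the expected MS17-010 hotfixes is installed; check the bulletin for this build and patch.'
}
```

Run it read-only first across a sample of hosts (for example through Invoke-Command) and only then with -Remediate; disabling SMBv1 breaks genuinely old clients and printers that still depend on it, which is exactly the inventory a defender wants surfaced before an outbreak does it for them.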


Levi Gundert is the vice president of intelligence and risk at Recorded Future where he leads the continuous effort to measurably decrease operational risk for customers. Levi has spent the past 20 years in both government and the private sector, defending networks, ...