Levi Gundert

Ransomware: Carding's Replacement for the Criminal Masses

Ransomware is not only here to stay, it's going to proliferate by orders of magnitude and cause substantial risk to businesses for the foreseeable future.

The digital souks, where actors buy, sell, and trade criminal goods and services, exist to facilitate anonymity and illicit revenue, and this underground information economy's most popular asset has historically been stolen credit cards. That is changing.

For over 15 years, creating spurious credit cards was the quickest way to a large payday. A payment card's magnetic stripe was easy to clone. Demand for new databases of stolen track data (known as "dumps" in the underground) surged, and never let up.

The financial services industry answered with EMV (chip and PIN or chip and signature). Criminals can't (yet) clone the encrypted chips embedded in new payment cards. Europe and Asia were the first to mandate compliance with this new payment card standard, but fraud opportunities remained in the United States, which lagged behind.

Now the payment card industry is forcing American businesses toward EMV compliance. The previously lucrative criminal carding opportunities are disappearing, leaving criminal actors searching for new revenue channels. Ransomware is an enticing replacement, leading to a new de facto criminal commodity and associated revenue stream.

Outside of nation-state offensive cyber campaigns and their goal of persistent information advantage, the largest manual criminal hacks over the past 15 years targeted payment card track data. A horde of willing buyers scooped up the latest stolen credit cards, often numbering in the millions of records. Buyers went shopping with physically cloned credit cards, quickly amassing small fortunes by reselling popular merchandise at 90% of retail value, often on auction websites.

Historically, criminal data breaches are the product of hunting for payment card data. Image source: Recorded Future

Today, the cyber black market economy for credit cards is ending. Card not present (CNP) fraud — using stolen credit cards over the Internet or phone — will remain a lesser problem, but banks are employing recent technology advances to spot and deny CNP fraud much quicker.

A vibrant market remains for financial malicious code (malware) destined for victims' computers and phones, but monetization of online bank accounts is neither quick nor simple, as defensive technology improvements have also made account takeovers less profitable than they once were.

Ransomware is the new answer to sustainable criminal profits for three reasons:

  • Ransomware provides straightforward revenue mechanisms.
  • Ransomed data may be far more valuable than payment cards.
  • Bitcoin provides anonymity that frustrates tracking of ransom payments.

Ransomware is ideal for the online criminal masses because it's simple to purchase, relatively easy to use, and it quickly and directly produces victim payments.

The recent WannaCry ransomware outbreak illustrates the types of data that are far more important than payment card details. When businesses (e.g., hospitals) are victimized by ransomware and backups are unavailable, the decision to pay the ransom becomes binary. Pay the ransom and recover the data, or lose the data.

Criminals love the simplicity of the ransomware business model. No middle men, no social engineering, only a decision. Victims are paying. 

In the past, criminals used e-payment systems like eGold and Liberty Reserve to send and receive payments for the tools and cash-out services needed to ply their trade. The indictments of both companies' founders and the advent of Bitcoin eventually led to an underground economy shift in which the vast majority of transactions now take place using Bitcoin.

Bitcoin payments aren't impossible for researchers and law enforcement to track, but the distributed nature of the blockchain ironically lends itself well to anonymity. If a criminal actor understands how to obfuscate Bitcoin payments, attribution becomes difficult.

What's Next?
The recent explosion of ransomware families corresponds with declining opportunities to monetize stolen credit cards in the developed world. WannaCry is an unusual event driven by the weaponization of a "one day" vulnerability and a corresponding sophisticated publicly available exploit.

However, ransomware business models continue to evolve, and future data breaches may automatically be accompanied by ransomware. Criminals quickly notice models that work, and ransomware as a service (RaaS) has proven itself particularly effective.

Surging interest in ransomware is leading to an explosion of ransomware families. Image source: Recorded Future

Criminal specializations in spam, phishing, drive-by (watering hole) exploit kits, adware/spyware (potentially unwanted programs, or PUPs), malvertising, Web server exploitation, and stolen credential reuse are all likely to become more popular as criminal actors continue to improve the RaaS model for the singular goal of delivering ransomware to the maximum number of victims and increasing profitability.

Based on the underground economy's history, the early success of ransomware is an incentive toward further innovation. Mobile operating systems like Android and diverse chip architectures like ARM (that power the Internet of Things) are logical future targets for ransomware developers. The only challenge will be delivering ransomware messaging and payment details after infecting devices such as ovens and washing machines. But devices such as Internet-connected televisions and Amazon's Echo may be part of the next evolution to deliver verbal ransom notices for devices lacking a digital display.

Criminal adoption of ransomware is currently at an inflection point. Until a viable methodology for cloning chipped credit cards (or a practical strategy for subverting EMV point-of-sale terminals) becomes achievable for the criminal masses, ransomware is not only here to stay, it's going to proliferate by orders of magnitude and cause substantial risk to businesses for the foreseeable future.

Of course, the present information security situation isn't all gloom. The 20-year-old advice of patching and disabling unnecessary Windows services (e.g., SMBv1) is sufficient for defending against WannaCry. Yet standard security controls in the vein of defense-in-depth have proven incapable of removing risk from the aforementioned conventional criminal threats. To properly assess risk, especially from ransomware, businesses need relevant and sustainable threat intelligence — the kind that improves business decisions and operational security. 
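One concrete form of the mitigation this paragraph names, added here as an example rather than material from the article: a PowerShell script that audits the SMBv1 server protocol state and, when run with -Remediate, disables it. It assumes a Windows 8.1 / Server 2012 R2 or later host with the SmbShare and DISM modules, run from an elevated prompt (on Windows Server the protocol binaries are removed with Remove-WindowsFeature FS-SMB1 instead of the optional feature used below).

```powershell
# Added example (not from the article): audit and, optionally, disable SMBv1
# on a Windows 8.1 / Server 2012 R2 or later host. Assumes the SmbShare module
# (Get/Set-SmbServerConfiguration) and DISM cmdlets are available; run elevated.
param([switch]$Remediate)

$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Get-Smb1State {
    # Server-side protocol flag as reported by the running SMB server service
    $cfg = Get-SmbServerConfiguration
    # Registry override: SMB1 = 0 disables the protocol; absent means enabled
    $reg = (Get-ItemProperty -Path $regPath -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    # Optional feature (client and server binaries) on Windows 8.1 / 10
    $feat = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ServerProtocolEnabled = $cfg.EnableSMB1Protocol
        RegistryValue         = if ($null -eq $reg) { 'not set (defaults to enabled)' } else { $reg }
        FeatureState          = if ($feat) { $feat.State } else { 'n/a' }
    }
}

Write-Output 'SMBv1 state before:'
Get-Smb1State | Format-List

if ($Remediate) {
    # Turn the protocol off in the running server and persist that in the registry
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    Set-ItemProperty -Path $regPath -Name SMB1 -Type DWord -Value 0
    # Remove the SMB1 feature entirely (Windows 8.1 / 10); a reboot completes removal
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
    Write-Output 'SMBv1 state after:'
    Get-Smb1State | Format-List
}
```

Run without -Remediate first to record the baseline across a fleet; any host still reporting ServerProtocolEnabled = True is exposed to the WannaCry propagation path the article describes.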

Levi Gundert is an internationally recognized information security expert and risk management leader with over 15 years of experience. In his current role as vice president of threat intelligence at Recorded Future, Gundert leads the continuous development of strategic ...