News & Commentary

Levi Gundert
Ransomware: Carding's Replacement for the Criminal Masses

Ransomware is not only here to stay, it's going to proliferate by orders of magnitude and cause substantial risk to businesses for the foreseeable future.

The digital souks, where actors buy, sell, and trade criminal goods and services, exist to facilitate anonymity and illicit revenue, and this underground information economy's most popular asset has historically been stolen credit cards. That is changing.

For over 15 years, creating counterfeit credit cards was the quickest way to a large payday. A payment card's magnetic stripe was easy to clone: it holds static track data that any commodity reader/writer can copy onto a blank card. Demand for new databases of stolen track data (known as "dumps" in the underground) surged and never let up.

The financial services industry answered with EMV (chip-and-PIN or chip-and-signature). Criminals cannot (yet) clone the chip: it holds a key that never leaves the card and authorizes each transaction with a one-time cryptogram, so copying what a terminal sees does not yield a usable card. Europe and Asia were the first to mandate compliance with the new payment card standard, but fraud opportunities remained in the United States, which lagged behind.

Now the payment card industry is forcing American businesses toward EMV compliance. The previously lucrative criminal carding opportunities are disappearing, leaving criminal actors searching for new revenue channels. Ransomware is an enticing replacement, leading to a new de facto criminal commodity and associated revenue stream.

Outside of nation-state offensive cyber campaigns and their goal of persistent information advantage, the largest hands-on criminal intrusions of the past 15 years targeted payment card track data. A horde of willing buyers scooped up the latest stolen credit cards, often numbering in the millions of records. Buyers went shopping with physically cloned cards, quickly amassing small fortunes by reselling popular merchandise at 90% of retail value, often on auction websites.

Historically, criminal data breaches are the product of hunting for payment card data. Image source: Recorded Future

Today, the black-market economy for stolen credit cards is winding down. Card-not-present (CNP) fraud, using stolen card numbers over the Internet or phone, will remain a lesser problem, but banks are applying recent advances in fraud analytics to spot and deny CNP fraud much more quickly.

A vibrant market remains for financial malware aimed at victims' computers and phones, but monetizing online bank accounts is neither quick nor simple; defensive improvements have made account takeovers less profitable than they once were.

Ransomware is the new answer to sustainable criminal profits for three reasons:

  • Ransomware provides a straightforward revenue mechanism.
  • Ransomed data may be far more valuable than payment cards.
  • Bitcoin makes ransom payments hard to trace back to the recipient.

Ransomware is ideal for the online criminal masses because it's simple to purchase, relatively easy to use, and it quickly and directly produces victim payments.

The recent WannaCry ransomware outbreak illustrates the types of data that are far more important than payment card details. When businesses (e.g., hospitals) are hit by ransomware and no usable backups exist, the decision becomes binary: pay the ransom and recover the data, or lose the data.

Criminals love the simplicity of the ransomware business model: no middlemen or cash-out services, no social engineering at the point of payment, only a victim's decision. Victims are paying.

In the past, criminals used e-payment systems like e-gold and Liberty Reserve to send and receive payments for the tools and cash-out services needed to ply their trade. The indictments of both companies' founders and the advent of Bitcoin eventually led to an underground economy shift in which the vast majority of transactions now take place in Bitcoin.

Bitcoin payments are not impossible for researchers and law enforcement to track: every transaction is recorded on a public ledger. What the blockchain offers is pseudonymity, not anonymity. Addresses carry no identity, so a payment is attributable only once an address can be tied to a person, typically at a cash-out point. A criminal actor who understands how to obfuscate payments (splitting funds, routing them through mixing services, hopping between currencies) makes that link, and therefore attribution, difficult.

What's Next?
The recent explosion of ransomware families corresponds with declining opportunities to monetize stolen credit cards in the developed world. WannaCry is an unusual event: it weaponized a "one-day" vulnerability, one for which a patch already existed, with a sophisticated and publicly available exploit.

However, ransomware business models continue to evolve, and future data breaches may automatically be accompanied by ransomware. Criminals quickly notice models that work, and ransomware as a service (RaaS) has proven itself particularly effective.

Surging interest in ransomware is leading to an explosion of ransomware families. Image source: Recorded Future

Criminal specializations in spam, phishing, drive-by and watering-hole exploit kits, adware/spyware (potentially unwanted programs, or PUPs), malvertising, Web server exploitation, and stolen-credential reuse are all likely to become more popular as criminal actors refine the RaaS model toward a single goal: delivering ransomware to the maximum number of victims and increasing profitability.

Based on the underground economy's history, ransomware's early success is an incentive for further innovation. Mobile operating systems like Android and the ARM-based devices that power the Internet of Things are logical next targets for ransomware developers. The remaining challenge is delivering the ransom note and payment details after infecting devices such as ovens and washing machines, which have no screen. Internet-connected televisions and voice assistants such as Amazon's Echo may become the channel for verbal ransom notices on devices that lack a display.

Criminal adoption of ransomware is currently at an inflection point. Until a viable method for cloning EMV chip cards (or a practical strategy for subverting EMV point-of-sale terminals) becomes achievable for the criminal masses, ransomware is not only here to stay, it is going to proliferate by orders of magnitude and cause substantial risk to businesses for the foreseeable future.

Of course, the present information security situation isn't all gloom. The 20-year-old advice of patching promptly and disabling unnecessary services and protocols (SMBv1, in WannaCry's case) was sufficient to defend against WannaCry: the vulnerability it exploited had already been patched, and a host that did not expose SMBv1 could not be infected by its worm component. Yet standard defense-in-depth controls have proven incapable of removing risk from the conventional criminal threats described above. To properly assess risk, especially from ransomware, businesses need relevant and sustainable threat intelligence, the kind that improves business decisions and operational security.
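The "patch and disable SMBv1" advice above, turned into something an administrator can actually run. This is an added example, not code from the article or from Recorded Future. It assumes a Windows 8.1 / Server 2012 R2 or later host with the `Smb*`, `Dism` and `NetSecurity` cmdlets available and an elevated PowerShell session. The default list in `$Ms17010Kbs` is an illustrative placeholder (assumption: the operator replaces it with the KB numbers the MS17-010 bulletin lists for the exact OS build); a missing KB is a prompt to check, not a verdict, because later cumulative updates supersede the original hotfix and `Get-HotFix` will not show it.

```powershell
# Added example (not from the article): audit, and optionally enforce, the
# WannaCry hardening baseline on one Windows host.
# Assumptions (labelled): elevated session on Windows 8.1 / Server 2012 R2 or
# later; $Ms17010Kbs is an illustrative, operator-supplied list, NOT an
# authoritative one, and superseding cumulative updates hide the original KB.
#Requires -RunAsAdministrator
[CmdletBinding()]
param(
    # Hotfix IDs that carried MS17-010 for this OS build (assumption: verify per build).
    [string[]]$Ms17010Kbs = @('KB4012212', 'KB4012213', 'KB4012214', 'KB4012598'),
    # Without -Enforce the script only reports; with it, SMBv1 is disabled and
    # inbound TCP 445 is blocked on the Public and Private firewall profiles.
    [switch]$Enforce
)

function Test-Ms17010Installed {
    param([string[]]$Kbs)
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    $hit = @($Kbs | Where-Object { $installed -contains $_ })
    # Patched = $true only proves presence; $false means "check the build's
    # current cumulative update", not "vulnerable".
    [pscustomobject]@{ Patched = ($hit.Count -gt 0); MatchedKb = ($hit -join ',') }
}

function Get-Smb1State {
    # Server-side protocol switch: this is what the SMBv1 exploit talks to.
    $server = (Get-SmbServerConfiguration).EnableSMB1Protocol
    # The optional feature covers both the SMBv1 server and the client driver.
    $feature = (Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol).State
    [pscustomobject]@{ ServerEnabled = [bool]$server; FeatureState = "$feature" }
}

function Disable-Smb1 {
    # Turn the server-side protocol off immediately (no reboot required) ...
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    # ... and remove the feature so the client driver (mrxsmb10) goes with it.
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
}

function Block-InboundSmb {
    # Defense in depth: even a patched, SMBv1-free host has no business accepting
    # SMB from arbitrary peers. The rule is left off the Domain profile so
    # legitimate file sharing inside the domain keeps working.
    $name = 'Block inbound SMB (TCP 445)'
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Direction Inbound -Protocol TCP `
            -LocalPort 445 -Action Block -Profile Public, Private | Out-Null
    }
}

$patch = Test-Ms17010Installed -Kbs $Ms17010Kbs
$smb1  = Get-Smb1State
Write-Host ('MS17-010 hotfix present : {0} {1}' -f $patch.Patched, $patch.MatchedKb)
Write-Host ('SMBv1 server enabled    : {0} (feature: {1})' -f $smb1.ServerEnabled, $smb1.FeatureState)

if ($Enforce) {
    if ($smb1.ServerEnabled -or $smb1.FeatureState -eq 'Enabled') { Disable-Smb1 }
    Block-InboundSmb
    if (-not $patch.Patched) {
        Write-Warning 'No listed MS17-010 hotfix found; confirm the current cumulative update before trusting this host.'
    }
}
```

Run it once without `-Enforce` to see the host's state, then with `-Enforce` from a management script or GPO startup script. Disabling the SMBv1 feature removes the client driver too, so anything that still talks to legacy SMBv1-only file servers or NAS appliances needs to be identified first; the firewall rule is scoped to the Public and Private profiles precisely so domain file sharing is not silently broken.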


Levi Gundert is the vice president of intelligence and risk at Recorded Future, where he leads the continuous effort to measurably decrease operational risk for customers. Levi has spent the past 20 years in both government and the private sector, defending networks, ...