The digital souks, where actors buy, sell, and trade criminal goods and services, exist to facilitate anonymity and illicit revenue, and this underground information economy's most popular asset has historically been stolen credit cards. That is changing.
For over 15 years, creating spurious credit cards was the quickest way to a large payday. A payment card's magnetic stripe was easy to clone. Demand for new databases of stolen track data (known as "dumps" in the underground) surged, and never let up.
The financial services industry answered with EMV (chip plus PIN or chip plus sign). Criminals can't clone the encrypted chips (yet) that are embedded in new payment cards. Europe and Asia were the first to mandate compliance with this new payment card standard, but there were still fraud opportunities in the United States, which lagged behind.
Now the payment card industry is forcing American businesses toward EMV compliance. The previously lucrative criminal carding opportunities are disappearing, leaving criminal actors searching for new revenue channels. Ransomware is an enticing replacement, leading to a new de facto criminal commodity and associated revenue stream.
Outside of nation-state offensive cyber campaigns and their goal of persistent information advantage, the largest manual criminal hacks over the past 15 years targeted payment card track data. A horde of willing buyers scooped up the latest stolen credit cards, often numbering in the millions of records. Buyers went shopping with physically cloned credit cards, quickly amassing small fortunes by reselling popular merchandise at 90% of retail value, often on auction websites.
Today, the cyber black market economy for credit cards is ending. Card not present (CNP) fraud — using stolen credit cards over the Internet or phone — will remain a lesser problem, but banks are employing recent technology advances to spot and deny CNP fraud much quicker.
A vibrant market remains for financial malicious code (malware) destined for victims' computers and phones, but monetization of online bank accounts is neither quick nor simple, as defensive technology improvements have also made account takeovers less profitable than they once were.
Ransomware is the new answer to sustainable criminal profits for three reasons:
- Ransomware provides straightforward revenue mechanisms.
- Ransomed data may be far more valuable than payment cards
- Bitcoin provides anonymity for ransom payment tracking
Ransomware is ideal for the online criminal masses because it's simple to purchase, relatively easy to use, and it quickly and directly produces victim payments.
The recent WannaCry ransomware outbreak illustrates the types of data that are far more important than payment card details. When businesses (e.g., hospitals) are victimized by ransomware and backups are unavailable, the decision to pay the ransom becomes binary. Pay the ransom and recover the data, or lose the data.
Criminals love the simplicity of the ransomware business model. No middle men, no social engineering, only a decision. Victims are paying.
In the past, criminals used e-payment systems like eGold and Liberty Reserve to send and receive payments for the tools and cash out services needed to ply their trade. The indictments of both companies' founders and the advent of Bitcoin eventually led to a underground economy shift where the vast majority of transactions now take place using Bitcoin.
Bitcoin payments aren't impossible for researchers and law enforcement to track, but the distributed nature of the blockchain ironically lends itself well to anonymity. If a criminal actor understands how to obfuscate Bitcoin payments, attribution becomes difficult.
The recent explosion of ransomware families corresponds with declining opportunities to monetize stolen credit cards in the developed world. WannaCry is an unusual event driven by the weaponization of a "one day" vulnerability and a corresponding sophisticated publicly available exploit.
However, ransomware business models continue to evolve, and future data breaches may automatically be accompanied by ransomware. Criminals quickly notice models that work, and ransomware as a service (RaaS) has proven itself particularly effective.
Criminal specializations in spam, phishing, drive-by (watering hole) exploit kits, adware/spyware (potentially unwanted programs, or PUP) malvertising, Web server exploitation, and stolen credential reuse are all likely to become more popular as criminal actors continue to improve the RaaS model for the singular goal of delivering ransomware to the maximum number of victims and increasing profitability.
Based on the underground economy's history, the early success of ransomware is an incentive toward further innovation. Mobile operating systems like Android and diverse chip architectures like ARM (that power the Internet of Things) are logical future targets for ransomware developers. The only challenge will be delivering ransomware messaging and payment details after infecting devices such as ovens and washing machines. But devices such as Internet-connected televisions and Amazon's Echo may be part of the next evolution to deliver verbal ransom notices for devices lacking a digital display.
Criminal adoption of ransomware is currently at an inflection point. Until a viable methodology for cloning chipped credit cards (or a practical strategy for subverting EMV point-of-sale terminals) becomes achievable for the criminal masses, ransomware is not only here to stay, it's going to proliferate by orders of magnitude and cause substantial risk to businesses for the foreseeable future.
Of course, the present information security situation isn't all gloom. The 20-year-old advice of patching and disabling unnecessary Windows services (e.g., SMBv1) is sufficient for defending against WannaCry. Yet standard security controls in the vein of defense-in-depth have proven incapable of removing risk from the aforementioned conventional criminal threats. To properly assess risk, especially from ransomware, businesses need relevant and sustainable threat intelligence — the kind that improves business decisions and operational security.