The two gangs behind Emotet and Trickbot turned the blackmailing of companies into the cash cow of organized crime. Using methods that until then had only been seen in targeted attacks (Advanced Persistent Threats, APT), they extorted very large sums of money from companies and organizations, one case after another. How they do this is explained in the article Emotet, Trickbot, Ryuk – an explosive malware cocktail.
However, the competition is catching up and using the same methods to raise the risk for companies to an even higher level. Extortion demands in the millions are no longer uncommon. Maze, Ragnar Locker, REvil, Doppelpaymer and Co. have also specialized in blackmailing companies and organizations, and they have pulled off some spectacular coups in the past few months.
On Tuesday, August 18th, 2020, the author of this article, Jürgen Schmidt, and heise legal advisor Jörg Heidrich will discuss the topic “Cybercrime: Blackmail on a new level” with interested security professionals. All members of heise Security Pro are cordially invited.
At the end of July, for example, after an infection with the WastedLocker ransomware, Garmin probably paid several million US dollars in Bitcoin to get its IT infrastructure back up and running. The US travel company CWT paid $4.5 million. And the cases that become public are – as always with extortion – only a comparatively small fraction.
What is interesting about the CWT case is that the negotiations with Ragnar Locker were conducted in a publicly accessible forum and could therefore be documented. The chat history published on Twitter offers insights that criminal psychologists are sure to enjoy. What stands out is the almost compulsive effort on both sides to keep a professional tone. Both want to make the blackmail negotiations look like a normal business transaction.
But the CWT case is also interesting from a technical point of view, because it shows a new strategy of the cybercrime gangs. The criminals did not just encrypt data on more than 30,000 PCs. Before doing so, they also uploaded 2 terabytes of internal company data to their own servers.
That put Ragnar Locker in a position to make CWT a double “offer”: for 10 million US dollars they would not only hand over the keys to the encrypted data but also delete the stolen data from their own servers.
Publication would cost the company dearly, the blackmail letter said. Ragnar Locker threatened not only a loss of reputation but also enormous “litigation costs” that the company would then face. After some back and forth, the two sides agreed on the complete package at the bargain price of 4.5 million in Bitcoin.
Even when negotiations fail, the criminals do not give up but keep trying to squeeze money out of the captured data. When the Canadian company Agromart refused to pay in June, the REvil / Sodinokibi group escalated step by step.
First they published documents with customer lists and their orders as well as some internal sales forecasts. When Agromart remained firm, the REvil gang announced that the data would now be auctioned off to third parties. More than 22,000 PDF, Word and Excel files are up for auction – opening bid 50,000 US dollars, buy-it-now price 100,000 US dollars.
When the pressure from stolen business data is not enough, the blackmailers sometimes resort to really dirty tricks. At Agromart, for example, they hinted that the stolen data documents how company employees were involved in insurance fraud. In another case, blackmailers threatened to publish private e-mails about a board member's sex life and illustrated the threat with corresponding pictures. The blackmailers also do not shy away from calling business partners of those affected.
Only recently, Xerox and LG found out that the blackmailers are serious about publishing the data. The cybercrime gang Maze had apparently already broken into both companies in June. After various announcements, it finally published data packages of 26 and 50 GByte on its own leak portal, which it claims to have stolen in these break-ins. Among other things, the data sets contain firmware source code.
Ransomware victims therefore now have to be prepared not only for data that is no longer accessible, but also for being systematically blackmailed with the stolen data. One does not even want to imagine what else is in store.
The Burglary – Initial Access
Cybercrime gangs are creative when it comes to breaking into company networks, too. While Emotet is still – and still very successfully – relying on dynamite phishing, the other gangs are experimenting. Entry via insufficiently protected RDP systems is very popular. Earlier this year, the FBI estimated that around 70 percent of all ransomware incidents in the United States began with a break-in via RDP.
Often the ransomware gangs do not even crack the RDP systems themselves. Specialized groups do this on a large scale and sell complete sets of access data in bulk on underground markets. Supply is not a problem: Shodan still lists around 4.4 million directly accessible RDP systems, over 170,000 of them in Germany.
Maze & Co buy a few hundred data records from their preferred RDP dealers and see what they can do with them. The calculation is simple: an access costs a few dollars, and there are generous discounts for bulk purchases. The investment pays off if just one of them is an RDP server suitable as a starting point for spreading further through the network and ultimately a blackmail campaign (more on this in Remote Desktop via RDP: Dearest child of the cybercrime scene).
Another popular gateway is VPN access such as Citrix / NetScaler, Pulse Connect Secure or Fortigate SSL-VPN, especially when it has known security vulnerabilities such as CVE-2019-11510 and CVE-2019-19781 that some companies have still not closed. Alternatively, credential stuffing is used: the criminals systematically try access data stolen elsewhere in order to gain access to company resources.
Of course, the focus is not only on RDP and VPN but on all company resources that can be reached from the network: from e-mail to SSH to the administration interface of the CMS or social media accounts. With one foot in the door, the attackers then use every conceivable method to work their way further from there.
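The RDP and credential-stuffing entry described above leaves a characteristic trace on the defender's side: one source address failing logons for many different accounts in a short time, often followed by a single success. The following detector is an added example written for this article, not code from heise or from any of the gangs named; it runs over a constructed, simplified log in which each line carries a timestamp, the Windows event ID (4625 failed logon, 4624 successful logon), the logon type (10 = RDP) and the source address and account name. The window and threshold values are assumptions to be tuned per environment.

```python
"""Flag RDP password spraying / credential stuffing in logon records.

Added example: groups failed RDP logons (event 4625, logon type 10) per source
address, counts the distinct accounts tried within a time window and reports
any account that logged on successfully (event 4624) from the same source
afterwards. The log format below is constructed for this example.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not from the article). Source 203.0.113.7 tries five
# different accounts in ten seconds and then gets into svc_sql; 198.51.100.20
# is one user mistyping a password twice and then succeeding.
SAMPLE_LOG = """\
2020-08-10T02:00:01Z 4625 type=10 src=203.0.113.7 user=jsmith
2020-08-10T02:00:03Z 4625 type=10 src=203.0.113.7 user=mmueller
2020-08-10T02:00:05Z 4625 type=10 src=203.0.113.7 user=admin
2020-08-10T02:00:07Z 4625 type=10 src=203.0.113.7 user=backup
2020-08-10T02:00:09Z 4625 type=10 src=203.0.113.7 user=svc_sql
2020-08-10T02:00:11Z 4624 type=10 src=203.0.113.7 user=svc_sql
2020-08-10T02:10:00Z 4625 type=10 src=198.51.100.20 user=jdoe
2020-08-10T02:10:30Z 4625 type=10 src=198.51.100.20 user=jdoe
2020-08-10T02:11:00Z 4624 type=10 src=198.51.100.20 user=jdoe
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>\d{4}) type=(?P<ltype>\d+) "
    r"src=(?P<src>\S+) user=(?P<user>\S+)$"
)


def parse_line(line):
    """Parse one constructed log line into a dict; return None for junk lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    rec["event"] = int(rec["event"])
    rec["ltype"] = int(rec["ltype"])
    return rec


def detect_spraying(log_text, window=timedelta(minutes=10), min_users=5):
    """Return one alert per source that failed RDP logons for at least
    `min_users` distinct accounts within `window` (assumed thresholds)."""
    events = [e for e in map(parse_line, log_text.splitlines())
              if e and e["ltype"] == 10]          # RDP (RemoteInteractive) only
    events.sort(key=lambda e: e["ts"])

    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)

    alerts = []
    for src, evs in by_src.items():
        failures = [e for e in evs if e["event"] == 4625]
        # Slide a window over the failures; the first window that reaches the
        # threshold produces the alert for this source.
        for i, start in enumerate(failures):
            users = {e["user"] for e in failures[i:]
                     if e["ts"] - start["ts"] <= window}
            if len(users) >= min_users:
                # Any success from the same source after the spray began is the
                # account the attacker most likely got in with.
                later_success = sorted({e["user"] for e in evs
                                        if e["event"] == 4624
                                        and e["ts"] >= start["ts"]})
                alerts.append({
                    "src": src,
                    "first_seen": start["ts"].isoformat(),
                    "distinct_failed_users": len(users),
                    "failed_users": sorted(users),
                    "later_success": later_success,
                })
                break
    return alerts


if __name__ == "__main__":
    for alert in detect_spraying(SAMPLE_LOG):
        print(f"{alert['src']}: {alert['distinct_failed_users']} accounts tried "
              f"from {alert['first_seen']}, later success: {alert['later_success']}")
```

Counting distinct accounts per source, rather than failures per account, is what separates stuffing and spraying from a single user locked out by typos; the `later_success` field turns the alert into an incident-response lead, since that account and its session are where lateral movement would start.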