By Vitali Kremez, Flashpoint and Travis Farral, Anomali
It’s no secret that the Deep & Dark Web (DDW) is home to illicit marketplaces and forums, as well as an array of cybercriminal communications. Less obvious, however, are the nuances of these communications, the unspoken code of conduct that exists in cybercriminal communities, and the “ethical” dilemma that certain types of attacks can cause.
For example, let’s discuss ransomware.
While monitoring DDW communities in Eastern Europe from early 2014 to early 2016, Flashpoint researchers discovered the forewarnings of a shift in attitude toward ransomware.
Prior to 2016, administrators of the Russian underground stated that ransomware should not be practiced for two reasons:
- It was a waste of botnet installs and exploit kits;
- It was “intellectual death” and therefore a low-end maneuver.
These administrators firmly believed that ransomware attracts too much attention, may impede other types of cybercrime, could be too-easily turned toward Russian targets, and an increase in its use may cause the Russian government to take a harsher stance towards DDW communities.
It’s very important to note that underground administrators are incredibly powerful in the DDW. Regardless of whether administrators are revered or reviled, the community respects their decisions. Those who don’t comply with such decisions risk being exiled from the forums or even doxed.
The Ethical Dilemma
Indeed, on Feb. 5, 2016, an ethical dilemma arose following a ransomware incident at Hollywood Presbyterian Medical Center. The small hospital was demanded to pay 40 bitcoin (roughly $17,000 at the time) or risk a shutdown of its lifesaving equipment. While healthcare companies had been hit with cyberattacks before, the attacks had never before gone as far as to threaten human life. While Hollywood Presbyterian’s management claimed that the hospital’s infrastructure was never truly at risk, they chose to avert the perceived risk and pay the ransom.
Although the unspoken code of conduct amongst Eastern European cybercriminals strictly prohibits any malicious activity directed against citizens of the Commonwealth of Independent States (CIS), the targeting and exploitation of Westerners -- in particular United States citizens – is highly encouraged. Nevertheless, news of the attack against Hollywood Presbyterian was coldly received by Eastern European cybercriminals, many of whom regarded the incident as reckless and unacceptable. While some in the community supported the attack, the majority condemned the unknown assailants, which created an ethical divide in the underground.
One highly reputable member of a Russian top-tier cybercrime forum expressed his frustration with ransomware, writing “from the bottom of my heart, I sincerely wish that the mothers of all ransomware distributors end up in the hospital, and that the computer responsible for the resuscitation machine gets infected with [the ransomware]...”
In response, a prominent ransomware operator countered that view: “[the attackers] scored. It means everything was done properly.” Rather than adhering to the ethical code imposed by administrators, he proposed that targeting places that were guaranteed to pay was not wrong because, at the end of the day, cybercrime is always about making money.
In the following months ransomware increased a staggering 6000%, earning 2016 the title of “The Year of Ransomware”. Of the businesses affected, 70% chose to pay the ransom, making it one of cybercrime’s most profitable ventures.
The WannaCry Shift
Ever since the May 12, 2017 start of the global "WannaCry" (also known as "WanaCry," "W-cry," and "Wcry") ransomware worm attack that largely affected healthcare organizations affiliated with the UK's National Health Service (NHS), criminals debated the ethics behind the attack. Consequently, Russian-speaking cybercriminals revisited the topic of ransomware and its place within the criminal underground. Previously, ransomware presented cybercriminals with the aforementioned ethical dilemma, as it prevented hospital professionals from providing care. However, Flashpoint’s May 2017 review of cybercriminal discussions on ransomware indicated that many threat actors in the Russian-language underground are moving past their ethical concerns and now view banning ransomware as predominantly a business issue.
One threat actor who suggested banning ransomware cited the following reasons:
- “It attracts attention to malware and causes companies to introduce measures to increase their security.
- It increases general awareness of topics related to information security.
- It’s a business which is built not on intelligence and mental dexterity, but on brute-force and luck.”
The actor went on to say that by “allowing ransomware operators on the forum, we are digging our own grave. Of course, banning this work on the forum doesn’t stop this type of business, but as a minimum we can use community disapproval to make it more difficult to enter into it.”
The post generated multiple unique responses, almost half (48.5%) of which expressed support for the ban.
Threat actors in favor of the ban echoed concerns that Russian underground administrators shared in 2016: ransomware attracts too much attention, may impede other types of cybercrime, could be too-easily turned toward Russia, and may incentivize the government to act more harshly toward underground communities.
Some threat actors, however, suggested that the use of ransomware is still a personal decision -- as long as Russia is protected:
“There is only one rule – don’t target Russia. All other cases depend on one’s degree of perversion. Some people take grandma’s last 10k, some encrypt a corporate company and ransom [their files] for 2k, some brute-force Wordpress control panels, upload shells and then send spam or host their own malware, some install skimmers.
Everyone has their own thing.”
This one example speaks volumes about how the ethics of cybercrime are constantly evolving, often in unanticipated ways. The culture of underground communities, the power of their administrators, and the ethical dilemmas and other criminal disagreements they face cannot be determined by looking at technical indicators of compromise (IOCs) alone. Applying tradecraft, language, vernacular and culture savvy to actively listening in to a group are what truly provide the best perspective for defenders to consider as they work to mitigate their organization’s risk. It’s also important to look at these threat actors as individuals -- not just as shadowy villains. After all, these problems stem from threat actors, are developed by threat actors, and ultimately can be ended by threat actors.
For now, we know that ransomware is no longer off limits and that cybercriminals are being less selective in their targets.
The cybercriminal ecosystem has been historically and traditionally driven by the value of data on the cyber black markets. Recently, successful attacks have illustrated both a shift in cybercriminals’ business models and a nascent understanding in the cybercriminal community of another way to assign value to data: by assessing the value it presents to its owner.
Organizations seeking to mitigate risks posed by threat actors operating on the DDW must first recognize that these actors are human beings and not faceless, shadowy villains. Defenders should continually establish and/or further develop profiles of relevant threat actors, such as those who have previously attacked, targeted, and/or are seen as a threat to that organization. These profiles shouldn’t simply consist of IOCs; they should also provide insights into the human being represented by the profile. What are their preferences? What types of behaviors do they exhibit?
The combination of monitoring activity in the DDW and closely-monitoring observed attacker behaviors inside the organizational environment yields a much deeper perspective on the actors threatening the organization. This dramatically improves situational awareness and provides needed perspective when developing effective mitigation strategies for defense.
Operationally, processes for collecting and storing this information should be implemented to enhance visibility and limit repetitive, low-value tasks from taking time away from analysts. The following suggestions can help operationalize the necessary components of this collection and processing:
- Ensure that incident response processes collect needed details for threat intelligence collection
- Ensure there are mechanisms in place to store collected incident response details along with other observables from the environment such that they can be appropriately processed and searched by analysts
- DDW collection from a professional, trusted provider with data and analysis made available to internal analysts
- Provide needed context via automated means where possible (WHOIS data, passive DNS, connection to other observables and historical data, etc.)
- Ensure that analysts can add their own analysis and notes not only to individual IOCs but also provide the ability to curate and store finished reporting along with associated connections to IOCs and related analysis
Visibility into criminal forums on the DDW is a huge asset for defenders, allowing them to understand the ethics and nuances of the mindsets of cybercriminals. Coupling this information with threat intelligence collections inside an organization helps defensive teams develop deep perspectives and create a “rudder” to guide effective mitigation strategies against current threats. The value this creates is significant for organizations that make investments in these areas versus operating largely in the dark regarding the origins of the attacks seen in the environment every day. As the mindsets and capabilities of cybercriminals change and adapt, so should defenders in how they approach their defensive posture.
This blog post has also been published on Flashpoint's blog, here.