Cybercrime - Breaking Profitability

There is another approach, developed by the United States in 2020: the American Department of Treasury published a noteproviding for sanctions - including financial sanctions - against companies and intermediaries that accede to the blackmail. In case of an attack, victims are asked to contact and cooperate with the authorities. 

These approaches have proven unable to curtail the rise of payments on a global scale 

These decisions and initiatives have a limited reach, especially in France. According to the fieldwork conducted by the Wavestone consultancy group, attacked companies pay the ransom in 20% of cases - data confirmed by analyses of the associated electronic currency and financial flows. 

Why do companies pay the ransom? They are usually acting under the (false) pretense that doing so will help them resume their activities faster, but also to ensure that the stolen data is not disclosed. The requested ransom payment is usually reasonable and takes into account the damage caused. Criminals also leave room for negotiations, meaning companies can lower the asking price. A whole ecosystem of negotiation and ransom payment support - negotiation companies, payment intermediaries, etc. - has recently emerged. These actors’ support is most likely linked to the increase in ransom payments. 

Some suggestions to dry up cybercriminals’ sources of revenue 

Where to go from there? There are no silver bullets. We have, however, identified three challenges. 

First of all, a crystal-clear communication stating that one’s organization - whether corporate or governmental - will categorically refuse to pay any ransom, can strongly dissuade cybercriminals. This is the case today for governmental organizations (local governments, ministries). Companies could do the same, for instance - for public companies - in their annual reports. This measure will obviously not be enough to contain waves of attacks, but it may help deter some cybercriminals. 

The second challenge is to weigh the benefits of paying a ransom. Payment should be considered only if really necessary - for instance, if the company’s survival depends on it, or if one is certain that this will reduce risks and financial impact. This diligence, conducted by independent experts and/or public authorities, could be added to contracts companies enter into with cyber insurance providers. This would also bolster cooperation between victims, insurers and authorities tasked with fighting cybercrime in order to improve tracing of cybercriminals’ actions. This is the solution explored by the United States, as shows the latest note from the Office of Foreign Assets Control (OFAC). 

Finally, the third challenge is to reinforce traceability and identification of crypto-to-traditional currencies transfer capabilities in order to for instance freeze cybercriminals’ assets. This measure is particularly complex as it requires major international cooperation. 

Upsetting cybercriminals’ feeling of impunity 

Cybercrime is attractive in part due to cybercriminals’ apparent impunity. They often take very few risks compared to traditional criminals and often hide in places remote - both geographically and culturally - from their victims. The cybercriminal group Evil Corp is the archetype of this behavior - its members exhibit their excessive lifestyles and their financial gains (which enable them to buy sports cars, organize luxurious parties, etc.). 

2021: a pivotal year in the fight against cybercrime

Beyond Emotet, cybercriminal groups Netwalker and Egregor have also seen some of their operators and affiliates be arrested in the past few months. The shockwave from these arrests was immediate and led platforms Ziggy and Fonix (see the first article in this series) to announce they would stop their operations as a result. 

It is also worth mentioning the "name and shame" policy that has existed now for several years in the United States - which consists in revealing cybercriminals’ identity. Although this policy’s impact in terms of communication is obvious, its operational efficiency is limited. The United States recognizes this and admits that this measure should only be a last resort when it has become certain that the cybercriminals will not be caught. 

Despite these successes, the cybercriminal ecosystem is resilient and continues to grow 

If the recent dismantlements and shutdowns represent a shift in the evolution of cybercriminals’ activities, the effort must last and intensify. Operators of Ransomware-as-a-Service platforms are for the most part still active and numerous competitors are hoping to carve themselves a share of this particularly lucrative market. 

International cooperation is unsurprisingly fundamental in order to arrest the criminals. However, it remains slow to put in place while cybercriminals collaborate on a daily basis to hone their methods and tools and better evade authorities. To answer these challenges, we agree with the World Economic Forum that suggests the creation of a global partnership with entities responsible for stimulating collaboration and task forces dedicated to specific topics. 

Following the same logic, the pace of judicial procedures remains overall too slow compared with the extremely dynamic environment of cyber-criminality. The drafting and application of laws to limit cyberattacks are time-consuming affairs. The judicial solution is also limited by territoriality: it can be hard to obtain the authorizations required to intervene on another country’s territory. This is why criminal groups tend to emerge in countries that are known to turn a blind eye to their practices (under the condition that cybercriminals don’t target them). 

Some suggestions to improve the punishment of cybercriminals 

The sovereign functions of the state (justice, security, diplomacy) are on the front line. However, justice is insufficiently targeted by the French government’s plan to fight cybercrime - announced in great part in reaction to the wave of attacks involving the health sector. The judiciary struggles to tackle cybercrime for several reasons: excessive caseload, a lack of qualified personnel, a criminal code not designed to fighting cybercrime, legislative difficulties linked to the acquiring and validity of digital proofs, fragmentation, a lack of resources to follow virtual currencies flows… 

At the national level, we have to lift certain barriers in order to make up for the accrued delay. One of the main challenges is the lack of cooperation between various institutions, in particular between the justice system and intelligence services. Improved information sharing would go a long way in accelerating inquiries. In this respect, the fight against terrorism from 2015 onwards, which creates a precedent for regulated information sharing between the judiciary and the intelligence community, could serve as an inspiration. 

Making attackers’ targets harder to identity and attacks harder to conduct 

Reinforcing the security of basic network, systems and IT solutions used by corporate and governmental organizations will mechanically increase cyberattack costs for criminals. This is therefore the last essential factor in order to curtail cybercrime profitability. 

Victims’ IT systems reflect vastly different levels of security 

SMEs make good targets for cybercriminals as they rarely have the resources or know-how needed to invest heavily in cybersecurity. The French governmental platform Cybermalveillance.gouv.fr offers a number of awareness, prevention and assistance tools in order to assist them. Since 2020, the platform also runs the ExpertCyber label, which guarantees the level of expertise of specialized companies that can provide assistance to SMEs. We also address in more detail the need to better secure these structures’ IT systems in our 2018 report: Cyberthreat: Storm Warning. 

A reckoning is under way in large companies, as the Wavestone survey of large public corporations shows: 100% of companies listed on the CAC 40 indicate awareness of cyberthreats in their annual reports. However, a lot remains to be done. Analysing budget and staffing dedicated to cybersecurity shows wide industry-related gaps. For the most critical functions - which are of vital importance to the nation - regulatory obligations set a minimum level. But this only applies to 200 organizations in France and to some of their systems (those that ensure the most critical or dangerous services). 

Finally, the public sector is fragile as a consequence of a lack of significant investment for numerous years. The recent wave of attacks on hospitals and city halls proves it. However, as mentioned above, the national strategy launched in 2021 will fill this gap, notably through massive investments: nearly €350M for the health sector, and €160M of the recovery plan for local governments. 

What are the limits? 

Furthermore, digital systems designed and sold today do not always integrate default cybersecurity mechanisms. Securing them then requires an additional effort from users. The whole digital section could seek inspiration of the developments observed in the smartphone industry over the last years, in which data encryption or the default use of access codes have increased devices’ security overall. 

Some thoughts on improving organization security 

The organizations that use digital services can make significant efforts. Having a dedicated budget and staff is a must in order to deploy a minimal cybersecurity hygiene, even if these of course depend on context. Simulating a ransomware crisis is a simple and efficient way to test and validate an organization’s capacity to handle such an incident. This also enables companies and their directors to be mobilized. 

Digital solutions providers (editors, service companies) are also an essential part of the protection chain. It is important to regulate security practices in order to reach a minimal level of cybersecurity in digital products and services. In this respect, the OECD’s work is encouraging, as it provides best practices and recommendations for the security of digital products and services. Discussions can also be held to identify and protect the user systems shared by the clients of a same provider in order to prevent cybercriminals from bouncing from one target to the next (oversight, administration and support systems) through these data managers and hosts. These structures’ clients can be encouraged to integrate these aspects in their service requests in order to hasten these evolutions. 

Fighting cybercrime together 

More than ever, fighting cybercrime has become a transversal challenge and requires cooperation from the entire ecosystem. This affects the main digital actors, who today have an unrivalled capacity to investigate and protect on a large scale; digital designers, who should provide safe systems and services; users, who need to watch out for their own security; and sovereign actors at national and international level, who can hunt and arrest cybercriminals. 

The efficiency of this common fight depends on information sharing, which has a double role: on the one hand, alerting in real-time on the mechanisms used by cybercriminals to improve their detection, interrupting their attacks and tracking their funding in case of a ransom; and on the other, in the medium-term, consolidating information on the groups and their functioning in order to identify and detain them. 

By mobilizing governmental, corporate, national and international actors, we can curb the number of cyberattacks, reduce their impact and reach an acceptable level of risk for our economies and daily security.

We thank the following people for the time they have granted us to help us complete this research. 

Copyright : Saksham Choudhary / Pexels