Cybercrime - A Peek at the Cybercriminal Ecosystem

ARTICLES - 23 March 2021

By Gérôme Billois

Partner, Cybersecurity and Digital Trust at Wavestone

By Marwan Lahoud

Executive Chairman and Managing Director, Ace Capital Partners

Our previous article presented the challenges of ransomware. These attacks have grown exponentially due to a highly structured cybercriminal ecosystem in which Internet black markets, attack tools and money laundering platforms have merged. In order to combat these threats it is necessary to understand how the ecosystem is structured and how it generates profits. This is the aim of the analysis below.

Here is a realistic (hypothetical) preparation and launch simulation for a cyber attack by a group of criminals targeting twenty companies. The figures used are based on Wavestone's field observations and on various other sources of both public and private analysis (i.e. the French National Agency for Information Systems Security, the National Cyber Security Center, Symantec, McAfee, Talos (Cisco), X-Force (IBM), Microsoft Security Response Center, FireEye, Intel471 and ChainAnalysis).

Our hypotheses have been tested and verified by the work group in charge of Institut Montaigne’s report Cyberthreat: Storm Warning (Cybermenace: avis de tempête).

Find a target and build an infrastructure

All attacks require initial access to the target's information system. Practically speaking, the cybercriminal's goal is to seize control of at least one computer connected to a company’s network. To achieve this, groups specialized in obtaining and selling access to public or private company networks can be found on underground markets. Sales are usually made through a third party service (an online forum or the dark web) in order to avoid any direct contact between the criminal and the access seller.

These access sellers conduct phishing campaigns (fraudulent emails) or massive network scans to find vulnerabilities in websites or remote access systems. Once a vulnerability is identified, they break into the targeted machine to set up a remote access that can be used later on. This access information is then sold to the highest bidder.

It is common to find a six-month-old access code on the black market at prices ranging from a few hundred to over $150,000. The price depends on the quality of the access: it will fetch a high price if the access information serves to infiltrate the most critical networks within a company, making it likely to pay a high ransom, or to steal particularly sensitive and confidential data.

In our simulation, our group of cybercriminals has chosen to acquire about 20 good quality remote accesses for about $60,000.

To conduct the attacks, the cybercriminals then need anonymous and protected servers to host their attack tools and to hide their tracks - especially if law enforcement is on their trail. Many hosting companies provide this service - called "bulletproof hosting services" - regardless of their customers' activities. They fall into two categories: those who own and operate their own physical infrastructure, and those who hijack and resell existing traditional services while hiding the activities of their end users (i.e. cybercriminals).

In our simulation, our group of cybercriminals has opted for secure hosting and a VPN to guarantee their anonymity, costing around $1,200 per month.

Join a cartel and make the attack a success

Groups specialized in obtaining and selling access to public or private company networks can be found on underground markets.

A quick look at the latest ransomware attacks shows the massive increase in the use of Ransomware-as-a-Service platforms. These cybercrime cartels provide their affiliates with attack tools as well as various services (trading, payment recovery, etc.). Their guarantee is threefold: one, these tools will not be detected by standard protection mechanisms; two, data encryption will be effective; three, victims will be able to recover their data once they have paid the ransom. Moreover, they also provide technical support. To achieve this level of service, these platforms have dedicated staff members. For instance, the REvil group mentions a team of 10 developers.

In exchange for these "quality" tools and services, these cybercriminal platforms receive a portion of the ransoms as payment. These platforms charge various fees: 20% for Netwalker and up to 70% for other groups.

In our simulation, our group of cybercriminals has chosen to affiliate itself with the Egregor cartel, giving them about 30% commission for successful attacks.

Outsourcing parts of their cyberattacks allows less experienced cybercriminals to conduct more complex and ambitious raids and increase profits for the platforms. Thus, a team of affiliated cybercriminals will lead the attacks, heavily assisted by the Ransomware-as-a-Service cartel.

When cybercriminals are affiliated with a platform, their task becomes much easier. They no longer have to develop ransomware and an interface to drive the attack, nor do they have to manage the negotiations or the collection of the ransom. However, these affiliates maintain responsibility for the intrusion (via previously purchased access), the theft of data to facilitate negotiations and the ransomware deployment.

Relationships on these platforms are primarily based on trust between the seller (the platform) and the buyer (the cybercriminal conducting the attack). Affiliated cybercriminals must first prove themselves in basic attacks, before earning the necessary trust to conduct more ambitious operations.

In our simulation, we have assumed that of the 20 companies attacked by the criminals, a large number of the attacks have succeeded. Hence, we have estimated that only 4 victims (20%) have ultimately paid a ransom (negotiated at 20% cheaper on average).

Cover your tracks and launder your money

Once the cyberattack is successfully completed, cybercriminals have obtained a ransom paid in cryptocurrencies - usually in Bitcoins. Although more confidential cryptocurrencies exist, such as Monero, Bitcoin’s popularity has made it a perennial favorite.

The cybercriminals’ first step is to ensure that the ransom cannot be traced back to them. To do so, they use Bitcoin mixers, mixing ransom Bitcoins with "clean" Bitcoins. These "clean" Bitcoins belong to people who use these same platforms to keep their anonymity during Bitcoin transactions.

Once the cyberattack is successfully completed, cybercriminals have obtained a ransom paid in cryptocurrencies.

In our simulation, our cybercriminal group, now affiliated with the Egregor cartel, has demanded Bitcoin payments. Our hypothesis is that they have used a Bitcoin mixing service to cover their financial tracks. This has cost them 0.5% of the money laundered.

Finally, cybercriminals must find a way to launder their money and get it into their actual physical wallets. One way to do this is to use specialized money laundering groups who rely on money couriers, or "money mules", taking the money out of the country and turning it into cash. To recruit couriers, cybercriminals abuse the trust of relatively naïve people through scams, such as false job offers, or blackmail.

According to cybersecurity expert Brian Krebs, the cost of laundering is estimated at 50% of the profits and is usually outsourced.

In our simulation, our cybercriminal group has called on a specialized group for laundering and money mule management. These services have cost close to 50% of the money laundered.

What is then the profitability of an attack campaign on 20 targets by a group affiliated to a ransomware cartel?

The "platformization" of cybercrime provides attackers with impressive financial means and allows them to grow exponentially. Recently, the REvil cartel (also known as Sodinokibi) reported earning a minimum of $100,000,000 per annum, with its affiliates’ earnings ranging from $30,000 to $8,000,000 for each attack (depending on its size). The X-Force Threat Intelligence 2020 report (IBM) estimates that this cartel made at least $123 million in profits in 2020, stealing approximately 21.6 terabytes of data. The example of Ryuk is also striking. The platform, created in mid-2018, collected $3,000,000 in its first year according to FBI analysis, then $60,000,000 in its second, reaching a total of $150,000,000 from mid-2018 to the end of 2020.

In our simulation, we have calculated profitability margins ranging from 250% to almost 1000% for a cybercriminal group conducting an attack. Profits are even higher for platforms that manage ransomware from multiple attacks.

These figures vary greatly depending on which platform is used, the level of expertise and seniority of the affiliate groups, or the demands for ransom payments.

At present, cybercriminal groups have human and technological resources rivalling those of state offensive cybersecurity departments, allowing them to grow considerably. Until we are able to better apprehend cybercriminals, it seems impossible to slow down this phenomenon. However, international law enforcement operations in early 2021 bring hope, proving that coordinated legal actions can be taken to stop cybercriminals. How can this phenomenon be significantly curbed? The third and final post of our series will offer suggestions.

Copyright: DAMIEN MEYER / AFP