Skip to content
Naked Security Naked Security

Where do all those cybercrime payments go?

Yes, the headline is a rhetorical question. But sometimes we get literal answers, and they're well worth remembering.
Written by
July 09, 2021
Naked Security cybercrime Dark Web malware

Here on Naked Security, we’ve regularly asked the question, or at least implied it: “Where do you think all those cybercrime payments go?

When a ransomware victim hands over a largely anonymous, mostly untraceable quantity of Bitcoin, for example, to pay off a multi-million dollar blackmail demand in the hope of recovering their unusable files…

…what happens to that money?

The question, as posed above, is a rhetorical one, given that we can all hazard our own guesses about what the criminals do with the money.

But we have confronted that question quite literally on various occasions before, as we did when several suspects were arrested in Ukraine, allegedly in connection with ransomware attacks attributed to a gang known as “Clop”.

In that case, it seems as though at least some of the money went on fancy cars.

Police videos of those busts show impressive collections of car keyfobs being gathered up in evidence, and numerous flash-looking cars being loaded onto recovery vehicles and confiscated.

https://nakedsecurity.sophos.com/2021/06/16/clop-ransomware-suspects-busted-in-ukraine-money-and-motors-seized/

Reinvesting in the business

We’ve also written before about one of the REVil gang’s spending sprees.

That’s the same REvil ransomware operation that oversaw the infamous “Independence Day Weekend 2021” ransomware attack launched simultaneously on more than 1000 networks via software from IT management company Kaseya.

That attack led to the REvil gang’s almost casually provocative “business offer” that, for a one-off ueberpayment of $70 million in Bitcoin, it would “solve” the entire incident at a stroke by releasing a single, unified decryption tool that contained all the unscrambling secrets needed to restore any computer on any network belonging to any victim.

Presumably conscious of the preceding Colonial Pipeline attack in which a $4.4 million blackmail payoff resulted in a decryptor that, though functional in theory, was worthless in practice because it ran far too slowly, the REvil crew even blithely claimed that their so-called universal decryptor would allow everyone to “recover from attack [sic] in less than an hour”.

$1 million paid forward

Last year, REvil made headlines when the gang infamously paid $1,000,000’s worth of Bitcoins into an underground cybercrime forum as advance payment for services rendered.

The REvil crew couldn’t get this money back – it was basically a million-dollar flash-the-cash exercise aimed at proving to members of the forum that the money it was offering was more than just a promise: it was already invested and committed to being spent on successful “job applicants”:

https://nakedsecurity.sophos.com/2020/09/28/revil-ransomware-crew-dangles-1000000-cybercrime-carrot/

Well, according to cybersecurity investigator Pierluigi Paganini at Security Affairs, another anonymous cybercrime actor has just done something similar.

Due to fluctuations in the dollar value of Bitcoin, this flash-the-cash bundle now has a value somewhere closer to $888,888 than to a cool one million, but it’s still a staggering cash total to pay out up front: BTC 26.994602, according to Paganini.

When REvil stumped up its $1m cash bounty, the gang said it was looking for techies with a wide range of skills, including the programming language C#, commonly used for building Microsoft .NET apps and very popular with malware writers, virtualisation, and backup tools and technologies.

(Ransomware crooks with on-and-offsite backup skills can serve two devious purposes: finding and trashing any backups a victim already has; and quietly making unauthorised off-site backups to keep stolen data that can be used for extortion.)

This crook, apparently, has other ideas, and is looking to purchase one or more of the following, amongst a longer list:

* I will buy the most clean RAT from detections [...], with the prospect of one hand [...]

* Buy unusued startup methods in Windows 10 (fileless software, lives in the registry), up to $150k for the original solution [...]

* Buy 0day exploits in one hand under Windows 10 (LPE, RCE) budget up to $3m for RCE 0 Click [...]

What does it mean?

To decode the jargon above:

  • RAT is short for Remote Access Trojan.

    Also known as bots (short for software robots) or zombies, RATs open up unauthorised access holes that let crooks take remote control of your computer at will.

    Some RATs provide explicit remote accesscommands that turn on keylogging, take screenshots, record audio and video, or copy confidential files.

    But almost all RATs also include functions that automatically update the RAT itself, that automatically download and install additional, arbitrary malware, or that quickly shut down and remove evidence of the original RAT.

    The ability of a RAT to morph into a completely different malware infection on demand means that the risks posed by an undetected RAT are essentially open-ended.

  • Fileless software, lives in registry.

    Technically, software that “lives in the registry” isn’t truly fileless, because the registry itself is stored in a file on your hard disk.

    But most software that Windows launches automatically at startup is listed in the registry as filename that contains the program that should be executed, so if that program is malicious or unwanted, a regular scan of the hard disk will find the malicious file and can simply remove it.

    If the reference to the file gets left behind in the registry, no harm is done because the file no longer exists, and therefore cannot be executed in future.

    However, some registry entries can contain the actual script or program that Windows should run, encoded directly into the registry data.

    Threats stored in this way don’t occupy a file of their own on disk, so they are generally harder to find and remediate.

  • LPE is short for Local Privilege Escalation.

    • In Naked Security articles we generally refer to LPE by its synonym EoP, which is the term used by Microsoft in its security bulletins.

    Whether you say local privilege escalation or elevation of privilege, the idea is the same: crooks can’t break into your computer with an LPE vulnerability, but if they are in already, then can use an LPE exploit to promote themselves from a regular user account, such as your own, to one that can do much wider and deeper harm to your network.

    Account privileges that attackers typically go after include the local SYSTEM account or even Domain Administrator, which puts the attackers on an equal footing with your own sysadmins.

  • RCE is short for Remote Code Execution.

    The name RCE means exactly what it says, namely that attackers can get into your computer, and run a program of their own choosing, without needing a username or password to login in the first place.

    Some vulnerabilities, such as the notorious PrintNightmare bug in the Windows Print Spooler that was revealed in late June 2021, combined RCE with LCE/EoP, which makes them even more useful to cybercriminals because it means they can “get in and go up” in one attacking move.

  • 0-Day or zero-day exploits are ones with no patch available.

    The term zero-day was borrowed from computer game piracy, where the phrase “a zero-day crack” referred to a copy-protection hack that was found so quickly that it came out on the same day as the game itself, thus giving the software vendor zero days to be ahead in the anti-piracy race.

    Where software vulnerabilities are concerned, a zero-day exploit generally refers to any vulnerability that cybercriminals know how to abuse in advance of the Good Guys having an official update against it, so that there were literally zero days that even a well-informed system administrator could have patched in advance.

  • 0-Click attacks work without any user action required.

    Even so-called 1-click or multi-click attacks can be truly dangerous, if those clicks don’t produce any obvious “Are you sure?” warnings that might indicate that an attack was underway.

    For example, a 1-click attack that only required you to open or to preview an email, without further clicking on or opening any attachments in it, would be harmful because merely reading email is considered uncontroversial and is supposed to be safe.

    But a 0-click attack typically works not only without any user action required, but also if the computer is locked, or even if no one is logged in at all, as is often the case on servers.

For what it’s worth, we’re guessing that the original poster used some sort of clumsy machine translation to come up with the full English phrases above.

We’re not quite sure what “the prospects of one hand” or “to buy in one hand” really mean, but we’re assuming they are figures of speech from the author’s native language that mean “sold to me exclusively for my sole use“.

With close to a million dollars committed to the kitty already, the advertiser clearly isn’t short of ready money.

What to do?

We’re not going to say, “Never, ever, pay the ransom,” because for all we know it might be your only chance, no matter how hurtful it might feel, to avoid a business disaster that could put your company and your employees at or even over the edge of economic collapse.

But if you’ve ever wondered where that blackmail money goes, and whether it’s innocent enough to pay the “ransomware fee” just to save the time and effort of activating your backup-and-recovery procedures…

…well, now you know.

PS. Even if you do pay up, decrypting your data may not work out anywhere near as well as you hoped. Ask Colonial Pipeline how that process went… or check out our article “Ransomware: don’t expect a full recovery, however much you pay” to find out the problems experienced by the vast majority of victims in our survey who reported back on their experiences after paying the crooks.

About the Author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too.

Follow him on Twitter: @duckblog

Read Similar Articles

2 Comments

I don’t get it. So Colonial Pipeline paid and got an inefficient decoder that ran slowly. It contained the keys needed for decryption, right? And it executed the decryption algorithm, right? So why didn’t experts like Sophos reverse-engineer the decryptor and extract the keys and algorithm and then rewrite it to run more efficiently?

Reply

The first answer to this question is, “We weren’t asked to.” We weren’t given any decryption keys and we weren’t asked to try to improve on work the crooks were already supposed to have coded to a “suitable standard.” (You can’t do what you can’t do, even if you want to!)

The second answer is, “How would that have helped?” Colonial Pipeline had the backups it needed to recover by itself, but apparently decided to pay up in the hope of cutting a few corners in terms of time. It didn’t work, so the decryptor had already cost them the time they thought they’d save. It’s unlikely they would ever have caught back up by getting *another* decryptor hacked together in a tearing hurry, no matter how talented the new coding team might be. That would be like paying for a faster runner to take your place in a race that you had already lost.

The third answer is that, for all we know, accelerating the decryption part to an acceptable speed might very well have been impossible. (Let’s assume that the problem was not in the performance of the code in the decryptor that enumerates directories and files and performs the disk access. Let’s assume, as you just did, that the speedup would be needed *in the cryptographic implementation itself*.)

Well, a lot of the time these days, ransomware crooks use C# and the Microsoft .NET runtime to access the built-in Windows crypto libraries. Your hand-tuned, 100% pure assembler, hacked-to-pieces-at-the-cost-of-reliablity implementation of, say, AES-256-GCM might be 1.25x faster in the best case, but even that’s unlikely. Chances are that there isn’t much, or even any, room for speedup in the underlying cryptographic code itself. The “slowness” might be that the crooks chose a way of performing the encryption that was unavoidable inefficient.

(Sometimes, as you know, cryptographic processes are deliberately designed so that they can’t easily be accelerated. Indeed, most cryptocurrency mining works that way. So does the process of salting-hashing-and-stretching when storing passwords in a database. Those processess are *meant* to consume large chunks of time.)

For example, I once examined a ransomware sample that encrypted surprisingly slowly, but given that it ran in the background you probably wouldn’t notice. That’s because it chose a time-consuming encryption algorithm to do the work – it encrypted the raw data *directly* with an RSA key instead of encrypting the data with a random AES key and then encrypting the AES key using RSA. The code surprised me, but the crooks seems to have done it that way because it made the code easier to write. But RSA is much slower than AES, which is why it’s rarely used for bulk encryption. That’s an example of a slow decryptor that you couldn’t have “sped up” by hacking on the code, only by transplanting the encrypted disk into a faster computer.

HtH.

Reply

Leave a Reply

Your email address will not be published. Required fields are marked *

Subscribe to get the latest updates in your inbox.
Which categories are you interested in?
You’re now subscribed!