How Cryptocurrency Drives Cyber Threats: Dark Web Panel Discussion
In a recent panel discussion hosted by Chris Pace, Recorded Future’s technology advocate, two members of the Insikt Group (that’s Swedish for “insight” — but say the “k”) and an industry expert held a wide-ranging discussion on the state of the cybersecurity landscape today. The topics included the dark web, the rising trend of ransomware as a service, the causes and effects of cryptocurrency’s use as a medium of exchange among threat actors, and the impacts of the internet of things.
Representing the Insikt Group, Recorded Future’s veteran team of threat researchers, was Allan Liska, a senior security architect with over 15 years of industry experience at organizations like Symantec, iSight, and FireEye; and Andrei Barysevich, who currently specializes in the threat analysis of cybercriminal communities and oversees proactive intelligence operations, and who previously worked as an e-commerce fraud researcher and private consultant for the FBI’s Cyber Crime Unit. Also present was Juan Andrés Guerrero-Saade, an industry expert who previously worked for the Global Research and Analysis (GReAT) team at Kaspersky Lab.
Defining the Dark Web
The discussion began with a focus on the dark web, a topic that remains somewhat ill defined and mysterious to many, perhaps by its very nature (the Recorded Future blog has looked more closely at it before). When asked to define the dark web, Andrei Barysevich gave a simple answer: any digital space where threat actors congregate to trade illegal information, goods, or services. Although many of these communities are now only accessible through Tor browsers, Barysevich made clear that some have existed for at least 20 years, well before Tor was introduced. Considered as another way of describing the digital criminal underground, the dark web has existed just about as long as the web has.
Trends on the dark web change quickly, however, and one of the hottest trends lately has been the sale of ransomware — malicious software that seeks to hold a computer system hostage until a fee is paid. Particularly in the last year or so, the sale of ransomware as a service has grown to represent an outsize share of the commodities offered in dark web spaces. Allan Liska explained that threat actors will build the software, maintain its infrastructure, and then make money by selling it as a service, meaning that for a price, they will deliver the ransomware on behalf of the customer, in many cases taking a cut of whatever profits are made. For the right price, Liska says, sellers will give you the complete package, even providing email lists of victims and making the software executable for buyers.
The Rise of Ransomware as a Service
The panelists attribute the recent focus on ransomware as a service to two factors: tougher security, and the rise of cryptocurrencies.
First, writing good ransomware has become more difficult. Many prospective targets have better cybersecurity and are generally less gullible, making successful ransomware attacks fewer and further between. The bar has been raised on how effective an attack has to be in order to be successful. Because that means fewer threat actors are able to offer good ransomware, it makes more sense for those who can to mitigate financial risk by selling their craft rather than keeping it for themselves.
That’s led to business models that increasingly resemble aboveboard business practices. In the most exclusive cases, says Barysevich, sellers will offer ongoing support and even customer service to build their reputation and open up the market to potential threat actors who have the financial resources but lack the technical know-how. Customer service can even extend to the victims — it can go a long way toward compelling a victim to actually pay up the ransom when the attacker is willing to answer questions like, “How can you guarantee my system will be decrypted once I pay you?” Or even, “How do I pay you?”
The question of payment points to the second reason ransomware has exploded in popularity, according to Juan Andrés Guerrero-Saade. Ransomware has existed for decades, but in its early iterations, it was often as primitive and unreliable as demands like, “Mail us money to this address in Panama,” says Guerrero-Saade. Further, whatever money that was made had to be laundered, requiring the involvement of more traditional channels of organized crime, and ultimately had to end up in banks and other reputable financial institutions. That meant more people involved, lower profits, and greater risk.
Crime and Cryptos
All that changed with cryptocurrency, which comes with numerous benefits for criminals — some a result of market forces, others baked into the technology. According to Guerrero-Saade, cryptocurrency like Bitcoin “has enabled … malware developers [to go] directly towards the victim without ever touching one of these high-powered, really high-security investment institutions.” No more middle-man, fewer people to pay, fewer loose ends. “The process is very binary,” says Barysevich. “You infect the victim, and then you either get the payment or you don’t.”
Benefits like these are rooted in the technology of cryptocurrency, which by its nature is secure, doesn’t require the backing of a financial institution like a bank, and doesn’t need laundering. But the main reason that cryptocurrency has driven the rise of ransomware, Barysevich says, is because users have centralized around Bitcoin in particular.
This might have come as a surprise to many working in the threat intelligence industry just a few years ago. Three years ago, the general consensus among criminals seemed to be that Bitcoin was volatile and its price would inevitably collapse. Using it was hard, too. But in 2015, the vast majority of criminals using digital currencies switched from ones like E-gold, WebMoney, or Liberty Reserve to Bitcoin. No more exchange rates or conversions — just one secure way to get paid. “It’s a unified cryptocurrency which enables a lot of different operations in the dark web,” says Barysevich.
Mining for Digital Gold
Lately, however, Bitcoin has grown unwieldy. Its blockchain technology means that each successive exchange adds to the ledger, slowing down transfer speeds, and its exploding popularity coupled with limited availability has made it too expensive to use for many day-to-day purchases.
Following the chatter among cybercriminals at the ground level, many in the security industry speculated that a more secure cryptocurrency like Monero would soon surpass Bitcoin in popularity. Instead, it’s been Litecoin, which is faster and cheaper than Bitcoin, but otherwise mostly uses the same technology and is no safer to use.
Barysevich says the reason for this is that big sellers ultimately have the most power in dictating which currency will see the most use, and Litecoin already had an established infrastructure worldwide — just about all the places that bought or sold Bitcoin also traded in Litecoin, something that’s not the case for most other cryptocurrencies.
So cryptocurrencies, in one form or another, seem to be here to stay. But their peculiarities — like why they’re secure and how they’re generated — not only facilitate cybercrimes, but create incentive to commit them in the form of cryptomining.
Guerrero-Saade gave some background on how cryptocurrencies are generated to explain how this incentivizes illicit activity:
The limitations around fiat currency were that you have materials being used to print something that is in short supply, so possessing that physically was equivalent to the proof of work of saying, ‘I won this currency, I have this piece of paper.’ The equivalent for cryptocurrency is to say that a certain amount of cryptographic operations have been undertaken by a person that yields this piece of currency that you happen to possess or have access to.
In short, cryptocurrency is generated by computers performing calculations and generating secure hashes that are noted on a single digital ledger representing a chain of these operations — that’s the basic concept of a blockchain. This unbreakable chain of information both creates value and provides a record of transaction. Because computers are performing these operations, there is a real-world cost associated with “minting” new bitcoins, in terms of computing power. As these operations become increasingly complex, the limiting factor in profits becomes the cost of electricity required to power computers fast enough to perform these operations in a reasonable span of time.
For many cryptominers, these costs have quickly become prohibitively expensive. But for cybercriminals, this cost has simply become a new opportunity — take over other people’s systems and use them to generate cryptocurrency, and you’re mining on somebody else’s dime. “It’s essentially free money,” Guerrero-Saade says. “You’ve built a printing press using somebody else’s resources.”
Nevertheless, the panelists found that most customers weren’t terribly concerned about cryptocurrency miners hijacking their networks — the electric bills just haven’t been high enough yet, maybe. According to Barysevich, the real profits are still to be made with ransomware, especially as the prices of cryptocurrencies have deflated after last year’s spike, and he predicts that ransomware will come back soon as the dominant threat.
Whether it’s using hijacked machines to mine cryptocurrency or getting into a network through compromised machines and planting malware, each panelist agreed that the sprawling hinterlands of the so-called internet of things represents a significant and growing threat to security.
The internet of things (IoT) encompasses all of the new “smart” devices that are being released with web access, from WiFi-enabled home thermostats and kitchen appliances, to tablets installed in cars and voice-controlled home speakers. The problem is, “there is no such thing as IoT, really,” says Guerrero-Saade. “That envisions a uniform problem, and the lack of uniformity is exactly the issue.” Products run on stripped-down versions of Linux or bespoke operating systems that have no endpoint protection or are “mis-configured by default,” he says. “Basically, it’s like going back to the ‘90s.”
The growing number of unsecured devices that every business and individual now owns “serves as a foothold for all kinds of interesting attacks,” he goes on to say, from simpler ones like more effective botnets and distributed denial-of-service (DDoS) attacks, up to much more serious advanced persistent threat (APT) attacks.
And threat actors are capitalizing on these possibilities. According to Barysevich, Recorded Future has found “at least 50 different vendors who sell plug-and-play access to DDoS capabilities.” When these attacks are targeted and not just random, they can be quite profitable.
When it comes to what can be done to confront these issues, “there’s no distinction between what you need to patch inside your network and outside your network,” Liska says. “It can all lead to your organization being compromised.”
Guerrero-Saade advises each organization to take inventory. “If the question is, how do we leverage threat intelligence to better protect ourselves, there’s nothing … that makes up for how well you know what it is you’re meant to be protecting.” Many organizations may have perfectly patched desktops running Windows, but then have an office filled with personal smartphones and unsecured devices running on the same network, opening the door to potential threats.
That issue is tied to a decline in the use of antivirus software, or in the case of many mobile devices, a complete lack of options. As we continue to hurtle toward an “always-connected” future where the internet of things pervades every space and circumvents the walled gardens of networks running comprehensive antivirus solutions, Guerrero-Saade says that “things are going to become deadlier.”
If you’re interested in seeing the full dark web panel discussion, download the free webinar recording.