Ransomware hackers have built their own VC ecosystem


Over the past few years, ransomware operations have grown increasingly sophisticated as they rock daily internet users, giant corporations and government agencies for ransoms that can sometimes run into the millions of dollars. Now, according to the cybersecurity firm LIFARS, the ransomware underworld is essentially developing its own venture capital ecosystem, with ransomware attackers pooling their funds to support further criminal operations in return for reduced future income.

“Outside of ransomware, I don’t think this has ever happened, that you had a VC ecosystem in a criminal cyberscape,” said LIFARS co-founder and CEO Ondrej Krehel. “It’s really unique.”

Much like in Silicon Valley, investor appeals are often accompanied by descriptions of the founders and their past accomplishments, in this case notable past hacks, Krehel says. Calls to invest that LIFARS is aware of take place through secure chat apps like Telegram, where certain groups are only accessible to people who can demonstrate they are already involved in digital crime, usually by sending a token amount of cryptocurrency traceable to a ransomware incident or something similar to a designated address.

Ransomware attacks typically encrypt files on a victim’s computers, promising to provide a decryption key in return for a ransom usually paid in cryptocurrency. Some also threaten to disclose sensitive data to further encourage victims to pay.

In recent months, ransomware attacks have shut down operations at Colonial Pipeline, a fuel transportation company, causing panic-driven gas shortages on the East Coast. Another attack hit meat processing giant JBS, which reportedly paid $11 million in ransom. And many other institutions, from school districts to hospitals to a Massachusetts ferry service, have been disrupted by ransomware infections.

While ransomware operations can effectively self-finance on the basis of their own ill-gotten gains, the burgeoning investment ecosystem offers players in the data ransom industry a way to diffuse their risk, Krehel explains. (He declined to comment in too much detail on exactly what the company saw and how it gained access to the information to avoid compromising its methods.)

“You can put all your money in one basket or branch out,” he says.

New ransomware operations have start-up costs, depending on what exactly they’re trying to accomplish, Krehel explains. They may need skilled coders to create or modify the malware itself, and they need a server infrastructure to process payments and distribute passwords to allow payers to decrypt their files. They also need to have access to valuable targets, which they can organize themselves through phishing attacks or by probing networks for vulnerabilities, or by working with a class of cybercriminals called initial access brokers, which do this work and then sell access to the compromised systems.

Cybersecurity company Intel 471 recently noted that a Russian-language cybercrime forum hosted a technical papers competition showcasing new ways to hack cryptocurrency-related technology, including crypto wallet theft, with more than $100,000 in prizes offered. It follows on from previous contests with smaller prize pools sponsored by other underground forums and even some ransomware groups, in an ongoing cat-and-mouse game with well-funded cybercriminals on one side and cybersecurity vendors and researchers on the other.

“It’s very similar to the conferences that we on the defensive side try to organize,” says Brandon Hoffman, head of information security at Intel 471. “Everyone is trying to innovate, even criminals.”

In general, experts have said that cybercrime, especially ransomware, is becoming more and more prominent, with so-called ransomware-as-a-service operations offering their ransomware to others who have access to particular victims, in return for a cut of the proceeds. DarkSide, the allegedly defunct group believed to be behind the Colonial Pipeline hack, has been dubbed “ransomware-as-a-corporation” by the cybersecurity company Digital Shadows for its focused approach and the professional level of its communications, including press releases.

For Krehel, the danger is that the venture capital approach will lead to the same kind of rapid advances seen previously in other areas of software and digital technology, making it ever easier to run a ransomware operation, just as it previously became easier to run an online store or other digital business.

“It’s like what happened in Silicon Valley when all the investment money came in,” he says. “These businesses are going to be a lot smoother to operate.”
