Ransomware: business model for cyber crooks

We tend to think of criminals as hardened men in masks climbing through windows to burgle homes and offices. In the world of cyber criminals, they are more likely to be young hackers keeping to their own bedrooms, testing the limits of their computer skills.

These stereotypes are seldom associated with a more sophisticated skill: business expertise. Yet, that is exactly what is setting apart the new breed of digital delinquent.

And there is one field of cyber crime in which the business model is at the very heart of the heist. It’s called ransomware.

Global IT security company Kaspersky Lab defines it as “a type of malware that severely restricts access to a computer, device or file until a ransom is paid by the user”. It can be installed through deceptive links in an email message, instant message or website, and can encrypt important files with a password.

That’s just the start, however. Lurking behind the scam – which has caught many South African consumers and businesses with their security pants down – is a sophistication which belies the age of some of the perpetrators.

“People in ransomware are thinking like business people,” said Ton Maas, digital coordinator of the Dutch National Police, in an interview at Kaspersky Lab’s annual Cyber Security Weekend in Malta. Last year he personally arrested two young ransomware creators, brothers who were conducting the business in the home of their oblivious parents.

“In this case, they were both the coders and the distributors,” said Maas. “Usually, you start with the coder, who offers code to distributors, who then target end-users. You even get code specifically written for the distributor, on request.

“The distributors buy the codes and earn their own money, but sometimes have to pay a percentage back to the coder. It is also possible to have a service contract, paying a fixed amount a month, so if you have problems and want to change something in the code, the coder will do it for you. You can call this ransomware-as-a-service.”

Kasperksy Lab’s 2016 Corporate IT security Risks Survey, presented at the Malta event, revealed that 20 per cent of businesses across the world experienced a ransomware attack in the last 12 months. South Africa is not immune, with 19 per cent of businesses here coming under attack. In the past year, ransomware has migrated from PC to mobile, with Kaspersky detecting more than 80 000 malicious installation packages.

The Lab helped the Dutch police track down the hackers responsible for a ransomware program called CoinVault, which added a new element to the business model: if victims did not pay immedately, the ransom “fee” steadily increased. Victims had to pay in Bitcoins, the cyber currency favoured by hipsters and hackers alike.

Once the criminals were bust, the Dutch provided Kaspersky with the encryption keys used by the coders, as well as the IDs for their bitcoin wallets. This allowed them to release a decryption package called Anti-Ransomware Tool for Business. It also prompted the creation of the No More Ransom project, which began as a collaboration between Kaspersky Lab, Europol, the Dutch National Police and Intel Security. Its online portal aimes to educate the public about ransomware and helps victims recover their data without having to pay up.

Its membership now includes national law enforcement agencies from 14 countries. However, no interest has been shown from South Africa.

• This column first appeared in Business Times in the Sunday Times on 30 October 2016.