Sherrod DeGrippo himself chased cyber criminals online, and today Proofpoint heads a team that is responsible for analyzing digital threats. The listed IT security company secures company email systems so that phishing emails don’t even appear in employees’ inboxes. DeGrippo’s specialties are “Emotet”, the malware that was declared “the most dangerous in the world” in 2019, as well as gangs that use so-called ransomware to force-encrypt computers and then blackmail their owners. Ransomware is also repeatedly distributed via Emotet, most recently the Bundestag transport service was affected. Emotet is an example of the professionalization of the industry: Different specialized groups work together – one builds the tools, another opens the safe, another clears it out. This makes the job more difficult for authorities and cyber defenders like DeGrippo.
SZ: Ms. DeGrippo, in the IT security sector you keep hearing terms like “Malware-as-a-Service” or “Ransomware-as-a-Service”. What about the new division of labor in ransomware?
I believe that this increasing division of labor in cybercrime has taken place in parallel with developments in normal companies. Everything moves to the cloud. The reason for this is the flexibility it offers. You only pay for the computing power for the services you need. In addition, every device has access to important data via the cloud.
And criminal hackers are doing the same thing now?
Cyber criminals are clever. They are looking for the most efficient ways to do their business. The ability to rent botnets has been around for many years. The first known cybercrime service for this was Distributed Denial of Service (DDoS): You buy control of a few thousand devices, which then simultaneously flood a website with data traffic and bring it to its knees. In the beginning, private websites or political opponents were often attacked; this hacker activism was based on DDoS attacks. Professional cyber criminals are now taking this model to the next level. There is a complete ecosystem of services in which the ingredients for crime can be rented individually: malware program code, infrastructure or even entire service packages. Then you just give the providers an e-mail list and say: ‘Send this malware to these addresses at these times of the day’.
How do you follow such developments? Are you doing covert research in the gangs?
We see trends mainly based on the amount of malware that is sent and stopped by us. But recently, authorities like the FBI, CIA or the Canadian Mounties have repeatedly published documents about investigations against cyber criminals, which show pretty precisely how they work. It is noticeable that they are usually extremely organized. You use the same software as I do in my legal job: Wikipages for knowledge management, Jira [eine Anwendung für Projektmanagement, Anm. d. Red.] for the development of malware. Moving to the cloud makes it easy to share these services with other gangs.
Does that mean anyone could rent ransomware and start a small business?
I don’t think there are any young guys doing ransomware out of their bedrooms these days. It happened a few years ago. It often happened that a gang showed up, blackmailed a few people, and then disappeared again. They were college kids who wanted to buy a car or pay back their tuition fees. You can only get access to the current major malware services via the Internet, such as closed forums, often on the darknet. And of course the criminal operators check whether they can trust newcomers. That scares off private individuals.
So gangs rent malware from other gangs.
Exactly. The malware operators call the other gangs “customers” or “partners”. We can follow that pretty well. When sending phishing e-mails with malware, the malware operators send an identification number, the customer ID, so to speak. From this we can see that they are not sending this for themselves, but for one of these customers. It’s almost like renting out their apartment through AirBnB. We track these IDs and then see, for example, that ID “XY” always attacks online retailers or ID “XYZ” always sends a particularly large number of emails.
It sounds as if cybercriminal gangs are now more like traditional companies than analog organized crime.
I think the groups see themselves more as entrepreneurs than criminals. In the former Soviet states, where the majority of the groups come from, there is a more or less explicit agreement with the authorities: If you attack targets outside the region, we turn a blind eye. If you write banking Trojans and send them to Europe or the USA, we don’t care. This leads to these jobs being seen as legitimate. “And what are you up to?” – “I’m a software designer, I write banking Trojans that we send to the West”, that’s probably a halfway normal conversation there. It is not perceived as really criminal. Probably someone like that works nine-to-five in an office, at least before the pandemic, earns money, his mother is proud of him.
Some time ago there was a dialog between blackmailers and the Read along to the chief financial officer of a blackmailed company. Above all, it was fascinating how polite it was. In the end, the blackmailers gave tips on how the company should secure its network in the future.
The attackers have learned a lot in recent years. You are offering a service. Most importantly, if the victims pay, they must get their data back. If that doesn’t work reliably, the gangs don’t make any money because nobody pays anymore. They have to be professional, explain to their victims how to get Bitcoin in order to pay the ransom. And as an extra service, they’ll tell you at the end what you can do better. It is now common for the gangs to run a chat window that victims can turn to with service requests.
Customer service as with health insurance. “Please give me your insurance number”?
Yes. In the ransom letters there is an ID with which the blackmailers can see exactly on their dashboard which company is involved and how much money is involved. It’s a little crazy, but that also makes it fascinating. Some gangs are starting to lovingly design their websites and logos. “Nemty” works with characters from the comic series Rick & Morty, “Avaddon” has a wizard’s hat in its logo and on the start page Hagrid and Dumbledore tell you how to get your data back.
Company design for extortion gangs. That sounds absurd.
The development of ransomware in recent years is exciting on many levels. A few years ago, for example, the makers of the “Locky” software were still sending millions of e-mails every day, today everything is much more targeted. Once the gangs hack a company, they first try to find out if ransomware is a good idea at all. They check whether they are blackmailing individuals with stolen information or rather distributing a banking Trojan. Only when they have access to the entire system at some point does ransomware become an interesting method again. IT departments simply swap individual infected computers today, but if the blackmailers manage it, paralyzing the whole company, then the bill will look different.
What are the most dangerous ransomware gangs right now?
I can see live what is being sent. Today is Monday, it’s a quiet day, Tuesday, Wednesday, Thursday is a lot, Friday is less.
Are there normal working weeks with the blackmailers?
Yes, as a cybercriminal you send your e-mails when people are at your computer. When it is a public holiday in the US, the attackers do not send anything and the summer is less busy. For us as a company this is useful because it means that we can celebrate Christmas like normal people. “Buran” and “Exorcist” are campaigns that are currently sending a lot. And there is this new provider called “Decr1pt” with a ransom note in Russian, I’m pretty sure it won’t be around for long. I can see where the e-mails are being sent, the destinations are all in Moscow and St. Petersburg. I think the Russians will get hold of these operators quickly.
This rarely happens in the West. The BSI has been warning against malware such as Emotet for years and there are no successes in investigations. What can authorities do?
What if the authorities don’t go to Russia to arrest people? Little. Arrests usually do not reduce the amount of malware sent. If two or three gangs are lost, five new ones appear.
Don’t you believe in the authorities?
The police are powerless against ransomware. It is not equipped for that, and it is just too much. The police should take better care of young victims of online sexual abuse. Go save the children, we’ll take care of the banking Trojans.