On the Tuesday before Christmas, employees of the Funke media group saw an unusual picture on their computer screens. In white letters on a blue background, it said in English: “Your network has been hacked”. An internet address followed for further information. There they found a digital ransom note. The Funke group was the victim of a ransomware gang.
Ransomware attackers (from the English word “ransom”) break into networks, steal data, then encrypt everything they can find with software for which only they hold the key. For the decryption they demand a ransom, mostly in the digital currency Bitcoin. They also publish stolen data to create additional pressure.
Many German companies fared like Funke in 2020. In a recent survey by the IT security company Crowdstrike, 50 percent of the companies surveyed around the world said they had experienced a ransomware attack; in Germany the rate was even around 60 percent. Ransomware attacks have become an economic normality in this country. The industry association Bitkom put the overall economic damage caused by cybercrime at more than 100 billion euros in 2019. A good part of that is likely to be ransomware. Yet not all German companies are prepared for it; quite the opposite. Experts suspect that Germany is a focus of blackmailers for two main reasons: many companies are in good financial shape, and at the same time their cybersecurity is often below average. A fatal combination.
One gang of cyber criminals in particular preyed on German medium-sized businesses last year: the Clop group. It successfully attacked at least eight companies, but the number of unreported cases is likely to be considerably higher.
Two inventions of the Internet age are primarily responsible for the triumphant advance of ransomware. One is anonymous communication via encrypted channels, for example on the darknet. This makes it easy for blackmailers to contact their victims without running the risk of being discovered. The second and even more important invention is digital currencies such as Bitcoin. Only with the help of currencies whose flows of money are not tracked by banks did digital blackmail begin to pay off financially.
When blackmailers were caught in the past, it was often at the moment the money changed hands. Digital transfers, on the other hand, are virtually risk-free for blackmailers. The extorted money goes to a Bitcoin address that is not tied to any verified identity. Investigators can watch where the Bitcoin ends up, because every transaction is recorded on the public blockchain. But only when the coins are at some point exchanged for conventional currency do the police have a chance to expose the blackmailers. Privacy-focused cryptocurrencies such as Monero, which conceal sender, recipient and amount, are even harder to track.
The blackmailers: Clop or Fin11
It is no longer so easy to keep track of the numerous gangs that make their money with ransomware. Their names are cryptic: Avaddon, Maze, Doppelpaymer, Ragnar Locker and Nemty are some of the most internationally active gangs at the moment. In Germany, another group seems to be ahead. The blackmailers have named their ransomware “Clop”, which is why experts call them the Clop group. The US cybersecurity firm FireEye calls it Fin11.
In the course of the past year alone, Fin11 attacked a string of German medium-sized companies, in many cases successfully. Companies do not like to talk about cyber attacks, especially not about successful ones. The claim that the Clop group has temporarily paralyzed many German companies comes from the blackmailers themselves. Since around the second half of 2019 there has been a new trend among the gangs: many of them now operate a rudimentary web presence on the darknet, the anonymous part of the Internet. If you know where to look, you will find regular messages from the groups there, and the attackers also publish data stolen from companies that refuse to pay.
Jeremy Kennelly leads FireEye’s technical analysis team for financially motivated hacker groups. Few ransomware blackmailers get their own label at FireEye. The naming rule is simple: “Fin” for “financial” and a sequential number. Until last fall, there were only ten such actors. The Clop gang is now Fin11. The group is a special case for Kennelly for several reasons. For one, it has been active in several fields for many years; the lucrative ransomware business is a comparatively new line of business for Fin11.
The second distinguishing feature is the sheer volume of attacks the Clop group runs. The volume of phishing emails it sends, i.e. emails with malware hidden in an attachment, is significantly higher for Fin11 than for most other groups. This is also because Fin11 does not exploit software vulnerabilities at all. Clop’s vulnerability is human. When employees open the documents attached to the phishing emails, a single click is enough and the group is in the system. IT expert Kennelly takes a pragmatic view of the matter: “Technical security gaps are expensive and have a limited shelf life, and phishing emails are enough.”
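What a mail gateway can do about the attachment-borne phishing described above, shown as an added example that is not code from the article, from FireEye or from any company named in it: it opens an inbound message, pulls out the attachments and flags the types that run code as soon as someone clicks. The policy of which types count as risky, the file names and the sample message are assumptions constructed for illustration; the macro check relies only on the fact that OOXML documents are zip containers whose VBA project is stored as vbaProject.bin.

```python
"""Inbound attachment triage.  Added example; the risk policy below is
an assumption for illustration, not a published vendor rule set."""
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Assumed policy: extensions that execute on double-click, plus the
# Office formats that can carry macros.
EXEC_EXT = {"exe", "scr", "js", "jse", "vbs", "vbe", "wsf", "hta",
            "bat", "cmd", "ps1", "lnk", "iso", "img"}
OOXML_EXT = {"docx", "docm", "dotm", "xlsx", "xlsm", "xltm", "pptx", "pptm"}
LEGACY_OFFICE_EXT = {"doc", "xls", "ppt", "rtf"}
DISGUISE_EXT = {"pdf", "doc", "docx", "xls", "jpg", "txt"}


def ooxml_has_macros(data: bytes) -> bool:
    """OOXML files are zip containers; a VBA project lives at */vbaProject.bin."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
    except zipfile.BadZipFile:
        return False


def classify_attachment(filename: str, data: bytes) -> list[str]:
    """Return the reasons an attachment is considered risky (empty list = none)."""
    reasons = []
    parts = filename.lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    if ext in EXEC_EXT:
        reasons.append(f"executable type .{ext}")
    if len(parts) > 2 and parts[-2] in DISGUISE_EXT and ext in EXEC_EXT:
        reasons.append("double extension disguises an executable")
    if ext in OOXML_EXT and ooxml_has_macros(data):
        reasons.append("Office document carries a VBA macro project")
    if ext in LEGACY_OFFICE_EXT:
        reasons.append("legacy Office binary format; macros cannot be ruled out by name")
    if ext == "zip":  # look inside archives, the usual wrapper for the above
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for inner in zf.namelist():
                    for r in classify_attachment(inner, zf.read(inner)):
                        reasons.append(f"archive member {inner}: {r}")
        except zipfile.BadZipFile:
            reasons.append("archive cannot be opened")
    return reasons


def triage_message(raw: bytes) -> dict[str, list[str]]:
    """Parse a raw RFC 5322 message and classify every attachment by file name."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        data = part.get_payload(decode=True) or b""
        findings[name] = classify_attachment(name, data)
    return findings


# --- constructed sample input, not a real phishing message ---
def make_ooxml(with_macro: bool) -> bytes:
    """Build a minimal zip that mimics the OOXML layout (hypothetical content)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00fake vba blob")
    return buf.getvalue()


def build_sample_message() -> bytes:
    """Constructed invoice-themed mail with one macro document, one clean
    document and one disguised executable (all file names hypothetical)."""
    msg = EmailMessage()
    msg["From"] = "invoices@example.invalid"
    msg["To"] = "buchhaltung@example.invalid"
    msg["Subject"] = "Rechnung 2020-12"
    msg.set_content("Sehr geehrte Damen und Herren, anbei die Rechnung.")
    msg.add_attachment(make_ooxml(True), maintype="application",
                       subtype="vnd.ms-word.document.macroEnabled.12",
                       filename="Rechnung.docm")
    msg.add_attachment(make_ooxml(False), maintype="application",
                       subtype="vnd.openxmlformats-officedocument.wordprocessingml.document",
                       filename="AGB.docx")
    msg.add_attachment(b"MZ\x90\x00", maintype="application",
                       subtype="octet-stream", filename="Rechnung.pdf.exe")
    return bytes(msg)


if __name__ == "__main__":
    for name, reasons in triage_message(build_sample_message()).items():
        print(name, "->", reasons or "no findings")
```

The check deliberately keys on the container format rather than the declared MIME type or the extension alone, because the sender controls both; a macro-enabled document renamed to .docx is still caught by the vbaProject.bin lookup. A gateway would quarantine anything with a non-empty findings list rather than relying on the recipient not to click.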
According to FireEye, the heads behind Clop are somewhere in the former Soviet republics, out of reach of German investigators. They can nevertheless be reached via anonymous e-mail. How much of what the blackmailers tell the SZ is true can hardly be verified. The manner of communication, however, is revealing. It is like talking to a company’s press department: polite and aloof. Nothing personal, just “business”. That is the image they want to convey, and that too is part of the business model: companies will only trust that paying a ransom gets their data back if the criminals come across as reliable.
One of the German companies attacked by the Clop group in 2020 is the mechanical engineering company Netzsch, headquartered in Selb in Upper Franconia. Netzsch is typical of Fin11’s victims: 3,700 employees worldwide, a turnover of around 500 million euros, a company that is doing well. That Netzsch was willing to talk is probably due to the mild course of the extortion. Company spokesman Yann Jeschke admits: the company was lucky. The attack was noticed when the attackers began to encrypt data. The company reacted quickly, paused its largely virtualized systems and pulled the plug on its Internet connection. The attack took place on a Friday; the last backup had been made on Thursday, so only about 20 hours of data were missing. “Manageable,” says Jeschke. Still, the company spent more than two weeks restoring and securely rebuilding its systems, two weeks in which it could not be reached by e-mail and orders could not be processed.
In Netzsch’s case, too, the attackers published stolen data on the darknet to pressure the company. Such data can include company secrets, embarrassing e-mails or copies of employee ID cards. Jeschke says the company downloaded and reviewed the data itself. The Netzsch data was not worth paying a ransom for.
To pay or not to pay is the question every blackmailed company faces. There is no clear answer. In most cases, investigators and authorities advise companies against giving in to the blackmailers’ demands. But an experienced cyber investigator tells the SZ that he also knows the decision is ultimately a business one: if paying the ransom is cheaper than restoring the systems, companies will at least consider paying. Paying buys no guarantee, though: whether a working decryption key arrives is up to the criminals, and the copies of stolen data remain in their hands.
The chance of finding the criminals and prosecuting them is in most cases almost zero, even where investigators can trace an attack back. Many of the gang leaders are based in countries that have proven uncooperative with requests for legal assistance. Until that changes, the only thing companies can do is invest: in attentive employees, IT security and good backups.