The Art of ‘Ware’ - The role of propaganda and branding in the ransomware 'industry'

Published by:
John
Published on:
April 26, 2018

As of the time of writing, the three bitcoin wallets associated with the WannaCry ransomware have received a combined total of about 53.8 BTC – just shy of USD 500,000 at current conversion rates . This is despite the “kill switch” and other implementation flaws that impeded its early propagation. It also flies in the face of the numerous articles circulating in the security community that cast doubt on whether it is even possible for WannaCry victims to consistently get their files back.

Clearly, the fact that the propagators of WannaCry are still receiving payments in February of 2018 – despite the prevalence of media coverage, recovery tools and online guidance for victims – represents a partial vindication for malware authors. Nonetheless, WannaCry is a failure as far as most ransomware campaigns go. Although its rapid spread and subsequent endangerment of critical systems such as ATMs, subways and healthcare devices made for media headlines, it did not translate well into profit for the ransomware authors.

Being very high profile, riddled with implementation flaws and lacking much in the way of “customer” service, WannaCry provoked an immediate and well-coordinated response from the security community that severely impeded its growth. Although USD 500,000 is not an insignificant sum, it pales in comparison to the amounts made by other ransomware campaigns.

Information Warfare

Not every ransomware author makes the same mistakes as WannaCry. To the contrary, most are well aware of the key dynamic they must cultivate in order to thrive: trust. As bizarre as it may seem, trust is one of the most important parts of a ransomware campaign. Users must have faith that if they pay the ransom, they will receive their files and will no longer need to worry about losing their customer records, personal photos or tax returns. The worst possible outcome for a ransomware author is for the majority of their “clients” to write their infected systems off as permanently lost, thus treating ransomware no differently from a run-of-the-mill destructive wiper malware.

Even the author(s) of WannaCry were aware of this dynamic; this is almost certainly why there is an advertised option to decrypt some files for free (to prove that the files are not irretrievably lost), and why a “customer” support email is provided. These features are ubiquitous in the ransomware “industry” even in amateurish variants – though whether they actually work is another matter. More sophisticated operations go to much greater lengths to ensure that paying the ransom is the easiest option for their victims.

The poster boy for customer service in ransomware is Cerber. It announces infection via text-to-speech on the victim’s computer, and it documents every question a victim may have in a handy text file on their desktop. Most importantly, its customer support form purportedly has a same-day response period and – though they will not change the ransom – they will often extend the payment deadline if asked nicely.

Ransomware authors have good reason to be mindful of the reputation of their “brand”. Their credibility is under joint attack from both the security community and amateurs looking to break into the market. The former undermines the victims’ trust by emphasizing that there is no guarantee that payment will ensure your data is recovered, and by producing “unlocker” software where possible. The latter gives credence to the claims of the former by producing poorly designed ransomware, often without the ability to actually decrypt files when payment is received.

A cursory Google search is all you need to find a wide variety of articles discussing whether or not you should pay a ransom. Whether a security professional,  antivirus company or government agency is doing the talking, the message is unanimous: “DON’T PAY!” The respective motivation of both sides is obvious: cybercriminals want to maintain trust in their “industry”, and security professionals want to undermine it.

Follow the Money

Verizon’s annual Data Breach Investigations Report, published this month, shows ransomware maintaining its place as a key threat category. Ransomware is responsible for 39% of the malware-related data breaches included in the report, which is about twice its share from last year. Clearly, ransomware is still on the rise – but the situation isn’t necessarily as bleak as it first appears. While it’s obvious that cybercriminals would not maintain their campaigns if they were not profitable, this still doesn’t tell you much about whether they are successfully monetising their efforts.

In order to get a more in-depth look at the actual money being transferred into the addresses associated with various prevalent malware campaigns, you can sometimes turn to the data on public record at blockchain.info. This service can be used to track transactions of any kind into and out of a bitcoin wallet –

In order to get a more in-depth look at the actual money being transferred into the addresses associated with various prevalent malware campaigns, you can sometimes turn to the data on public record at blockchain.info. This service can be used to track transactions of any kind into and out of a bitcoin wallet – here is an example of one of the addresses used by CryptoLocker 4.0.It is possible to use the data from blockchain.info to compare the revenues over time of various ransomware variants – assuming you have access to the bitcoin addresses being used to store their funds. Taking WannaCry as an example, we find that the vast majority of their payments were received in May 2017, when it first released. As a result of widespread vulnerability to the ETERNALBLUE exploit, it garnered more than 50 BTC in this month alone. Although profits have declined sharply since then, a steady trickle of payments have been coming in since, as demonstrated by the graph below.

These results are what we might expect from a “failed” ransomware. After the initial spike in payments, the results for June barely clear 1 BTC. After this, monthly payments decline even further remaining below 0.3 BTC from there on out. The only exception is in September 2017, when it rises sharply above due to a lump payment of 1.1 BTC (about $4,140) made on the 17th. This is possibly the result of multiple machines belonging to one enterprise that were affected and paid off simultaneously.

Certain ransomware families have sought to limit this kind of analysis. Cerber, for instance, have long since made the transition to generating a per-victim wallet and associated bitcoin address. This is funnelled through a bitcoin mixing service, making individual payments hard to track. As a result, there is a limit to how much information you can gather through open-source means.

Nonetheless, even if hard numbers cannot be obtained, profits can be estimated – as was done by Google researchers in their study, “Tracking Ransomware End to End”. USD 500,000 could be a lot of money for a criminal organisation, but pales in comparison to Cerber’s and CryptXXX’s purported profits of USD7 million and USD2 million respectively. To continue to achieve profitability, the CryptXXX ransomware authors have released multiple versions (currently version 5), three of which were in response to the release of free decrypters by Kaspersky.

Conclusion

The technical and psychological arms race looks set to continue. Criminals will continue to advertise their capability to offer stable decryption services while security companies will release further messages urging victims to resist the urge to pay (exemplified below in an article released by Kaspersky Lab).“Even if there is currently no decryption tool available for the version of malware that encrypted your files, please don’t pay the ransom to criminals. Save the corrupt files and be patient — the probability of a decryption tool emerging in the near future is high. We consider the case of CryptXXX v.3 as proof of this advice. Multiple security specialists around the world are continuously working hard to be able to help victims of ransomware. Sooner or later the solution to the vast majority of ransomware will be found.

Even as they increase in technical sophistication, it is likely that ransomware authors will continue to focus on the human factors which contribute to the success or failure of their extortion rackets. Marketing and branding strategies are applied not just to victims, but in advertising their wares to other criminals; the advent of Ransomware-as-a-Service has created a new niche, making it possible to launch a ransomware campaign with very little technical expertise. Meanwhile, projects like No More Ransom are doing their best to dissuade victims from paying up, collecting decrypters and other resources in one place to raise awareness of the options available to the unfortunate souls that find their data encrypted.

Has ransomware gone too far?

The outcome of this arms race is unclear, but it is highly likely that criminals will see ransomware as a profitable development path for the foreseeable future.