{"id":280590,"date":"2021-06-21T16:36:32","date_gmt":"2021-06-21T13:36:32","guid":{"rendered":"https:\/\/en.buradabiliyorum.com\/how-dark-webs-of-cybercriminals-collaborate-to-pull-one-off\/"},"modified":"2021-06-21T16:36:32","modified_gmt":"2021-06-21T13:36:32","slug":"how-dark-webs-of-cybercriminals-collaborate-to-pull-one-off","status":"publish","type":"post","link":"https:\/\/buradabiliyorum.com\/en\/how-dark-webs-of-cybercriminals-collaborate-to-pull-one-off\/","title":{"rendered":"#How dark webs of cybercriminals collaborate to pull one off"},"content":{"rendered":"<p>&#8220;<strong>#How dark webs of cybercriminals collaborate to pull one off<\/strong>&#8221;<\/p>\n<div>\n<div class=\"article-gallery lightGallery\">\n<div data-thumb=\"https:\/\/scx1.b-cdn.net\/csz\/news\/tmb\/2021\/inside-a-ransomware-at.jpg\" data-src=\"https:\/\/scx2.b-cdn.net\/gfx\/news\/2021\/inside-a-ransomware-at.jpg\" data-sub-html=\"Victims of ransomware attacks are typically presented with a screen like this. Credit: &lt;a class=&quot;source&quot; href=&quot;https:\/\/i1.wp.com\/www.technollama.co.uk\/wp-content\/uploads\/2017\/05\/ransomware.jpg&quot;&gt;TechnoLlama&lt;\/a&gt;, &lt;a class=&quot;license&quot; href=&quot;http:\/\/creativecommons.org\/licenses\/by\/4.0\/&quot;&gt;CC BY&lt;\/a&gt;\">\n<figure class=\"article-img\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/scx1.b-cdn.net\/csz\/news\/800a\/2021\/inside-a-ransomware-at.jpg\" alt=\"Inside a ransomware attack: how dark webs of cybercriminals collaborate to pull one off\" title=\"Victims of ransomware attacks are typically presented with a screen like this. Credit: &lt;a class=&quot;source&quot; href=&quot;https:\/\/i1.wp.com\/www.technollama.co.uk\/wp-content\/uploads\/2017\/05\/ransomware.jpg&quot;&gt;TechnoLlama&lt;\/a&gt;, &lt;a class=&quot;license&quot; href=&quot;http:\/\/creativecommons.org\/licenses\/by\/4.0\/&quot;&gt;CC BY&lt;\/a&gt;\" width=\"800\" height=\"530\"\/><figcaption class=\"text-darken text-low-up text-truncate-js text-truncate mt-3\">\n                Victims of ransomware attacks are typically presented with a screen like this. Credit: <a rel=\"nofollow noopener\" target=\"_blank\" class=\"source\" href=\"https:\/\/i1.wp.com\/www.technollama.co.uk\/wp-content\/uploads\/2017\/05\/ransomware.jpg\">TechnoLlama<\/a>, <a rel=\"nofollow noopener\" target=\"_blank\" class=\"license\" href=\"http:\/\/creativecommons.org\/licenses\/by\/4.0\/\">CC BY<\/a><br \/>\n            <\/figcaption><\/figure>\n<\/div>\n<\/div>\n<p>In their Carbis Bay communique, the G7 <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/www.g7uk.org\/wp-content\/uploads\/2021\/06\/Carbis-Bay-G7-Summit-Communique-PDF-430KB-25-pages-5.pdf\">announced<\/a> their intention to work together to tackle ransomware groups. Days later, U.S. president Joe Biden met with Russian president Vladimir Putin, where an <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/www.ft.com\/content\/81c644d4-811f-4d9c-b4ac-bb0ee1038526\">extradition process<\/a> to bring Russian cybercriminals to justice in the U.S. was discussed. Putin reportedly agreed in principle, but insisted that extradition be <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/www.telegraph.co.uk\/news\/2021\/06\/14\/putin-says-open-prisoner-swap-russia-us\/\">reciprocal<\/a>. Time will tell if an extradition treaty can be reached. But if it is, who exactly should extradited\u2014and what for?<\/p>\n<p>                                                                                The problem for <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/doi.org\/10.1016\/j.cose.2019.101568\">law enforcement<\/a> is that ransomware\u2014a form of malware used to steal organizations&#8217; data and hold it to ransom\u2014is a very slippery fish. Not only is it a blended crime, including different offenses across different bodies of law, but it&#8217;s also a crime that straddles the remit of different policing agencies and, in many cases, <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/www.nytimes.com\/2021\/05\/29\/world\/europe\/ransomware-russia-darkside.html\">countries<\/a>. And there is no one key offender. Ransomware attacks involve a distributed network of different cybercriminals, often unknown to each other to reduce the risk of arrest.<\/p>\n<p>So it&#8217;s important to look at these attacks in detail to understand how the U.S. and the G7 might go about tackling the increasing number of ransomware attacks we&#8217;ve seen during the pandemic, with at least <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/www.itgovernance.co.uk\/blog\/list-of-data-breaches-and-cyber-attacks-in-may-2021-116-million-records-breached\">128 publicly disclosed incidents<\/a> taking place globally in May 2021. <\/p>\n<p>What we find when we connect the dots is a professional industry far removed from the organized crime playbook, which seemingly takes its inspiration straight from the pages of a <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/link.springer.com\/article\/10.1007%2Fs12117-020-09397-5\">business studies manual<\/a>.<\/p>\n<p>The ransomware industry is responsible for a huge amount of disruption in today&#8217;s world. Not only do these attacks have a crippling economic effect, costing <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/blog.emsisoft.com\/en\/38426\/the-cost-of-ransomware-in-2021-a-country-by-country-analysis\/\">billions of dollars<\/a> in damage, but the <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/www.itgovernance.co.uk\/blog\/list-of-data-breaches-and-cyber-attacks-in-may-2021-116-million-records-breached\">stolen data<\/a> acquired by attackers can continue to <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/papers.ssrn.com\/sol3\/papers.cfm?abstract_id=3429958\">cascade down<\/a> through the crime chain and fuel other cybercrimes. <\/p>\n<p>Ransomware attacks are also changing. The criminal industry&#8217;s business model has shifted towards providing ransomware <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/darkside-affiliates-claim-gangs-bitcoin-deposit-on-hacker-forum\/\">as a service<\/a>. This means operators provide the malicious software, manage the extortion and payment systems and manage the reputation of the &#8220;<a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/www.wired.com\/story\/ransomware-gone-corporate-darkside-where-will-it-end\/\">brand<\/a>&#8220;. But to reduce their exposure to the risk of arrest, they recruit affiliates on generous commissions to use their software to launch attacks.<br \/>\n                                            <!-- Google middle Adsense block --><\/p>\n<p>This has resulted in an extensive distribution of criminal labor, where the people who own the malware are not necessarily the same as those who plan or execute ransomware attacks. To complicate things further, both are assisted in committing their crimes by services offered by the wider cybercrime ecosystem.<\/p>\n<p><b>How do ransomware attacks work?<\/b><\/p>\n<p>There are <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/conference.cepol.europa.eu\/media\/cepol-online-conference-2021\/submissions\/DBR7WE\/resources\/Wall_Cybercrime_and_Covid_CEPO_Zx0nGyn.pdf\">several stages<\/a> to a ransomware attack, which I have teased out after analyzing over 4,000 attacks from between 2012 and 2021.<\/p>\n<p>First, there&#8217;s the reconnaissance, where criminals identify potential victims and access points to their networks. This is followed by a hacker gaining &#8220;initial access&#8221;, using log-in credentials bought on the dark web or obtained through deception.<\/p>\n<p>Once initial access is gained, attackers seek to escalate their access privileges, allowing them to search for key organizational data that will cause the victim the most pain when stolen and held to ransom. This is why <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/www.nytimes.com\/2020\/11\/26\/us\/hospital-cyber-attack.html?campaign_id=158&amp;emc=edit_ot_20210429&amp;instance_id=29942&amp;nl=on-tech-with-shira-ovide\u00aei_id=95633146&amp;segment_id=56818&amp;te=1&amp;user_id=b427913b60c799d875886038d08ae44e\">hospital medical records<\/a> and <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/www.databreaches.net\/threat-actors-claim-to-have-attacked-city-of-dade-city-florida\/?campaign_id=158&amp;emc=edit_ot_20210429&amp;instance_id=29942&amp;nl=on-tech-with-shira-ovide\u00aei_id=95633146&amp;segment_id=56818&amp;te=1&amp;user_id=b427913b60c799d875886038d08ae44e\">police records<\/a> are often the target of ransomware attacks. This key data is then extracted and saved by criminals\u2014all before any ransomware is installed and activated.<\/p>\n<p>Next comes the victim organization&#8217;s first sign that they&#8217;ve been attacked: the ransomware is deployed, locking organizations from their key data. The victim is quickly <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/www.databreachtoday.com\/maze-promotes-other-gangs-stolen-data-on-its-darknet-site-a-14386?highlight=true\">named and shamed<\/a> via the ransomware gang&#8217;s leak website, located on the dark web. That &#8220;press release&#8221; may also feature <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/therecord.media\/ransomware-gang-threatens-to-expose-police-informants-if-ransom-is-not-paid\/?campaign_id=158&amp;emc=edit_ot_20210429&amp;instance_id=29942&amp;nl=on-tech-with-shira-ovide\u00aei_id=95633146&amp;segment_id=56818&amp;te=1&amp;user_id=b427913b60c799d875886038d08ae44e\">threats to share<\/a> stolen sensitive data, with the aim of frightening the victim into paying the ransom demand.<\/p>\n<p>Successful ransomware attacks see the ransom paid in cryptocurrency, which is difficult to trace, and converted and laundered into fiat currency. Cybercriminals often invest the proceeds to enhance their capabilities\u2014and to pay affiliates\u2014so they don&#8217;t get caught.<\/p>\n<p><b>The cybercrime ecosystem<\/b><\/p>\n<p>While it&#8217;s feasible that a suitably skilled offender could perform each of the functions, it&#8217;s highly unlikely. To reduce the risk of being caught, offender groups tend to develop and master specialist skills for different stages of an attack. These groups benefit from this inter-dependency, as it offsets criminal liability at each stage. <\/p>\n<p>And there are plenty of specializations in the cybercrime underworld. There are <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/krebsonsecurity.com\/2019\/05\/legal-threats-make-powerful-phishing-lures\/#more-47793\">spammers<\/a>, who hire out spamware-as-a-service software that phishers, scammers, and fraudsters use to steal people&#8217;s credentials, and <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/nos.nl\/artikel\/2374024-datalek-bij-autobedrijven-treft-mogelijk-miljoenen-nederlanders.html\">databrokers<\/a> who trade these stolen details on the dark web.<\/p>\n<p>They might be purchased by &#8220;<a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/www.theregister.com\/2021\/06\/09\/trend_micro_nefilim_ransomware_research\/\">initial access brokers<\/a>&#8220;, who specialize in gaining initial entry to computer systems before selling on those access details to would-be ransomware attackers. These attackers often engage with <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/krebsonsecurity.com\/2021\/01\/arrest-seizures-tied-to-netwalker-ransomware\/\">crimeware-as-a-service<\/a> brokers, who hire out ransomware-as-a-service software as well as other malicious malware.<\/p>\n<p>To coordinate these groups, <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/www.zdnet.com\/article\/us-weve-just-seized-1bn-in-bitcoin-stolen-from-silk-road-by-individual-x-hacker\/\">darkmarketeers<\/a> provide online markets where criminals can openly sell or trade services, usually via the Tor network on the dark web. <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/www.nytimes.com\/2021\/05\/29\/world\/europe\/ransomware-russia-darkside.html\">Monetisers<\/a> are there to launder cryptocurrency and turn it into fiat currency, while negotiators, representing both victim and offender, are hired to settle the ransom amount.<\/p>\n<p>This ecosystem is constantly evolving. For example, a recent development has been the emergence of the &#8220;<a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/geminiadvisory.io\/ransomware-unmasked\/\">ransomware consultant<\/a>&#8220;, who collects a fee for advising offenders at key stages of an attack. <\/p>\n<p><b>Arresting offenders<\/b><\/p>\n<p>Governments and law enforcement agencies <a href=\"https:\/\/buradabiliyorum.com\/en\/category\/download-scripts-themes-apps\/\" data-internallinksmanager029f6b8e52c=\"9\" title=\"Download Scripts &amp; Themes &amp; Apps\" target=\"_blank\" rel=\"noopener\">app<\/a>ear to be ramping up their efforts to tackle ransomware offenders, following a year blighted by their continued attacks. As the G7 met in Cornwall in June 2021, Ukrainian and South Korean police forces coordinated to arrest elements of the infamous <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/www.theregister.com\/2021\/06\/16\/clop_ransomware_gang_arrests_ukraine\/\">CL0P ransomware gang<\/a>. In the same week, Russian national <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/us-convicts-russian-national-behind-kelihos-botnet-crypting-service\/\">Oleg Koshkin<\/a> was convicted by a U.S. court for running a malware encryption service that criminal groups use to perform cyberattacks without being detected by antivirus solutions.<\/p>\n<p>While these developments are promising, ransomware attacks are a complex crime involving a distributed network of offenders. As the offenders have honed their methods, law enforcers and cybersecurity experts have tried to keep pace. But the relative inflexibility of policing arrangements, and the lack of a key offender (Mr or Mrs Big) to arrest, may always keep them one step behind the cybercriminals\u2014even if an extradition treaty is struck between the U.S. and Russia.\n                                                                                                                        <\/p>\n<hr\/>\n<div class=\"article-main__explore my-4 d-print-none\">\n<p>                                            NCCoE preliminary draft report on ransomware risk management\n                                        <\/p><\/div>\n<hr class=\"mb-4\"\/>\n<div class=\"d-inline-block text-medium my-4\">\n                                                Provided by<br \/>\n                                                                                                    The Conversation<br \/>\n                                                                                                        <a rel=\"nofollow noopener\" target=\"_blank\" class=\"icon_open\" href=\"https:\/\/theconversation.com\"><br \/>\n                                                        <svg><use href=\"https:\/\/techx.b-cdn.net\/tmpl\/v2\/img\/svg\/sprite.svg#icon_open\" x=\"0\" y=\"0\"\/><\/svg><\/a><\/p><\/div>\n<p class=\"article-main__note mt-4\">\n                                                This article is republished from <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/theconversation.com\">The Conversation<\/a> under a Creative Commons license. Read the <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/theconversation.com\/inside-a-ransomware-attack-how-dark-webs-of-cybercriminals-collaborate-to-pull-one-off-163015\">original article<\/a>.<img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/counter.theconversation.com\/content\/163015\/count.gif?distributor=republish-lightbox-advanced\" alt=\"The Conversation\" width=\"1\" height=\"1\"\/><\/p>\n<p>                                        <!-- print only --><\/p>\n<div class=\"d-none d-print-block\">\n<p>                                                 <strong>Citation<\/strong>:<br \/>\n                                                 Inside a ransomware attack: How dark webs of cybercriminals collaborate to pull one off (2021, June 21)<br \/>\n                                                 retrieved 22 June 2021<br \/>\n                                                 from https:\/\/techxplore.com\/<a href=\"https:\/\/buradabiliyorum.com\/en\/category\/news\/\" data-internallinksmanager029f6b8e52c=\"2\" title=\"News\" target=\"_blank\" rel=\"noopener\">news<\/a>\/2021-06-ransomware-dark-webs-cybercriminals-collaborate.html<\/p>\n<p>                                            This document is subject to copyright. Apart from any fair dealing for the purpose of private study or research, no<br \/>\n                                            part may be reproduced without the written permission. The content is provided for information purposes only.<\/p><\/div>\n<\/p><\/div>\n<p><script id=\"facebook-jssdk\" async=\"\" src=\"https:\/\/connect.facebook.net\/en_US\/sdk.js\"><\/script><\/p>\n<blockquote><p><strong><span style=\"color: #ff6600;\">If you liked the article, do not forget to share it with your friends. Follow us on\u00a0<span style=\"color: #ff0000;\"><a style=\"color: #ff0000;\" href=\"https:\/\/news.google.com\/publications\/CAAqBwgKMLG0nwswvr63Aw\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">Google News<\/a><\/span>\u00a0too, click on the star and choose us from your favorites.<\/span><\/strong><\/p><\/blockquote>\n<blockquote>\n<p style=\"text-align: center;\">For forums sites go to <span style=\"color: #ff9900;\"><a style=\"color: #ff9900;\" href=\"https:\/\/forum.buradabiliyorum.com\/\" target=\"_blank\" rel=\"noopener\">Forum.BuradaBiliyorum.Com<\/a><\/span><\/strong><\/p>\n<\/blockquote>\n<blockquote>\n<p style=\"text-align: center;\"><strong>If you want to read more Like this articles, you can visit our <span style=\"color: #ff9900;\"><a style=\"color: #ff9900;\" href=\"https:\/\/en.buradabiliyorum.com\/science\/\" target=\"_blank\" rel=\"noopener\">Science category.<\/a><\/span><\/strong><\/p>\n<\/blockquote>\n<p><span style=\"color: black;\"><a style=\"color: #ff9900;\" href=\"https:\/\/techxplore.com\/news\/2021-06-ransomware-dark-webs-cybercriminals-collaborate.html\" target=\"_blank\" rel=\"noopener\">Source<\/a><\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>&#8220;#How dark webs of cybercriminals collaborate to pull one off&#8221; Victims of ransomware attacks are typically presented with a screen like this. Credit: TechnoLlama, CC BY In their Carbis Bay communique, the G7 announced their intention to work together to tackle ransomware groups. Days later, U.S. president Joe Biden met with Russian president Vladimir Putin,&#8230;<\/p>\n","protected":false},"author":1,"featured_media":280591,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/scx2.b-cdn.net\/gfx\/news\/2021\/inside-a-ransomware-at.jpg","fifu_image_alt":"","footnotes":""},"categories":[16],"tags":[],"class_list":["post-280590","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-sciencee"],"_links":{"self":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts\/280590","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/comments?post=280590"}],"version-history":[{"count":0,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts\/280590\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/media\/280591"}],"wp:attachment":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/media?parent=280590"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/categories?post=280590"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/tags?post=280590"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}