Inside a ransomware attack: how dark webs of cybercriminals collaborate to pull one off

BeeBright/Shutterstock

David S. Wall, University of Leeds

In their Carbis Bay communique, the G7 announced their intention to work together to tackle ransomware groups. Days later, US president Joe Biden met with Russian president Vladimir Putin, where an extradition process to bring Russian cybercriminals to justice in the US was discussed. Putin reportedly agreed in principle, but insisted that extradition be reciprocal. Time will tell if an extradition treaty can be reached. But if it is, who exactly should extradited – and what for?

The problem for law enforcement is that ransomware – a form of malware used to steal organisations’ data and hold it to ransom – is a very slippery fish. Not only is it a blended crime, including different offences across different bodies of law, but it’s also a crime that straddles the remit of different policing agencies and, in many cases, countries. And there is no one key offender. Ransomware attacks involve a distributed network of different cybercriminals, often unknown to each other to reduce the risk of arrest.

So it’s important to look at these attacks in detail to understand how the US and the G7 might go about tackling the increasing number of ransomware attacks we’ve seen during the pandemic, with at least 128 publicly disclosed incidents taking place globally in May 2021.

What we find when we connect the dots is a professional industry far removed from the organised crime playbook, which seemingly takes its inspiration straight from the pages of a business studies manual.

The ransomware industry is responsible for a huge amount of disruption in today’s world. Not only do these attacks have a crippling economic effect, costing billions of dollars in damage, but the stolen data acquired by attackers can continue to cascade down through the crime chain and fuel other cybercrimes.


Read more: Ransomware gangs are running riot – paying them off doesn’t help


Ransomware attacks are also changing. The criminal industry’s business model has shifted towards providing ransomware as a service. This means operators provide the malicious software, manage the extortion and payment systems and manage the reputation of the “brand”. But to reduce their exposure to the risk of arrest, they recruit affiliates on generous commissions to use their software to launch attacks.

This has resulted in an extensive distribution of criminal labour, where the people who own the malware are not necessarily the same as those who plan or execute ransomware attacks. To complicate things further, both are assisted in committing their crimes by services offered by the wider cybercrime ecosystem.

A hooded hacker
Even a lone hacker draws upon the criminal capabilities of others. trambler58/Shutterstock

How do ransomware attacks work?

There are several stages to a ransomware attack, which I have teased out after analysing over 4,000 attacks from between 2012 and 2021.

First, there’s the reconnaissance, where criminals identify potential victims and access points to their networks. This is followed by a hacker gaining “initial access”, using log-in credentials bought on the dark web or obtained through deception.

Once initial access is gained, attackers seek to escalate their access privileges, allowing them to search for key organisational data that will cause the victim the most pain when stolen and held to ransom. This is why hospital medical records and police records are often the target of ransomware attacks. This key data is then extracted and saved by criminals – all before any ransomware is installed and activated.

Next comes the victim organisation’s first sign that they’ve been attacked: the ransomware is deployed, locking organisations from their key data. The victim is quickly named and shamed via the ransomware gang’s leak website, located on the dark web. That “press release” may also feature threats to share stolen sensitive data, with the aim of frightening the victim into paying the ransom demand.

A ransomware lockout screen
Victims of ransomware attacks are typically presented with a screen like this. TechnoLlama, CC BY

Successful ransomware attacks see the ransom paid in cryptocurrency, which is difficult to trace, and converted and laundered into fiat currency. Cybercriminals often invest the proceeds to enhance their capabilities – and to pay affiliates – so they don’t get caught.

The cybercrime ecosystem

While it’s feasible that a suitably skilled offender could perform each of the functions, it’s highly unlikely. To reduce the risk of being caught, offender groups tend to develop and master specialist skills for different stages of an attack. These groups benefit from this inter-dependency, as it offsets criminal liability at each stage.

And there are plenty of specialisations in the cybercrime underworld. There are spammers, who hire out spamware-as-a-service software that phishers, scammers, and fraudsters use to steal people’s credentials, and databrokers who trade these stolen details on the dark web.

They might be purchased by “initial access brokers”, who specialise in gaining initial entry to computer systems before selling on those access details to would-be ransomware attackers. These attackers often engage with crimeware-as-a-service brokers, who hire out ransomware-as-a-service software as well as other malicious malware.

To coordinate these groups, darkmarketeers provide online markets where criminals can openly sell or trade services, usually via the Tor network on the dark web. Monetisers are there to launder cryptocurrency and turn it into fiat currency, while negotiators, representing both victim and offender, are hired to settle the ransom amount.

This ecosystem is constantly evolving. For example, a recent development has been the emergence of the “ransomware consultant”, who collects a fee for advising offenders at key stages of an attack.

Arresting offenders

Governments and law enforcement agencies appear to be ramping up their efforts to tackle ransomware offenders, following a year blighted by their continued attacks. As the G7 met in Cornwall in June 2021, Ukrainian and South Korean police forces coordinated to arrest elements of the infamous CL0P ransomware gang. In the same week, Russian national Oleg Koshkin was convicted by a US court for running a malware encryption service that criminal groups use to perform cyberattacks without being detected by antivirus solutions.

While these developments are promising, ransomware attacks are a complex crime involving a distributed network of offenders. As the offenders have honed their methods, law enforcers and cybersecurity experts have tried to keep pace. But the relative inflexibility of policing arrangements, and the lack of a key offender (Mr or Mrs Big) to arrest, may always keep them one step behind the cybercriminals – even if an extradition treaty is struck between the US and Russia.

David S. Wall, Professor of Criminology, University of Leeds

This article is republished from The Conversation under a Creative Commons license. Read the original article.

Fastly’s global internet meltdown could be a sign of things to come

Fastly’s global internet meltdown could be a sign of things to come

David S. Wall, University of Leeds

For an hour on the morning of June 8, dozens of the world’s most-visited websites went offline. Among those affected were Amazon, Reddit, PayPal and Spotify, as well as the Guardian, the New York Times and the UK government website, gov.uk. Together, these websites handle hundreds of millions of users.

The issue was quickly traced to Fastly, a cloud computing company which offers a content delivery network to the affected websites. Designed to alleviate performance bottlenecks, a content delivery network is essentially a system of computers or servers that hold copies of data across various points of a network. When it fails, the websites it supports cannot retrieve their data and are forced offline.

The outage to Fastly’s content delivery network appears to have been caused by an internal software bug that was triggered by one of their customers. Yet even though it was resolved within an hour, it’s estimated to have cost Fastly’s global clientele hundreds of millions of dollars.


Read more: Fastly global internet outage: why did so many sites go down — and what is a CDN, anyway?


This case illustrates the fragility of an internet that’s being routed through fewer and fewer channels. When one of those major channels fails, in what is called a “single point of failure”, the results are dramatic, disruptive and incredibly costly.

This hasn’t been lost on cybercriminals, who know that one targeted hack can bring down or breach a number of organisations simultaneously. It’s urgent we address this significant vulnerability if we’re to avoid another global internet meltdown – but this time caused by criminals, not code.

Warning signs

Given that it came hot on the heels of the ransomware attack on the Colonial oil pipeline in the US, experts initially speculated that Fastly’s outage could have been caused by a cyberattack.

It’s easy to see why. Drawing upon an analysis of over 4,000 ransomware attacks, my research has revealed a massive acceleration in major cyberattacks that target organisations, conducted by ransomware gangs looking to extort cash from businesses they manage to hack.

These attacks are taking advantage of vulnerabilities caused by remote working arrangements. But there’s also been a noticeable shift in attacks upon organisations like Fastly, which provide core services to other organisations and their own clientele.

A graph showing the increase in cyberattacks on multiple service organisations
Cyberattacks targeting platforms similar to Fastly have risen sharply since 2019. David S. Wall, Author provided

This trend is unlikely to stop. Ransomware has become a sophisticated billion-dollar business, and attackers are supported by an increasingly professional ecosystem that’s incentivised by the high yield generated by such attacks. A 2020 Verizon report found 86% of hacks are financially motivated, while less than 10% are motivated by espionage.


Read more: Ransomware gangs are running riot – paying them off doesn’t help


Two high-profile hacks that targeted organisations with access to thousands of other organisations have recently shown just how fragile centralised internet systems can be. The SolarWinds and Microsoft Exchange Server hacks, which took place in early 2020 and early 2021 respectively, breached tens of thousands of companies. Both have been attributed to state-backed hackers, rather than ransomware gangs.

But cybercriminals have deliberately targeted multiple service providers and critical supply chains too in order to upscale the impact, and therefore the potential payout, of their hacks. Blackbaud, Accellion and other key online service providers have been victim to such attacks.

Centralisation of the internet

All these particularly disruptive hacks are partially the result of the drive towards centralisation of online services, which may be efficient for businesses, but is counter to the founding principles of the internet.

The initial appeal of the internet was that it was a distributed network designed to resist attacks and censorship. When released for public use in the early 1990s, the internet became popular for commerce as well as being regarded as a beacon of free speech. But market logic, rather than free speech, has driven developments since the early days.

Today, cloud computing firms and multiple service providers manage large chunks of internet traffic, causing single points of failure where internet flows can be accidentally or deliberately disrupted. Even something as simple as a typo can cause significant disruption, as was the case in 2017 when several of Amazon’s servers – which power large swathes of the internet – went temporarily offline due to an inputting error.

We should take our hats off to Fastly for quickly rectifying the June 8 outage. But this case has revealed the dangers of consolidating key internet infrastructure, resulting in the emergence of costly single points of failure. It’s another stern wake-up call for law enforcement and the cybersecurity community, giving renewed emphasis to the mission of the US and European ransomware taskforces.

Avoiding internet meltdowns

But are taskforces enough to address this problem? What this event has really shown is how firms like Fastly are in effect privately-owned public spaces, which not only blur the lines between business and national infrastructure, but have, in effect, become “too big to fail”.

All this suggests that the solution to this dilemma must be found beyond multi-sector taskforces, requiring full-blown political debate over what we want the internet to look like in the latter three-quarters of the 21st century. If we fail to make that decision, then others will for us.

David S. Wall, Professor of Criminology, University of Leeds

This article is republished from The Conversation under a Creative Commons license. Read the original article.