by Paul Ducklin
Here on Naked Security, we’ve regularly asked the question, or at least implied it: “Where do you think all those cybercrime payments go?”
When a ransomware victim hands over a largely anonymous, mostly untraceable quantity of Bitcoin, for example, to pay off a multi-million dollar blackmail demand in the hope of recovering their unusable files…
…what happens to that money?
The question, as posed above, is a rhetorical one, given that we can all hazard our own guesses about what the criminals do with the money.
But we have confronted that question quite literally on various occasions before, as we did when several suspects were arrested in Ukraine, allegedly in connection with ransomware attacks attributed to a gang known as “Clop”.
In that case, it seems as though at least some of the money went on fancy cars.
Police videos of those busts show impressive collections of car keyfobs being gathered up in evidence, and numerous flash-looking cars being loaded onto recovery vehicles and confiscated.
We’ve also written before about one of the REvil gang’s spending sprees.
That’s the same REvil ransomware operation that oversaw the infamous “Independence Day Weekend 2021” ransomware attack launched simultaneously on more than 1000 networks via software from IT management company Kaseya.
That attack led to the REvil gang’s almost casually provocative “business offer” that, for a one-off ueberpayment of $70 million in Bitcoin, it would “solve” the entire incident at a stroke by releasing a single, unified decryption tool that contained all the unscrambling secrets needed to restore any computer on any network belonging to any victim.
Presumably conscious of the preceding Colonial Pipeline attack in which a $4.4 million blackmail payoff resulted in a decryptor that, though functional in theory, was worthless in practice because it ran far too slowly, the REvil crew even blithely claimed that their so-called universal decryptor would allow everyone to “recover from attack [sic] in less than an hour”.
Last year, REvil made headlines when the gang infamously paid $1,000,000’s worth of Bitcoins into an underground cybercrime forum as advance payment for services rendered.
The REvil crew couldn’t get this money back – it was basically a million-dollar flash-the-cash exercise aimed at proving to members of the forum that the money it was offering was more than just a promise: it was already invested and committed to being spent on successful “job applicants”:
Well, according to cybersecurity investigator Pierluigi Paganini at Security Affairs, another anonymous cybercrime actor has just done something similar.
Due to fluctuations in the dollar value of Bitcoin, this flash-the-cash bundle now has a value somewhere closer to $888,888 than to a cool one million, but it’s still a staggering cash total to pay out up front: BTC 26.994602, according to Paganini.
When REvil stumped up its $1m cash bounty, the gang said it was looking for techies with a wide range of skills, including: the programming language C# (commonly used for building Microsoft .NET apps, and very popular with malware writers); virtualisation; and backup tools and technologies.
(Ransomware crooks with on-and-offsite backup skills can serve two devious purposes: finding and trashing any backups a victim already has; and quietly making unauthorised off-site backups to keep stolen data that can be used for extortion.)
This crook, apparently, has other ideas, and is looking to purchase one or more of the following, amongst a longer list:
* I will buy the most clean RAT from detections [...], with the prospect of one hand [...]
* Buy unusued startup methods in Windows 10 (fileless software, lives in the registry), up to $150k for the original solution [...]
* Buy 0day exploits in one hand under Windows 10 (LPE, RCE) budget up to $3m for RCE 0 Click [...]
To decode the jargon above:
A RAT, or remote access trojan, gives the crooks ongoing remote control over an infected computer, so it can be told to morph into a completely different malware infection on demand. That means the risks posed by an undetected RAT are essentially open-ended.
Most Windows startup entries in the registry simply point to a program file on disk. However, some registry entries can contain the actual script or program that Windows should run, encoded directly into the registry data.
Threats stored in this way don’t occupy a file of their own on disk, so they are generally harder to find and remediate.
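To make the "lives in the registry" point concrete, here is an added example (not code from the article, and not a Sophos tool) that triages a handful of constructed Run-key entries and flags the ones whose payload is stored in the value data itself rather than in a file. It assumes an autostart scan has already produced (key, value name, value data) tuples; the entries, the heuristics and the function names are all made up for this illustration.

```python
import base64
import re
from typing import Dict, List, Optional, Tuple

# --- helpers for PowerShell's -EncodedCommand form (base64 of UTF-16LE text) ---

def encode_ps(script: str) -> str:
    """Encode a script the way PowerShell expects it for -EncodedCommand."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")

def decode_ps(blob: str) -> Optional[str]:
    """Decode an -EncodedCommand argument for triage; None if it is not valid."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

# Constructed sample autostart entries: (key path, value name, value data).
# These are made up for this example; they are not taken from any real system.
SAMPLE_RUN_ENTRIES: List[Tuple[str, str, str]] = [
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "OneDrive",
     r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "SecurityHealth",
     r"%windir%\system32\SecurityHealthSystray.exe"),
    # Fileless: the whole script lives in the value, base64-encoded.
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "Updater",
     "powershell.exe -NoP -W Hidden -EncodedCommand "
     + encode_ps("Write-Output 'constructed sample payload'")),
    # Fileless: a script host launched with its script inline (placeholder body).
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "Helper",
     'mshta.exe "javascript:/* constructed placeholder script */close()"'),
]

# powershell ... -e / -ec / -enc / -EncodedCommand <base64>
ENCODED_PS = re.compile(
    r"(?i)\bpowershell(?:\.exe)?\b.*?\s-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})")
# a script host whose argument is an inline javascript:/vbscript: body rather than a file
INLINE_SCRIPT = re.compile(
    r"(?i)\b(?:mshta|rundll32|wscript|cscript)(?:\.exe)?\b.*?\b(?:javascript|vbscript):")

def file_backed_target(data: str) -> str:
    """Return the program path a conventional (file-backed) entry points at."""
    data = data.strip()
    if data.startswith('"'):
        return data[1:].split('"', 1)[0]
    return data.split(" ", 1)[0]

def triage_autostart(entries) -> List[Dict[str, Optional[str]]]:
    """Flag entries whose payload is stored in the registry data itself."""
    findings: List[Dict[str, Optional[str]]] = []
    for key, name, data in entries:
        m = ENCODED_PS.search(data)
        if m:
            findings.append({"key": key, "name": name,
                             "reason": "encoded PowerShell script stored inline",
                             "decoded": decode_ps(m.group(1))})
        elif INLINE_SCRIPT.search(data):
            findings.append({"key": key, "name": name,
                             "reason": "script host with inline javascript:/vbscript: body",
                             "decoded": None})
        # Anything else points at a file on disk; that file is what you examine next.
    return findings

if __name__ == "__main__":
    for f in triage_autostart(SAMPLE_RUN_ENTRIES):
        print(f"{f['key']}\\{f['name']}: {f['reason']}")
        if f["decoded"]:
            print("  decoded:", f["decoded"])
```

The two flagged entries are exactly the ones a file-oriented scanner would miss: there is no file to hash or quarantine, so remediation means deleting the registry value and decoding what it contained to see what else it may have dropped or contacted.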
In Naked Security articles we generally refer to LPE by its synonym EoP, which is the term used by Microsoft in its security bulletins.
Whether you say local privilege escalation or elevation of privilege, the idea is the same: crooks can’t break into your computer with an LPE vulnerability, but if they are in already, then they can use an LPE exploit to promote themselves from a regular user account, such as your own, to one that can do much wider and deeper harm to your network.
Account privileges that attackers typically go after include the local SYSTEM account or even Domain Administrator, which puts the attackers on an equal footing with your own sysadmins.
For what it’s worth, we’re guessing that the original poster used some sort of clumsy machine translation to come up with the full English phrases above.
We’re not quite sure what “the prospects of one hand” or “to buy in one hand” really mean, but we’re assuming they are figures of speech from the author’s native language that mean “sold to me exclusively for my sole use“.
With close to a million dollars committed to the kitty already, the advertiser clearly isn’t short of ready money.
We’re not going to say, “Never, ever, pay the ransom,” because for all we know it might be your only chance, no matter how hurtful it might feel, to avoid a business disaster that could put your company and your employees at or even over the edge of economic collapse.
But if you’ve ever wondered where that blackmail money goes, and whether it’s innocent enough to pay the “ransomware fee” just to save the time and effort of activating your backup-and-recovery procedures…
…well, now you know.
PS. Even if you do pay up, decrypting your data may not work out anywhere near as well as you hoped. Ask Colonial Pipeline how that process went… or check out our article “Ransomware: don’t expect a full recovery, however much you pay” to find out the problems experienced by the vast majority of victims in our survey who reported back on their experiences after paying the crooks.