Is Ransomware The Biggest Threat To Everyone? Even To Big Tech Companies?

Europol thinks ransomware is everyone’s problem. But is ransomware really that big of an issue?

Well, if a Europol report is to be believed then ransomware is an ugly manifestation of the biggest cyber threat to everyone on the planet.

Europol published its annual Internet Organised Crime Threat Assessment (IOCTA) report on Thursday and according to the vast research conducted by Europol, it has been revealed that the agency considers ransomware as the number one threat to the world of cyberspace at the moment.

The report from Europol also stated that cryptoware (which is basically encrypting ransomware) had become the most prominent and widespread malware threat and essentially overshadowed data-stealing malware and banking trojans.

The Europol report which branded ransomware as the most prominent hazard to the online word of the internet, also said that with cryptoware becoming a key threat for citizens and enterprises alike, law enforcement and the internet security industry had responded rapidly and in concert, with prevention and awareness campaigns along with technical support and operations that targeted the criminal groups and infrastructure involved.

In the report, Europol also made it clear that ransomware continued to be the dominant concern for EU law enforcement agencies.

There is little doubt in the fact that malware of all shapes and sizes have, in terms of numbers, multiplied exponentially in the past couple of years. Not only that but the other interesting part about malware is that each newer version is  an improvement over the previous one.

In other words, each successive version of  a dangerous malware has some properties which are unique to it alone.

Hence, if security companies find a solution to block one version of the same malware , there is no guarantee if the same solution would work with the newer version of that malware.

With that said, it is also true that  a vast majority of ransomware variants that are looking for their next prey on the internet, utilize the same encryption technologies.

These encryption technologies include but obviously are not limited to, Tor or I2P communication. There are also some other business models but we won’t go into the details of those in this article.

Report from Europol says that ransomware techniques have advanced quite a bit over the years.

The other curious aspect of ransomware is that,  the ransom involved in any criminal deal is almost always paid exclusively in bitcoins.

The only thing readers should know about bitcoin is that it is a decentralized form of  currency that no one really controls.  Government agencies have to put in a lot of effort to track down the individuals involved in any criminal deals that  completed through the use of bitcoin.

Ransomware attacks usually cover diverse the society. To put it another way, ransomware attacks are aimed towards people and entities from all walks of life.

Individuals, institutions, government agencies, businesses, and even healthcare facilities are all possible victims of ransomware attacks.

Crime-as-a-service or CaaS, has become one of the most prominent business models among cyber criminals on the internet. According to some law enforcement agencies, CaaS offers the necessary tools and related services to almost all types of customers on the dark web (dark web is technically different to deep web. Think of the dark web as the  dirty past of the deep web).

The Europol laid out a detailed analysis of how cyber criminals used advanced techniques to  ensure that their ransomware attacks reached the completion stage more often than not.

The report from Europol said that the mature Crime-as-a-Service business model that underpinned cybercrime continued to provide all the tools and services across the entire spectrum of cyber criminality.

It further added that cybercriminals from entry-level to all the way up  to top-tier players and cybercriminal groups, and any other seekers, including parties with other motivations such as terrorists used ransomware attacks to get their way with their  victims.

Europol report also  revealed that the boundaries between cyber criminals, Advanced Persistent Threat (APT) style actors along with other groups continued to  blur and that while the extent to which extremist groups currently used cyber techniques to conduct attacks appeared to be limited.

Europol is seeking help from other authorities to help with cases other than ransomware. Ransomware criminals are reported to be truly transnational.

Furthermore, the Europol report said that the availability of cybercrime tools and services and illicit commodities such as firearms on the darknet provided ample opportunities for the situation to change as far limited ransomware attack techniques were concerned.

Needless to say, ransomware attacks offer quick riches to hackers as  the advanced techniques used to carry out the actual ransomware attack enables hackers to earn  money very quickly without any fear of retribution because of the anonymous status of the involved hackers.

But more importantly, or rather worryingly, ransomware attacks can also be used to  spread information stealer malware.

These are basically malware that steal important information. One form of this malware  is the nasty banking trojan.

These type of malware, information-stealing ones, help cybercriminal to gain access to sensitive data that is considered to be very valuable by the holder.

However, despite the fact that the sensitive data almost always turns out to be valuable , ransomware attack perpetrators have to input  a lot of effort in other to earn any kind of serious money from information stealing malware.

As indicated earlier, information stealing malware can be used to steal any kind of data that might hold some potential value, but cyber criminals along with ransomware  attackers , for the most part, use it loot ample amounts of data related to banking and  other sensitive credit card details.

The Internet Organized Crime Threat Assessment report published by the Europol also  stated that while peer-to-peer, or P2P, networks continued to represent a popular platform for the exchange of child sexual exploitation material, CSEM, a growing number of dark net forums facilitating the exchange of child sexual exploitation material , coupled with the ease of access to these networks, was leading to an increase in the volume of material being exchanged on the darknet.

A short time ago the administrator of the child porn website PlayPen, Steven W. Chase, was  found guilty by the authorities of actually running the website for a considerable period of time.

Coincidently, Steven W. Chase’s case also linked back to Federal Bureau of Investigation’s (FBI) legendary Operation Pacifier in which the Federal Bureau of Investigation  agents hacked around 1300 computer machines that lead to the identification of many users of the darknet site, PlayPen.

Moreover, child porn websites and ransomware attackers aren’t the only menaces  that Federal Bureau of Investigations has to deal with on a regular basis. Money laundering, is another huge concern for agencies such as the Federal Bureau of Investigations and Europol.

To seek help in solving more cyber crimes in much shorter time, Europol announced  a partnership with the Interpol and the Basel Institute on September 9, 2016, whose  objective was to battle crimes related to bitcoin and the finance industry.

But Are Ransomware Attacks the Biggest Form of Cyber Threat To Everyone? What About All The Silicon Valley Technology Giants? Do They Become Victims Too?

Are giant tech companies or businesses safe from ransomware?

If recent reports are anything to go by then no. Technology companies are more likely to be targeted by hackers who just want to steal data for either money, fame or fun.

In fact, just a couple of days ago a research firm was able to find that  Yahoo along with Dropbox and LinkedIn were hacked by the same hacking group.

According to a recent report published by Infoarmor, which is a  cyber security research firm,  it was revealed that there was actually a total of five hackers that were involved in the most recent hacks that wrecked havoc on technology companies such as Yahoo, Dropbox, and LinkedIn.

Moreover, the evidence for the “five hackers” claim was announced to the media after the recent data breach that shook Yahoo, which is still in the middle of a  sale deal with  Verizon,  that showed a link that lead to the discovery.

This discovery allowed investigators to connect the data breach to the previous hacks that affected the likes of Dropbox and LinkedIn.

The Chief Intelligence Officer (CIO) of InfoArmor, Andrew Komarov, while talking to reporters claimed that many of the published reports on recent database breaches were noticeably erroneous.

Moreover, he also said that the fresh attacks  which were  executed against big technology companies such as Yahoo, LinkedIn and Dropbox along with Tumblr (assuming it is still a big technology company) were all associated with a hacking group called “Group E.”

Group E, the hacking group, is a relatively small hacking group that is based in Europe. Group E has been noted to only carry out data breaches that are  large-scale.

After securing important data, Group E makes money from the stolen property by selling the acquired data to the highest bidder.

Andrew Komarov, while speaking to The Register in an interview that took place a couple of days ago, said that Group E dealt with brokers to  trade the massive amounts of hacked data for money.

He also said that one such broker was actually registered on a number of communities that existed only in the underground market.

Hackers did breach Yahoo’s database but did not go for the ransomware route. Instead of ransomware, they sold the data on the deep web.

The broker had registered with the name “tessa88” on these communities and  became  the first individual to have been recorded while mentioning that Yahoo had been hacked . Tessa88  was also recorded to have made statements about the hacked Yahoo accounts, noting that those were for sale now.

Komarov further added that the broker then changed roles and  acted as a proxy  to finish the deal between Group E and interested buyers. The dealings were negotiated on the deep web.

It was revealed that Tessa88 also posted more content on several underground forums after the LinkedIn breach was made known to the public. Tessa 88 reportedly offered to sell Yahoo credentials back then as well.

InfoArmor managed to discover the details of the aforementioned data breaches and the connection between them by following these secret conversations in hidden underground forums.

Tessa 88 also interacted with other forums users. One of those forum users was responsible  for listing the Yahoo database dumps on several underground marketplaces  in return for profits.

IN Yahoo’s case, the database dumps were put on sale by the user  on TheRealDeal underground marketplace.

InfoArmor provided further details about the operation by revealing that the actor “Peace_of_mind” (POM), was a well-known member of the community  and had gained  much reputation from his activities at The Real Deal Market  and The Hell forums.

He had gained even more fame because of his posts connected with the stolen data  that were published at one of the underground forums.

POM contacted Tessa 88 and proposed some sort of cooperation  in exchange for some of the stolen data.

Yahoo along with Dropbox and LinkedIn may not have been ransomware victims but did get their data stolen by hackers.

Readers should know that before this first contact, the stolen database dumps were published for sale by Tessa 88. These same database dumps were then resold by Peace of Mind  on various TOR networks at The Real Deal Marketplace.

It was further revealed that  the scale of the operation was truly  transnational since one of the individuals involved in the cooperation was a Russian-speaking actor while the other was an English speaking actor.

This case also presented a neat example that cyber crime literally as no boundaries in terms of participation from different individuals.

InfoArmor, after doing more of the same, found out that  almost all recent database dumps that were gained as a result of data breaches were put up for purchase one either The Real Deal Marketplace or The Hell Forums.

Tessa 88 was also contacted by other vendors who had been involved in publishing the database listings on other sites.

Komarov believes that Tessa 88 was the primary connection between the hacking group Group E and a second hacking group named For Hell.

Both groups sold the database dumps on multiple marketplaces and their members included some high profile hackers.

POM put the Yahoo database dump up for sale on The Real Deal Marketplace sometime in August.

Yahoo, of course, did not announce or even acknowledge the data breach hack well after POM had started to advertise the Yahoo database dump.

Though it has to be mentioned that the veracity  of the database dumps  offered by POM is still not known. According to Komarov, Group E was able to damage in the region of 1 billion user email accounts, a figure which is double of what Yahoo officially announced.

POM claimed that the database dumps in his custody had over  200 million  user accounts while we now know that the actual database included over 500 million accounts. Group E, till now, has not published the whole of the database dump it stole from the Yahoo data breach.


Zohair A. Zohair is currently a content crafter at Security Gladiators and has been involved in the technology industry for more than a decade. He is an engineer by training and, naturally, likes to help people solve their tech related problems. When he is not writing, he can usually be found practicing his free-kicks in the ground beside his house.
Leave a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.