Europol Report on Organized Cybercrime Highlights Crypto Ransomware As Top Threat by Nicole Lindsey

In its 2019 Internet Organised Crime Threat Assessment (IOCTA) report on the state of organized cybercrime, Europol highlights that cybercriminals are becoming bolder and more innovative as they deploy a wider range of strategies and tactics designed to circumvent law enforcement authorities and maximize their overall profitability. According to Europol, one of the most prominent new tactics of organized cybercrime is crypto ransomware. While the actual volume of these attacks is on the decline, the size and sophistication of these attacks are markedly on the upswing.

Crypto ransomware as a top cyber threat vector

In the prototypical crypto ransomware attack, a hacker will gain access to an organization’s computer network and proceed to encrypt all of the organization’s data files so that they cannot be used. The hacker then contacts the organization and offers to hand over a cryptographic key to “unlock” the files – as long as a ransom demand is paid out in a cryptocurrency such as Bitcoin. Once the ransom is paid, the files are then decrypted, and the organization can get back up and running. The main infection vectors for crypto ransomware include phishing emails and remote desktop protocol (RDP).

However, as Europol notes in its report, ambitious hackers are upping their game when it comes to crypto ransomware attacks. For one, they are going after large public entities – including hospitals, schools, grid infrastructure companies and municipalities (such as cities and local government). And, secondly, they are not stopping with just encrypting files – they are now going one step further and bringing the entire computer network of the entity to a complete standstill. Thus, if a hospital or school district wants to get back up and running, it has to pay the ransom demand almost immediately. Usually, targets are backed by the deep pockets of the public sector, so hackers have been steadily raising the size of their ransom demands on a commensurate basis. It’s no longer out of the question to hear about ransom demands in excess of €1 million.

And, in perhaps the most disturbing development yet in the rise of crypto ransomware, some hackers appear to be switching up their tactics once again by using what is known as wiper ransomware. This form of crypto ransomware does not merely encrypt files – it actually wipes them clean by overwriting them. When entities agree to pay a ransom in crypto, there is no guarantee that they will be able to get their files back at all. This was the case, Europol says, in the “German Wiper” attacks that targeted a more profitable victim: German public sector entities.

This highlights one key reason why Europol specifically named crypto ransomware as the top priority threat facing European law enforcement officials – crypto ransomware is morphing into a more sinister form of “sabotage” attack, in which the goal is not so much the payment of a huge ransom, but rather, the destruction of an entire computer network or data system.

Raphael Reich, Vice President of CyCognito, comments on why crypto ransomware is on the rise: “Too many organizations are unintentionally opening themselves to these attacks on their sensitive data, with exposed pathways in their IT ecosystems that they are unaware of, because they have not fully mapped their attack surface. They don’t know where they have exposed servers, applications and other IT assets, and they also don’t know when and where their third party vendors, partners or subsidiaries leave systems, applications and infrastructure exposed. This all creates shadow risk.”

Other key threats mentioned in the IOCTA report

Of course, crypto ransomware was not the only threat mentioned by Europol in its 2019 IOCTA report. Other threats on the Europol threat radar include Distributed Denial of Service (DDoS) attacks (especially those occurring with online banking providers); a sharp rise in child sexual exploitation material traded over the Dark Web; new forms of self-generated explicit material; new cyber attacks focusing on critical infrastructure targets (such as energy, transport, water and healthcare targets); and the rise of Business Email Compromise (BEC) cyber threats as a major source of financial loss for corporations.

Overall, Europol highlighted ten different threats, some of which are mixing together in dangerous new ways. For example, one of the other European cybercrime threats highlighted in the IOCTA report was the dramatic rise in hacker attacks carried out against local government and municipalities. This ties into the rise in crypto ransomware, as these types of attacks now focus on deep-pocketed municipalities that are willing to pay any ransom amount in order to avoid any interruption in their services. And, in an even more dangerous variant of these crypto ransomware attacks, some are now focusing on grid infrastructure providers.

The Europol report on organized cybercrime also emphasized the various ways that hackers are becoming more devious and innovative in response to intervention efforts by law enforcement authorities. In short, as soon as law enforcement officials shut down the modi operandi of cybercriminals, the cybercriminals immediately search for new victims and new platforms. The goal of the most prominent threats is simple: easy income for cybercriminals. It is only recently that some have shown a preference for inflicting greater economic damage on victims.

The changing tactics of organized cybercrime

Cybercriminals are also getting a lot better at covering their tracks and making it harder for law enforcement officials to find them. There are two great examples here from Europol. One is the fragmentation of the Dark Web. This happened as soon as law enforcement swooped in and broke up two of the biggest Dark Web marketplaces – Wall Street Market and Silkkitie (aka Valhalla Marketplace). Almost immediately, organized cybercrime groups changed their tactics to create single-vendor stores on the Dark Web, all of them doing business under different names and monikers.

And, secondly, organized cybercrime has been quick to adopt just about any new technology – such as end-to-end encryption, anonymity services, blockchain, and cryptocurrencies – that can help them maintain their anonymity online and move large amounts of money without attracting the attention of law enforcement officials. Thus, technologies such as encryption carry with them new types of risk.

A holistic approach to cybercrime

One major theme that emerged from the Europol report on organized cybercrime was the need for a more “holistic” approach to cybercrime that involves prevention, awareness, cyber education and cyber resilience. It is no longer enough for individuals, corporations, and public sector entities to wait for something bad to happen and then report it to law enforcement. Instead, they must take proactive steps to prevent such a situation from taking place at all.

Moreover, Europol specifically noted the need for much more coordination between a wide range of law enforcement agencies and private sector entities, often across national borders. One key example of this approach working was the success that Europol had in shutting down global Dark Web marketplaces. Going forward, as organized cybercrime becomes bolder and more innovative, there will be an even greater need for law enforcement to join forces to rid the web of these sinister organized cybercrime organizations.