The new cartels: Who’s behind the rise in cyber crime?

Published 4 August 2021 (updated 3 October 2023)

Forget the Hollywood stereotype of the lone hacker living in his mother’s basement and plotting his revenge against the world. Today’s cyber criminals are organised, sophisticated and sometimes state-sponsored.

US officials have confirmed the world’s worst-kept secret: that hackers tied to the Chinese government were responsible for the massive Microsoft Exchange hack earlier this year, thought to be one of the largest cyber attacks in history.

Hackers contracted by China’s Ministry of State Security are believed to have gained access to the email systems of tens of thousands of private users and public entities, including schools, hospitals and city councils.

Microsoft blamed the attack on state-sponsored hackers operating out of China at the time, but it has taken until now for the US and its global allies – including Australia, the UK and the EU – to formally accuse and publicly condemn China for the attacks.

Of course, the Microsoft Exchange breach is just part of a recent uptick in cyber crime, which has seen a 200 per cent increase in reports of ransomware to the Australian Cyber Security Centre in recent months.

So how did cyber crime become such serious business, and who’s behind the malware that’s enabling it?

The rise of ransomware

Ransomware – a form of malware that encrypts the victim’s files so that the attacker can demand a ransom for their return – has come a long way since the early days of the AIDS Trojan in 1989.

The first known instance of ransomware, the AIDS Trojan hid files on the user’s hard drive and only encrypted their names, not the files themselves. It displayed a message demanding a payment of US$189 to the ‘PC Cyborg Corporation’ in return for the repair tool – which was actually completely unnecessary, because the decryption key could be extracted from the code of the Trojan itself.

Dr Joseph Popp was identified as the author of the AIDS Trojan and charged with blackmail. A Harvard-trained evolutionary biologist who collaborated with the AMREF Flying Doctors and consulted for the WHO in Kenya, Popp had actually organised a conference for the Global AIDS Program the same year he created the AIDS Trojan, and later promised to donate the profits from the AIDS Trojan to fund actual AIDS research. (He was ultimately declared mentally unfit to stand trial.)

Much like low-rise jeans, trucker hats and velour tracksuits, it wasn’t until the early-to-mid 2000s that ransomware really began to take hold. Trojans known as GPCode, TROJ.RANSOM.A, Archiveus, Krotten, Cryzip and MayArchive began using more sophisticated encryption schemes – by June 2008, GPCode was using a 1024-bit RSA public key, which would have taken computers at the time roughly two million years to crack.

The decentralised and anonymous nature of Bitcoin made the digital currency an instant favourite with cyber criminals, which led to the creators of CryptoLocker (no relation) collecting roughly US$27 million with their ransomware. A string of copycat variants with names like CryptoLocker 2.0 and CryptoBlocker followed, all with roughly the same MO – the victim would have three days to pay a bitcoin ransom, or the files would be deleted.

These early ransomware techniques all relied on the victim’s desire to get their files back to motivate them to pay the ransom. But the current ransomware technique du jour, ‘double extortion’, puts a twist on the formula. In a double extortion attack, the criminals don’t just encrypt the victim’s data; they also copy it to a server of their own.

That way, even once the victim pays the ransom to decrypt the data, the criminals still have their copy, and can demand a second ransom – a double extortion, if you will – by threatening to leak it publicly.

Ransomware group REvil were the first to use the double extortion tactic in June 2020, when they began auctioning off data stolen from a Canadian agricultural production company that refused to meet their ransom demands. But since then, a number of ransomware groups have adopted the tactic.

Gangs of New Dork

Particular ransomware strains have traditionally been associated with particular ransomware groups, who would dissolve after a few big scores and then re-emerge with a new name.

But now, according to a recent report by cyber risk analytics provider CyberCube, these groups have evolved into cyber ‘cartels’ that operate much like the mafia, collaborating as affiliates to infiltrate their targets’ networks. They share resources, pass on stolen data and attack information, and have even developed a Ransomware-as-a-Service model, sharing their wares with lone scammers in return for a slice of their profits.

Under the Ransomware-as-a-Service model, newcomers to the ransomware scene don’t need the know-how to develop their own malware, so even the most technically challenged cyber criminal can get amongst it. They’re not likely to pull off big scores on their own, but the relatively small amounts they extort from individuals add up – a new Australian Institute of Criminology report estimated the total annual economic impact of cyber crime at $3.5 billion in Australia alone, with $1.9 billion lost by individual victims.

High-profile cyber gangs include:

Rogue nations

Cyber gangs are one thing – but it now appears that at least some of these gangs are on the payroll of rogue governments, and operating at their behest.

The United States took the unprecedented step of formally attributing the Microsoft Exchange attack to hackers affiliated with China’s Ministry of State Security this month, and charging four Chinese nationals – three security officials and one contract hacker – for their role in it.

Pulling no punches, US Secretary of State Antony Blinken directly accused China of fostering an ecosystem of criminal contract hackers to carry out state-sponsored activities and extort businesses for their own financial gain.

“These contract hackers cost governments and businesses billions of dollars in stolen intellectual property, ransom payments, and cyber security mitigation efforts, all while the Ministry of State Security had them on its payroll,” Blinken said.

The US was joined by allies Australia, Canada, Japan, the United Kingdom, New Zealand and the European Union in calling out the Chinese government.

The working theory is that hackers working at the behest of Chinese intelligence learned about Microsoft’s vulnerability in early January. When they learned that Microsoft intended to patch or close the vulnerability shortly, they shared it with other China-based groups, helping them hack Microsoft like a sinister version of Clippy the Office Assistant. This effectively escalated the attack from a typical espionage operation to a smash-and-grab raid.

By the time Microsoft closed the vulnerability in March, about a quarter of a million email systems around the world had been exposed, and at least 30,000 had been compromised, including schools, hospitals, cities and pharmacies.

According to a memo released by the White House, hackers linked to China are still “aggressively” targeting US and allied defence and semiconductor firms, as well as medical institutions and universities, with the intent of stealing their data.

This isn’t the first time China has been linked to these sorts of shenanigans. Australia’s decision to name and shame China comes after Prime Minister Scott Morrison warned that a state-based actor was behind a series of cyber raids on hospitals, councils and state-owned utilities in June 2020 – but although Australian security agencies believed China was behind those attacks, Morrison stopped short of identifying them then.

One nation that’s probably happy to see China under the spotlight is Russia, which has tended to get the most attention for these types of attacks. DarkSide, the group that extorted a US$4.4 million ransom from the Colonial Pipeline Company in the US, is believed to be based in Russia, although it’s unclear whether they’re actually state-sponsored or whether Russia simply serves as a ‘safe haven’ for hackers.

Russian hackers are generally considered to have a looser connection to official Russian intelligence agencies than their Chinese counterparts, although sanctions were recently placed on Russia for the infamous ‘Sunburst’ attack on US software company SolarWinds. The attack affected thousands of governmental and private organisations around the world, and while its full impact is yet to be calculated, it’s been reported to have cost cyber insurance firms at least US$90 million.

While China and Russia get the bulk of the publicity, they’re far from the only governments to have been involved in malicious cyber activity. But when nations are involved, the line between cyber crime (bad) and espionage (good?) often becomes murky.

After being accused of cyber crime by most of the free world, China responded with an official statement that called the US “the world champion of malicious cyber attacks”.

“It is well known that the US has engaged in unscrupulous, massive and indiscriminate eavesdropping on many countries, including its allies,” the statement read.

“Australia also has a poor record, including monitoring the mobile phone of the president of its biggest neighbour country, not to mention acting as an accomplice for the US’ eavesdropping activities under the framework of the Five Eyes alliance.

“What the Australian government has done is extremely hypocritical, like a thief crying ‘stop the thief’,” the statement continued.

At roughly the same time that the US accused China of the Microsoft Exchange attack, a new investigation dubbed “the Pegasus Project” revealed the extent of Israeli technology firm NSO Group’s involvement in targeting thousands of heads of state, activists, journalists and dissidents around the world.

Their Pegasus spyware, which is licensed to foreign governments by the Israeli Ministry of Defence, is said to have enabled human rights violations on a global scale, including the murder of reporter Jamal Khashoggi by agents of the Saudi government with a bone saw in the Saudi Arabian consulate – a scenario that sounds like a cross between Clue and Cards Against Humanity.

Pegasus infects iPhones and Android devices, allowing operators to extract messages, photos and emails, record calls and secretly activate microphones and cameras.

Of course, you don’t have to be a head of state, a CEO or a crusading reporter to be concerned about cyber crime. The purpose of these attacks is to steal data – and if you’ve ever been a customer or a client of a targeted organisation, then that includes your data.

For instance, the intent of the Microsoft Exchange attack might have been to gather intelligence, but there was little rhyme or reason to who was targeted. The method was simply to hack as many people and organisations as possible in a short time frame and make sense of the data later.

So while Xi Jinping may not harbour a personal vendetta against you, the collateral damage of an attack like this could see your personal data and private records leaked for the world to see, leaving you open to identity theft, phishing attacks, or worse.

The rise in cyber crime, then, is everyone’s problem – no matter who turns out to be behind it.

Recognised by Forbes as one of the 20 Best Cybersecurity Startups to Watch in 2020, Cryptoloc has developed the world’s strongest encryption technology and the world’s safest cybersecurity platform, ensuring clients have complete control over their data. For more information, visit cryptoloc.com.