
Evil Kitchen


The conscience that never awakens


Monday, November 13, 2017

Administrators of several hacker forums, both those open to the general public and those hidden in the darknet, have been debating at length whether to keep allowing the sale of encryption ransomware on their boards. Experts from Anomali and Flashpoint say that discussions of this sort first appeared in 2016 and that they resurface after every major ransomware outbreak.

According to Travis Farrell, Anomali's Director of Security Strategy, and Vitaly Cremez, Flashpoint's Director of Research, forum administrators have lately been posting a great many negative comments about the malware developers who use their sites to sell their handiwork.

But if you think the forum owners are driven by compassion for the victims, that they resent attacks on hospitals and industrial facilities and abhor the thought of innocent people being hurt, think again.

Their discontent usually comes down to four reasons: encryption ransomware draws too much attention, ransomware attacks interfere with other kinds of cybercrime, encryption ransomware may provoke a crackdown by the authorities on the cyber underground, and, finally, encryption ransomware could easily be unleashed against Russia.

Encryption ransomware attacks attract wide publicity and push companies to introduce new security measures and close off previously vulnerable networks, which makes it impossible for other criminals to carry on their covert activities there.

In other words, encryption ransomware gets in the way of other criminals' business. Discussions of this kind are motivated purely by self-interest: one group of criminals does not like it when the activities of another interfere with its own trade.

But let's suppose sales are banned. What would happen next?

This would not be the first time a notorious incident caused a backlash in the cyber underground. For example, after last year's DDoS attacks involving the Mirai botnet, HackForums prohibited its visitors from selling software that could be used to orchestrate such attacks.

Did the ban reduce the number of attacks carried out via smart devices? If it did, the effect was negligible.

First, underground forums compete with one another. Should one forum ban something, its visitors will simply migrate to another.

Only 48.5% of underground forum visitors approved of a ban on selling encryption ransomware. Furthermore, the administrators themselves take a cut of ransomware sales, so giving up that share of their profits will not come easily.

Second, as the saying goes, man shall not live by darknet alone. Encryption ransomware source code can be found in the public domain as well as on underground forums, and the consequences of that are entirely predictable.

Uploading the code of a working malicious program to GitHub is a bad idea. A note claiming that the code was written solely for research and educational purposes may save the repository from deletion, but it certainly will not stop real criminals, who will quickly borrow the source code to build real malware. One does not need to search hard for examples: just recall what happened after the source code for Hidden Tear and EDA2, and later for CryptoTrooper and Heimdall, was published on GitHub.

Yet the bad experience of some researchers does not deter their colleagues. Back in May 2016, the user brucecio9999 published the source code of the CryptoWire ransomware on GitHub. It is fully functional ransomware that encrypts data with the AES-256 cipher, and it is still available for download.

Three ransomware strains have already been built from that code. Like the original, they encrypt data not only on hard drives but also on USB sticks and other removable media, and they also go after the local folders of cloud storage and sync applications (OneDrive, Dropbox, Google Drive, and Steam) on an infected system, so that the encrypted files are then synced to the cloud. Although "out-of-the-box" CryptoWire only encrypts files smaller than 30 MB, that limit is just a value in the source code and can be changed.

So it is futile to hope that attacks involving ransomware (or any other malicious programs) will stop merely because the criminals are troubled by their conscience.

#encryption_ransomware #cyber-crime #malware

The Anti-virus Times recommends

News of hackers embracing the good and voicing their disapproval of cybercrime attracts media attention, because the media like to perpetuate the image of the hacker as a noble highwayman. In reality, as a rule, the "good" intentions of criminals never go beyond words. It is still up to users to protect their systems from cybercriminals, and, of course, security software developers do a great deal of work in this area too.
