Enabling ransomware
Cryptocurrencies have a lot to answer for, and governments (and most of Linux Format) have had enough.
We’re not sure about this cryptocurrency malarkey. And we’re even less sure about people co-opting the term ‘crypto’, which for years has been used by cypherpunks as an abbreviation for the noble art of cryptography. But one thing we can thank cryptocurrency for is ransomware.
If victims were instead asked to pay regular, ‘fiat’ money to a bank account, or by money transfer, they’d be much less likely to pay. And, thanks to banks in most countries being pretty wise about knowing their customers, the scammers would be much more likely to be caught. But over the past decade and a bit ‘crypto’ (in particular Bitcoin) has cemented its position as the premier conduit by which to receive ransomware payments. It’s often said that Bitcoin payments are hard to trace. But this isn’t really true, given that an indelible record of every Bitcoin transfer lives forever on the blockchain, for any inquisitive eyes to see. The hard part is breaking the pseudonymity between wallet addresses and individuals.
However, that might be about to get slightly less hard. Anyone who’s watched popular crime fiction will have heard detectives talking about “following the money”. That’s easy to do with Bitcoin. You can even use a website such as blockchain.com to do it from the comfort of your own browser. For example, https://bit.ly/lxf285-blockchain-payment will show you one of the transactions connected to the Colonial Pipeline payment (of 75 BTC, or a cool $3.5 million) to the now shuttered DarkSide organisation.
You probably won’t solve any crimes that way, but boffins are getting very good at their blockchain scanning algorithms. The boffins at analysis firm Elliptic, for example, figured out that DarkSide was also responsible for an attack on a German chemical company a few days later. But Elliptic went further still, and identified around 45 other wallet addresses that had all paid an average of $1.9 million. This runs to a total of $90 million, which Elliptic believes is the total amount of ransom paid over DarkSide’s history.
Recovering payments to hackers
It’s not illegal to pay a ransom, and for large companies without time or backups it could be the best (well, least worst) option. Colonial Pipeline stakeholders can take some solace in the fact that DarkSide’s website was seized soon after the incident.
Soon after that the FBI announced it had obtained a wallet key and was able to recover 85 per cent of the ransom paid. It’s been speculated (see https://bit.ly/lxf285-blockchain-study) that this figure was in fact paid to a DarkSide affiliate (an intermediary hacker who may have gained initial access), with DarkSide keeping the remaining 15 per cent (its RaaS operator fee), as well as all its other ill-gotten gains, in an as-yet unseized wallet.
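The “following the money” idea above, as an added example that is not part of the article: a breadth-first taint trace over a constructed, simplified address-level ledger. The transaction ids, addresses and the 85/15 affiliate/operator split are illustrative and mirror the speculation just described, not real chain data.

```python
# Added example (not from the article): trace funds forward from a victim's
# payment through a constructed, simplified UTXO-style ledger.
from collections import deque

# Constructed ledger. Each tx spends coins held by the addresses in "inputs"
# and pays the listed (address, btc) outputs. Real chains reference outputs
# by txid:index; address-level bookkeeping is enough to show the traversal.
LEDGER = [
    {"txid": "tx_ransom",    "inputs": ["victim_addr"],
     "outputs": [("darkside_collect", 75.0)]},
    {"txid": "tx_split",     "inputs": ["darkside_collect"],
     "outputs": [("affiliate_addr", 63.75), ("operator_addr", 11.25)]},
    {"txid": "tx_affiliate", "inputs": ["affiliate_addr"],
     "outputs": [("seized_wallet", 63.75)]},
    {"txid": "tx_unrelated", "inputs": ["someone_else"],
     "outputs": [("merchant", 0.1)]},
]

def follow_funds(ledger, start_addr):
    """Breadth-first taint trace: every output of a tx that spends from a
    tainted address becomes tainted. Returns {address: hops_from_start}."""
    hops = {start_addr: 0}
    queue = deque([start_addr])
    while queue:
        addr = queue.popleft()
        for tx in ledger:
            if addr not in tx["inputs"]:
                continue
            for out_addr, _ in tx["outputs"]:
                if out_addr not in hops:
                    hops[out_addr] = hops[addr] + 1
                    queue.append(out_addr)
    return hops

def received(ledger, addr):
    """Total BTC paid to an address across the whole ledger."""
    return sum(amt for tx in ledger for a, amt in tx["outputs"] if a == addr)

def recovered_share(ledger, victim_addr, seized_addr):
    """Fraction of what the victim paid that ended up in the seized address."""
    paid = sum(amt for tx in ledger if victim_addr in tx["inputs"]
               for _, amt in tx["outputs"])
    return received(ledger, seized_addr) / paid

if __name__ == "__main__":
    trail = follow_funds(LEDGER, "victim_addr")
    for a, h in sorted(trail.items(), key=lambda kv: kv[1]):
        print(f"{h} hop(s): {a} received {received(LEDGER, a):.2f} BTC")
    print(f"recovered: {recovered_share(LEDGER, 'victim_addr', 'seized_wallet'):.0%}")
```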
DarkSide has in the past demanded ransoms in Monero (XMR), a privacy-conscious altcoin that doesn’t record unique addresses on its blockchain. Given its relative lack of popularity, though, it’s no good for paying huge sums with. Very few exchanges hold millions of XMR in their coffers. Cryptojacking malware hijacks machines (often through malicious JavaScript) to mine cryptocurrency, and it turns out that Monero is an ideal token for this. It can be mined on modest hardware, so a large-enough attack can net great profits.
Linux machines have been targeted in this way since at least January 2020 by malware dubbed FritzFrog, which is written in Go and propagates over SSH. It uses a peer-to-peer approach, rather than traditional Command and Control (C2) servers, making it hard for investigators to shut it down. Once a machine is compromised a netcat process is spawned to create an encrypted channel that can receive commands from other peers. And if an infected machine is rebooted then it doesn’t matter: FritzFrog thoughtfully adds its own SSH key to the machine, creating a persistent backdoor. Oh, and it’s a file-less malware too: peers send ‘proto-files’ to one another by arranging in-memory blobs, which are reconstructed and decrypted at the other side, leaving no trace.
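One defensive check against the SSH-key persistence trick described above, as an added example (not code from the article or from FritzFrog): audit an authorized_keys file against an allowlist of fingerprints the administrator actually issued, so an appended key stands out. The key blobs, fingerprints and file contents are constructed test data, not real keys.

```python
# Added example (not from the article): flag authorized_keys entries whose
# fingerprint is not on an allowlist. Fingerprints use the same SHA256
# format that `ssh-keygen -lf` prints.
import base64
import hashlib

KEY_TYPES = ("ssh-", "ecdsa-", "sk-")

def make_blob(seed: int) -> str:
    """Structurally plausible ed25519 public-key blob built from made-up
    bytes (constructed test data, NOT a real key)."""
    raw = (b"\x00\x00\x00\x0bssh-ed25519\x00\x00\x00\x20"
           + bytes((seed + i) % 256 for i in range(32)))
    return base64.b64encode(raw).decode()

def fingerprint(blob: str) -> str:
    """SHA256 fingerprint of the base64 key blob, OpenSSH style."""
    digest = hashlib.sha256(base64.b64decode(blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse_authorized_keys(text: str):
    """Yield (options, key_type, blob, comment) per key line, skipping
    blanks and comments. Assumes option values contain no spaces."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        tokens = line.split()
        idx = next((i for i, t in enumerate(tokens) if t.startswith(KEY_TYPES)), None)
        if idx is None or idx + 1 >= len(tokens):
            continue  # malformed line: no key type / blob pair
        yield (" ".join(tokens[:idx]), tokens[idx], tokens[idx + 1],
               " ".join(tokens[idx + 2:]))

def audit(text: str, allowed_fps: set) -> list:
    """Return the entries whose fingerprint is not in the allowlist."""
    unknown = []
    for opts, ktype, blob, comment in parse_authorized_keys(text):
        fp = fingerprint(blob)
        if fp not in allowed_fps:
            unknown.append({"fingerprint": fp, "type": ktype,
                            "options": opts, "comment": comment})
    return unknown

# Constructed allowlist: the keys the admin actually issued.
ALLOWED = {fingerprint(make_blob(1)), fingerprint(make_blob(2))}

# Constructed authorized_keys contents; the last, comment-less line models a
# key silently appended for persistence.
SAMPLE = "\n".join([
    "# constructed sample",
    f"ssh-ed25519 {make_blob(1)} alice@laptop",
    f'no-pty,command="/usr/bin/backup" ssh-ed25519 {make_blob(2)} backup',
    f"ssh-ed25519 {make_blob(200)}",
])

if __name__ == "__main__":
    for entry in audit(SAMPLE, ALLOWED):
        print("UNKNOWN KEY:", entry)
```

On a real host the same audit applies to every user's authorized_keys file, and the allowlist should live somewhere the host cannot rewrite.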
All this might sound like only server operators need worry, but is a desktop not just a server with a screen and fewer services? Whimsy aside, we should probably not get complacent. Many readers will have devices on their home networks that are reachable by SSH, web or any number of other interfaces. A Raspberry Pi, Kodi instances and NAS boxes can easily be identified (for example, using the https://shodan.io scanning engine) and if they still have the default passwords they are as good as 0wned.
Furthermore, many readers will be running VPSes or cloud instances, and it’s really important to keep the software on these up to date. One of the most popular (and useful) uses for these is running Nextcloud, and no one wants their Nextcloud data lost or held to ransom. If you’re running Nextcloud do yourself a favour and hit up the security scan at https://scan.nextcloud.com. It will grade your security from A+ to F, and give you helpful advice on how to achieve a better grade. This covers simple tasks such as upgrading to a supported version (Nextcloud 22 is out, hooray!) as well as more complex operations such as configuring a Content Security Policy (CSP) on your web server.
You’ve got poisoned mail
Last month we looked at running your own email server with the superb Mail-in-a-Box (MIAB). Good old-fashioned spam never really went out of fashion (and poisoned email attachments are a popular way to spread ransomware), so anyone running a mail server should take extra care. MIAB makes this very easy, but it’s interesting to point out that despite the complications in setting up your own mail server (we still don’t understand Glue Records), it’s actually trivially easy for malware to set one up in the blink of an eye. This apparent paradox comes from the fact that malware really just wants to send mail: it doesn’t care about receiving it, and it doesn’t even care if most relays reject the spam it spews forth.
It’s been estimated that takings from the ransomware industry run in excess of $20bn per year, and that there’s a ransomware attack every 11 seconds. Despite REvil shutting up shop (or having their shop otherwise shut), there’s no indication that these attacks are slowing down or becoming in any way less lucrative.
However, law enforcement and the industry are fighting back hard against ransomware. In October 2021 Ukrainian national Yaroslav Vasinskyi was arrested in Poland, having been indicted earlier in the US in August. Vasinskyi and the still-at-large Yevgeniy Polyanin, it is alleged, were both involved with REvil.
The “home of the free” has had it with ransomware peddlers, and they’re willing to put their money where their mouths are too. The US government is offering a reward of up to $10 million for information on REvil’s leadership, and $5 million for information on anyone planning to launch an attack with their software.