It's a simple fact: the trend is towards a more and more professional approach by groups of cybercriminals. Using increasingly organised methods, they structure themselves into various “business units”, from design through to sales, including distribution and support. Here’s an update on the emergence of a complete parallel economy.
2021 was marked by the extension of ransomware to larger targets, and by threats to data confidentiality. And the increasingly professional approach taken by cybercriminal groups has been plain to see: the malware industry has grown and, along with it, a whole parallel economy of cyber-threat has sprung up, featuring a variety of different trades. In response to this increasingly organised and industrialised threat, companies and institutions need to be constantly on the lookout for effective countermeasures. But are all these solutions the right ones? Is a bug bounty enough to detect the flaws in a company’s IT systems? Will “cyber-ransom negotiator” be a profession of the future?
Two-million-dollar vulnerabilities
The growth of the cyberattack market is such that “nowadays, we can undoubtedly speak of a parallel economy,” explains Sébastien Viou, Cybersecurity Product Director and Cyber-Evangelist at Stormshield. This parallel economy is thought to be worth nearly 1.5 billion dollars a year. And it's a sector that is now starting to structure itself as a traditional market, with marketplaces, its own communication and distribution channels, supply and demand mechanisms and competitive tendering processes. And even catalogues: at entry level, it’s possible to obtain credit card data for 10 dollars, login IDs for between 100 and 1,000 dollars, and malware for several tens or hundreds of dollars. At the top end of the market are wares such as “zero day” flaws, which can change hands for high-end prices from 500,000 to 2 million dollars. As in any economic sector, agents are on the lookout for the greatest profits. And this means that they’re moving from a “products and tools” philosophy to a service-oriented one; this is the age of malicious turnkey campaigns (Ransomware-as-a-Service and Malware-as-a-Service). By launching a sufficient number of simple attacks – entailing relatively minimal operating and infrastructure costs – cybercriminals stand to make big profits. According to Deloitte, a low-end cyberattack costing 34 dollars per month can yield up to $25,000. And such financial windfalls can later turn into investment funds; in 2021, members of the LAPSUS$ group were regularly posting bribery offers on the Reddit network aimed at employees of large groups who might potentially be prepared to monetise their access to internal networks.
And to cap it all, cybercriminal groups sometimes adopt commercial techniques resembling those used by real bricks-and-mortar companies. Sébastien Viou confirms this: “Nowadays, it’s possible to take out subscriptions for regular access to attack methods. They offer discounts and promotions, such as ‘buy 11 months, get one free’.” And some even offer after-sales service, he adds.
The exponential growth in this “sector” is being driven by the ransomware ecosystem, for which “the rewards on offer can total several million euros and are being used to finance an entire system that’s becoming increasingly structured, hierarchical and professional,” Viou explains. And this ecosystem is (sadly) a hyperactive one: a new ransomware attack takes place every 11 seconds on average. The ransom market has “probably reached a point of equilibrium,” according to the Canadian Centre for Cyber Security in a bulletin published in late 2021. It claims that “threat actors are getting better at tailoring their demands to the amounts their victims are likely to pay, given the rising cost of business recovery and the risk of reputational damage if their data were to be leaked.” As a result, this booming parallel economy is ringing all manner of alarm bells for cybersecurity players. According to official French guidelines, the ANSSI agency recommends not paying ransoms: this forms part of the initial advice it gives to victims. But this rule isn’t always so easy to follow in practice. In 2020, as revealed by French newspaper Le Canard Enchaîné, France’s national gendarmerie became involved in negotiating a ransom for a major international shipping company. “The company – standing to lose 60 million per day of downtime – chose to pay up to make the problem go away,” the publication quipped. “One year later, thanks to information gathered by the elite GIGN police unit during negotiations, the perps were collared near Kiev.” Other institutions and companies have made similar admissions, such as the University of Maastricht.
Such events demand a response from the cybersecurity sector. But what form should that take?
In cybersecurity terms, the fight-back is starting
In response to this increasingly professional cyber-threat, the cybersecurity economy has also stepped up its game. In Europe alone, the market was valued at €23 billion in 2020, and – according to estimates – is likely to grow to €43.8 billion by 2026.
The market and sector have already demonstrated their ability to adapt via means that include the introduction of bug bounties and pentesting. The concept, which dates back to the mid-1990s, is based on offering rewards to anyone who manages to identify flaws in corporate information systems. Is this likely to be sufficient on its own to herald a new, virtuous system in which publishers identify flaws before cyberattackers do? Not really: although they can be effective, bug bounties have their limits. Cybersecurity researcher and hacker Baptiste Robert believes that “they help to place cybersecurity front and centre stage in the media. But some companies believe – wrongly – that this is enough on its own to protect them.” What’s more, the business model associated with the method is open to criticism: “All workers are worth their hire,” he asserts. Some amateurs and professionals may spend several weeks looking for a bug, yet receive no compensation if they don’t succeed. As the co-founder of Predicta Lab notes, the method is all the more open to question because participants are often young, and live in countries where average wages are low. In the case of Facebook, for example, the researchers who most commonly pick up the rewards are Russian and Indian. “They are enticed by potentially head-turning rewards, but there’s no guarantee they’ll ultimately get paid,” he says sadly. Some may strike it big (between $100,000 and $1 million), but they are the exception to the rule. Conversely, the sums promised on the darknet for the sale of sensitive information are often more attractive…
So how can we ensure that this cybersecurity economy can respond to evolving threats? Another avenue has been explored: the creation of an economy built on ransomware. This is based mainly on negotiators who act as intermediaries between companies and cybercriminals in relation to ransomware attacks. French daily newspaper Le Monde describes their role as “not being limited merely to negotiating with the hackers; they also help the victims to co-ordinate their response better to get through this experience, which can often feel like a long journey through the wilderness.” The very use of the word “negotiate” makes Renaud Feil wince. The boss of Synacktiv – a company specialising in security audits – believes that the act of negotiating with cybercriminals is “highly controversial. Firstly, because we’re deluded if we think we have any real negotiating leverage. Unlike a hostage-taking situation, where the attacker faces a significant or even existential risk if the authorities get involved, cyberattackers know that the balance of power is pretty much in their favour,” he explains. But in that case, what exactly is the point of using go-betweens in negotiations? Should they be banned? In an attempt to answer this question, the Public Prosecutor's Office of Paris has set up a cybercrime section aimed at preventing such intermediaries from benefiting from the profits of ransomware, as Captain Paul-Alexandre Gillot explained during the FIC 2021 forum. The question of banning them was posed then… and is still being posed now.
“Comprehensive” cyber-insurance: a good idea in theory only?
Could turning to an insurer who offers to cover the consequences of a cyberattack be the miracle solution to the problem, as it is in other insurance matters? Synacktiv’s CEO gives the initiative top marks for effort, but favours an approach where compensation is provided by the State, using the same model that is adopted for natural disasters. “Several insurance companies have tried to enter this market,” Feil says. “But they ultimately refused to pay ransoms. Most of them gave up: the risk and cost associated with the insurance was too great, and too hard to predict in future.” Viou shares this cautious attitude: “There are companies out there who, two years after being hit by an attack, still haven’t received any money from their insurers. Furthermore, while it may seem reasonable in theory for a company to insure itself against the theft of its intellectual property – if the insurance company pays the ransom, isn’t it an accomplice to the crime? Isn’t it helping to support the ransomware business?”
This is a view also held by ANSSI director Guillaume Poupard. At a meeting covering cybersecurity for VSEs and SMEs held in April 2021, he was quick to criticise the “murky” approach adopted by some insurers. While understanding that a ransom payment may appear rational in the eyes of an insurer, he believes that this strategy is a counter-productive one. “What we need to do is to fight these actors; otherwise, a major ecosystem will start to take shape,” Poupard cautions. The French government has spent a number of months deliberating this issue, considering the prohibition of any ransom payments by insurance companies, and even a ban on such cyber insurance.
But another possible outcome is that the market will simply collapse on its own. In January 2022, the cost of such insurance rose exponentially, with increases of… up to 100%. It’s a case of “take it or leave it,” as the AGEFI financial media group so accurately put it. Some are suggesting that this price trend may signal the end of such offerings. “Five years ago, insurers were falling over themselves to sell cyber-insurance policies. But now, these policies are being stripped of their substance. More than just price increases, the problem is insurers’ ability and appetite for taking on risk,” said Oliver Wild, President of the AMRAE corporate insurance and risk management association. But cyber-insurance has another problem to deal with, this time from the cybercriminals themselves: based on the information they are able to glean, they can factor in whether or not an insurance policy is in place not only when selecting targets, but also when choosing the ransom sums to be demanded. So cyber-insurers could find themselves having to pay out kings’ ransoms…
So how do you prevent the growth of a parallel market with little or no regulatory governance? Baptiste Robert believes we need to bear in mind that “there’s no such thing as maximum security. We might dream of a virtuous system where flaws are discovered ahead of time, and where no sites or systems can be hacked, but that isn’t realistic.” He believes that the best possible solution is still to put up entry barriers against attackers in an attempt to “disincentivise” them as much as possible… and to ensure that the cost of a cyberattack remains higher than its potential benefits.