Business email compromise scams are ready to eclipse ransomware

Ransomware attacks, including those of the massively destructive and dangerous variety, have proved difficult to combat comprehensively. Hospitals, government agencies, schools and even critical infrastructure companies continue to face debilitating attacks and large ransom demands from hackers. But as governments around the world and law enforcement agencies in the United States get serious about fighting ransomware and begin to make some progress, researchers are trying to stay one step ahead of attackers and predict where ransomware gangs might head if their standard approach becomes impractical.

At the RSA Security Conference in San Francisco on Monday, longtime digital fraud researcher Crane Hassold will present findings that warn it would make sense for ransomware actors to eventually convert their operations to business email compromise (BEC) attacks as ransomware becomes less profitable or carries a higher risk for attackers. In the US, the Federal Bureau of Investigation has repeatedly found that the total money stolen in BEC scams far exceeds that stolen in ransomware attacks – even though ransomware attacks can be more visible and cause more disruption and related losses.

In a business email compromise, attackers break into a legitimate corporate email account and use the access to send fake invoices or initiate contract payments that trick businesses into transferring money to criminals when they think they’re just paying their bills.

“There’s so much attention on ransomware and governments around the world are taking action to disrupt it, so ultimately the return on investment will be affected,” said Hassold, who is director of threat intelligence at Abnormal Security and a former digital behavior analyst at the FBI. “And ransomware actors aren’t going to say, ‘Oh hey, you got me,’ and walk away. So you may have this new threat where the more sophisticated actors behind ransomware campaigns are moving into the BEC space where all the money is being made.”

BEC attacks, many of which originate in West Africa, and Nigeria in particular, have historically been less technical and more reliant on social engineering, the art of creating a compelling narrative that tricks victims into taking action against their own interests. But Hassold points out that much of the malware used in ransomware attacks is designed to be flexible, with a modular quality so that different types of fraudsters can assemble the mix of software tools they need for their specific job. And the technical ability to establish “initial access,” a digital foothold from which to deploy other malware, would be extremely useful for BEC, where gaining access to strategic email accounts is the first step in most campaigns. Ransomware actors would bring a much higher level of technical sophistication to this aspect of fraud.

Hassold also points out that while the most notorious and aggressive ransomware gangs tend to be small teams, BEC participants tend to be organized into much looser and more decentralized collectives, making it harder for law enforcement to target a central organization or kingpin. Similar to Russia’s reluctance to cooperate in ransomware investigations, it took time for global law enforcement to develop a working relationship with the Nigerian government to counter BEC. But although Nigeria has placed greater emphasis on BEC enforcement, countering the sheer scale of fraudulent operations is still a challenge.
