Only a few more days left until Christmas, so it's time for the last part of our Advent story. Do you remember part one, where I wrote about Christmas presents, making an analogy with blockchain and crypto? Or how about part two, where I described the link between “Father Frost” and the unmasking of hacker groups? In the last part, I will tell you about what was at the very top of my Christmas wish list when I was a child, a Lego building set, and of course, what that has to do with cybercrime.
Right on top of the wish list: a Lego building set
As a child, what gift was at the top of your wish list? Were you as fascinated by Lego as I was? I have always been spellbound by the great instructions and simplicity of these building sets - even now, after all these years.
However, kits like these are not only available from Lego, but for ransomware as well. And this is the third problem area in our Advent story and also one of the main reasons why ransomware attacks have increased so greatly. Just a few years ago, hackers had to go to enormous lengths to hack into a company, encrypt it and then blackmail it. However, many successful hackers had a “real" job on the side or other sources of income, apart from just encrypting and blackmailing companies. Consequently, this type of attack was a pretty rare occurrence.
Modern ransomware is nothing more than the building block principle
This all changed drastically in 2019 and 2020, when the well-known ransomware groups transformed themselves into Ransomware-as-a-Service (RaaS) service providers. From this point onward, you no longer needed to be a programmer to develop ransomware. You just needed to buy it from a RaaS – like buying a Lego kit from a toy shop. Nor do you necessarily have to be a hacker to gain access to a company; all you have to do is go to your Dark Web marketplace of choice and pay for access. You're in for as little as 10 dollars!
In a nutshell, anyone can get into the ransomware business even without in-depth computer and hacking knowledge. Access to the Darknet is rapidly created thanks to the 20-year-old acquaintance who knows a lot about computers, and they are paid a small sack of money for doing it. They then branch out into the Darknet and buy what is known as the REvil kit in order to encrypt the company. This is where so-called "affiliates" come in. They transfer a ransom amount to the service provider who remains in the background. It is suspected that an affiliate was also involved in the Colonial Pipeline Hack (see Parts 1 and 2), but it went a bit too far and encrypted critical infrastructure in the US. This is what got the RaaS operator (Darkside) into quite a pickle. The attribution of black matter by the encryptor’s reverse engineering and the fact that large fragments of code were probably taken over by Darkside eventually led to there being too much pressure on Blackmatter so that it went out of business.
So, even if we don‘t believe in the Christ Child, Father Christmas or Father Frost any more, all the work behind attribution still pays off, as it gives us a better understanding of the interaction between affiliates and RaaS groups. Ultimately, it may even lead to us getting to grips with this problem area as well. If it becomes too dangerous for the RaaS groups to provide the petty criminals on the block with their powerful encryptions, this could also be a way to solve the problem.
In this spirit, I and the entire InfoGuard team would like to wish you happy and ransomware-free holidays, lots of presents under the Christmas tree and, above all, a somewhat quieter festive season. Unfortunately, the Russian holidays do not start until January, so we will be here for you over the holidays too, should Father Frost show up instead of the Christ Child.
Don’t miss out on our competition!
And before I forget – have you read all three parts of the Advent blog carefully? Then you will definitely be able to easily answer the questions for our competition.
In the next door, which opens on 17 december, there is an attractive competition with prizes for you personally and your company. To make sure you don't miss out, subscribe to our blog updates and/or follow us on LinkedIn. We are crossing our fingers for you!! Featured image
![[Video] InfoGuard Incident Response − a real Ransomware attack on a Swiss customer](https://www.infoguard.ch/hubfs/infoguard-incident-response.jpg)
