InfoGuard Cyber Security and Cyber Defence Blog

Father Christmas gets in quietly, bringing lots of presents with him – but they’re not always the ones you want [Part 1]

Written by Stefan Rothenbühler | 01 Dec 2021

The year is slowly drawing to a close and the festive season is right around the corner. It’s time to look back over the past year. What a year it has been! Countless cyber-attacks, often involving ransomware, have kept InfoGuard CSIRT on its toes this year. The result is a somewhat different Advent story this time around. In this three-part Advent blog series, we look at the background to this massive increase in incidents and what it has to do with presents, Father Christmas and Jack Frost.


Just three years ago, when I moved from the InfoGuard penetration testing team into defensive security at CSIRT, things were quieter – and not just during Advent. Every now and then, we would support a client with forensics and incident response during a cyber incident. Above all, however, we helped to expand the services in the InfoGuard Cyber Defence Center and worked on new detection mechanisms.

Today, hardly a day goes by that we aren’t supporting companies after a security incident. Last year there were just under 50 cases; this year there have already been over 100. It is not always ransomware: often it is phishing, business email compromise or forensic support, and in individual cases espionage and intelligence activity. In other blog articles we have already looked at why companies end up with their data encrypted and which entry points the attackers use to get in. In this year's Advent blog series, we look at the background to all this.

Christmas gifts that are a bit different

Who doesn't wish for lots of Christmas presents under a beautifully decorated Christmas tree? But that costs money – often lots of money... And if in the end, Father Christmas turns out to be a cybercriminal, the nice presents are definitely gone in a flash.

You are probably familiar with the terms Ethereum, Monero, Bitcoin and even Doge, right? If you had bought Bitcoin for 10 Swiss francs ten years ago, those coins would be worth several thousand times as much today. If only we had known then what we know now! 😄

However fascinated people may be by blockchain technology, and however many coins they may hold themselves, they also need to consider the downsides of cryptocurrencies. I won't go into the ecological issues here, but rather the fact that cryptocurrencies are inherently hard to regulate and that their users are, to varying degrees, anonymous: Bitcoin ties transactions to addresses rather than to identities, and Monero is designed to hide even the transaction details. This makes them ideal for money laundering, organised crime and the cybercrime economy.

Anonymity is not always a good thing – keyword: money laundering

In a cryptocurrency transaction, only the wallet address of the recipient is known; nothing on the chain ties that address to a person, so the recipient stays anonymous as long as the address cannot be linked to an identity. At the same time, Bitcoin transactions are easy to track: the whole system depends on every transaction being stored and validated in the public blockchain, so the flow of coins from one address to the next can be followed by anyone. The hard part for the attacker is converting the coins back into fiat money, at least in the amounts involved in ransomware cases, because regulated exchanges identify their customers and can freeze suspicious deposits. Depending on the country where the attackers are based, however, cashing out is not monitored very closely.

For Bitcoin, however, there are services that "launder" the money. Tumbler (mixer) services pool coins from many customers and send them back out through thousands of transactions to many different wallets, so that the link between a specific deposit and a specific payout is lost and it is no longer possible to say where the ransom money finally ended up. Of course, this service is not free of charge. This is probably also why many hacker groups grant quite large discounts for payment in Monero: Monero hides sender, recipient and amount by default, so it is far more anonymous than Bitcoin and its transactions are much harder to track.
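To make the tracing and the mixing described in the two paragraphs above concrete, here is an added Python example. It is not code from the InfoGuard post and uses no real chain data: the addresses, amounts and transaction IDs are constructed for illustration. The example models a tiny UTXO-style ledger, follows the coins paid to a known ransom address from hop to hop using the "haircut" taint rule (every output of a transaction inherits the tainted share of that transaction's inputs), and shows how a single mixing transaction with four unrelated users dilutes the taint evenly across all of its outputs.

```python
"""Toy taint tracing over a constructed UTXO-style ledger (illustrative only)."""
from collections import defaultdict, deque
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample ledger: addresses, amounts and txids are made up, not real chain data.
# Each transaction spends coins from its "in" addresses and pays them to its "out" addresses.
RANSOM_ADDR = "bc1_ransom"
LEDGER: List[dict] = [
    # t1: the victim pays the ransom
    {"txid": "t1", "in": [("victim", 10.0)], "out": [(RANSOM_ADDR, 10.0)]},
    # t2: the attacker splits the ransom across two fresh addresses
    {"txid": "t2", "in": [(RANSOM_ADDR, 10.0)], "out": [("hop_a", 6.0), ("hop_b", 4.0)]},
    # t3: hop_a is combined with unrelated clean coins and sent to an exchange deposit address
    {"txid": "t3", "in": [("hop_a", 6.0), ("clean_x", 6.0)], "out": [("exchange_deposit", 12.0)]},
    # t4: hop_b goes through a mixer together with four unrelated users; five equal outputs
    {"txid": "t4",
     "in": [("hop_b", 4.0), ("user1", 4.0), ("user2", 4.0), ("user3", 4.0), ("user4", 4.0)],
     "out": [(f"mix_out_{i}", 4.0) for i in range(5)]},
]


def trace_taint(ledger: List[dict], source: str) -> Dict[str, Tuple[float, float]]:
    """Haircut taint: walk the ledger in order and return {address: (tainted, balance)}.

    Coins paid into `source` are fully tainted.  When an address spends, the spent
    coins carry the address's current tainted share; every output of a transaction
    then inherits the combined tainted share of its inputs.  Inputs from addresses
    never funded on this ledger are treated as untainted external coins.
    """
    balance: Dict[str, float] = defaultdict(float)
    tainted: Dict[str, float] = defaultdict(float)
    for tx in ledger:
        tainted_in = total_in = 0.0
        for addr, amt in tx["in"]:
            total_in += amt
            if balance[addr] > 0:
                share = tainted[addr] / balance[addr]
                tainted_in += amt * share
                tainted[addr] -= amt * share
                balance[addr] -= amt
        frac = tainted_in / total_in if total_in else 0.0
        for addr, amt in tx["out"]:
            balance[addr] += amt
            tainted[addr] += amt if addr == source else amt * frac
    return {addr: (tainted[addr], balance[addr]) for addr in balance}


def tainted_share(report: Dict[str, Tuple[float, float]], addr: str) -> float:
    """Fraction of an address's current (unspent) balance that is tainted."""
    t, b = report.get(addr, (0.0, 0.0))
    return t / b if b else 0.0


def flagged_addresses(report: Dict[str, Tuple[float, float]], threshold: float) -> Set[str]:
    """Unspent addresses whose tainted share reaches the analyst's threshold."""
    return {addr for addr, (t, b) in report.items() if b > 0 and t / b >= threshold}


def trace_path(ledger: List[dict], source: str, target: str) -> Optional[List[str]]:
    """Breadth-first search over the address graph: the txids linking source to target, or None."""
    edges = defaultdict(list)  # addr -> [(next_addr, txid)]
    for tx in ledger:
        for a_in, _ in tx["in"]:
            for a_out, _ in tx["out"]:
                edges[a_in].append((a_out, tx["txid"]))
    queue = deque([(source, [])])
    seen = {source}
    while queue:
        addr, path = queue.popleft()
        if addr == target:
            return path
        for nxt, txid in edges[addr]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, path + [txid]))
    return None


if __name__ == "__main__":
    report = trace_taint(LEDGER, RANSOM_ADDR)
    print("path to exchange deposit:", trace_path(LEDGER, RANSOM_ADDR, "exchange_deposit"))
    for addr in ("exchange_deposit", "mix_out_0", "mix_out_3"):
        print(f"{addr}: {tainted_share(report, addr):.0%} tainted")
    print("flagged at 50%:", sorted(flagged_addresses(report, 0.5)))
    print("flagged at 10%:", sorted(flagged_addresses(report, 0.1)))
```

On this ledger the exchange deposit is still half ransom money and gets flagged at a 50% threshold, which is the kind of signal an exchange's compliance team acts on. After the mixer, every one of the five outputs is 20% tainted and the graph links the ransom address to all of them equally: the analyst either lowers the threshold and flags four innocent users along with the attacker, or keeps it and loses the trail. Real chain-analysis tooling uses richer heuristics (address clustering, known-service labels, different taint rules), but the dilemma the mixer creates is the same.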

So what can be done about this? There are moves to regulate cryptocurrencies more effectively, which would certainly have a significant impact on the ransomware business. Ultimately, however, all countries would have to cooperate globally for that to work. Another idea is to make paying a ransom a criminal offence. This would make a company think twice about whether paying is an option at all, but sometimes a company has no other choice, if paying is the only way to restore its encrypted data and systems. So it's a double-edged sword.

Rich pickings for cyber criminals

We will not get a handle on the cryptocurrency issue in the near future, which means that attackers will (unfortunately) still be able to treat themselves to one or two bigger gifts at Christmas. Sometimes, though, the money can be recovered, as one of the largest and most significant ransomware incidents this year showed: the US fuel pipeline operator Colonial Pipeline was hit by DarkSide ransomware. But I'll tell you about that, and what "Jack Frost" had to do with it, in the second part of our Advent story.

Don’t want to miss the next part? Then subscribe to our blog updates or follow us on LinkedIn – that way you’ll always stay up to date, and not just during Advent.