Joint Effort Snares Gang of Cyberthugs
One of cybercriminals' strengths has been the whack-a-mole tactic. If an operation is disrupted in one country, all they have to do is move to another and ramp up again. That advantage is dissipating, however, as international collaboration among law enforcement and security experts accelerates. Spanish police, Europol and Trend Micro worked together this week to break up a gang of cybervillains.
Feb 14, 2013 4:43 PM PT
Europol announced Wednesday the breakup of a gang of cybercriminals who allegedly ran a ransomware scheme to extract money from online users in 30 countries. Spanish police, working alongside Europol's European Cybercrime Center (EC3), made 11 arrests in an action dubbed "Operation Ransom."
The cyberthieves are accused of paralyzing computers with a virus, then masquerading as police agencies and telling the owners that illegal online activity had been detected. In some cases, the thieves even masqueraded as Europol itself.
Users were told they would have to pay a fine to have their computers unlocked. The gang reportedly persuaded at least 3 percent of its victims to pay fines of 100 euros (US$134).
Investigators found up to 48 variants of the malware, which typically installs itself on a computer by tricking users into downloading a malicious executable code.
Among the 11 people netted by Operation Ransom are a 27-year old Russian, believed to the be the ringleader, who was arrested this week while vacationing in the United Arab Emirates.
The EC3 did not respond to our request for further details.
Holding Computers for Ransom
Unlike cybercriminals who steal information directly from computers, this ring relied on ransomware, a type of scareware designed to look legitimate in order to fool users. Unlike malware that operates in the background, ransomware makes itself known to users.
"The malware would freeze infected PCs and display a message purporting to be from law officials saying the end user had visited an illegal website -- file-sharing, child pornography and terrorist sites, for example -- and that his/her PC had been disabled as a result," said Charles King, principal analyst at Pund-IT. "Then the user was offered an option to unfreeze the PC by sending a fee -- or ransom -- of 100 euros to an online account for so-called 'PaySafeCard/UKash' vouchers."
In this case, Trend Micro helped play a key role in the takedown and was able to determine the large number of variations of the original virus.
Given that the ransomware looks official yet then asks for money to be paid with a voucher, it seems that the scam would be easy to detect -- and, as noted, only a small portion of users actually paid. However, many more people's computers were infected.
"The thing that is challenging with malware of this type is that potentially anyone can get caught with it," said Christopher Budd, threats communications manager at Trend Micro. "The threat environment has become dangerous to an extreme degree."
Thus, while savvy users may know not to go to certain sites or click on certain types of links, cybercriminals are looking at hacks in legitimate sites and taking advantage of security holes in popular software, including Java and Flash.
"Pretty much anyone can be at risk," Budd told TechNewsWorld. "Technical advances in the latest malware in untested platforms including social media have also created a computing environment that is dangerous to an unprecedented degree. We're all at risk."
Breaking a Gang
Just as law enforcement continues to fight a long-running war on drug and human traffickers, it will take more than one high- profile gang bust before the tide can be turned.
"It isn't a drop in the ocean, but one event in itself isn't a deterrent," said Budd.
That said, "a series of events can over time raise the bar, making it uncomfortable and less profitable -- and too much of a hassle," he noted.
"The simple fact is that criminals are at heart lazy," Budded added. "They go where the easy money is. We want to make it more difficult in this arena."
While criminals may be lazy, many law enforcement agencies are ever vigilant. Just 10 years ago, there was only the FBI to call in the United States, and that agency hardly ever worked with software firms. Today it is a different story.
"In this case, Trend Micro helped track down the origins of the malware, assisting European law enforcement officials much as they did the FBI in pursuing the group behind the 2011 DNS Changer virus," said King. "There have been similar efforts by other IT companies, including Microsoft, Symantec and F-Secure."
War Dance Against the Cybercriminals
Over the past half-decade, there's been a growing realization that cybercriminals are moving much faster than many government agencies, King told TechNewsWorld.
"The assistance Trend Micro provided to Spanish officials is simply the latest instance of what will be increasing, continuing cooperation between law enforcement and technology/security vendors," he emphasized.
Thus there has been a growth of cooperation between private firms and public law enforcement.
"It is one of those things that is like a dance between the companies and law enforcement," said Budd. "We came to the dance five years ago and started to dance, now we've hit our groove."