Malware now comes with customer service

The criminal operators are acting like legitimate firms, offering support services and even hiring graphic designers, researchers tell a Black Hat panel.

Alfred Ng Senior Reporter / CNET News
Alfred Ng was a senior reporter for CNET News. He was raised in Brooklyn and previously worked on the New York Daily News's social media and breaking news teams.

Hackers behind some of the most notorious ransomware around are taking some hints from legit Wall Street companies.

Malware strains like Locky and Cerber helped make ransomware a $25 million industry in 2016, and its operators are starting to run like conventional corporations with "customer" service staff and outsourced resources, researchers explained Wednesday at Black Hat.

Ransomware has devastated hospitals, universities, banks, and essentially any computer network with weak security over the last 10 years, but attacks have become even more prevalent as infection rates and payments grow. The malware encrypts files on a victim's computer and demands a payment -- one of which reached $1 million -- if the victim ever wants to get the data back.

Researchers at Google, Chainalysis, New York University and University of California San Diego followed the money trail and got a look at the evolving ecosystem of ransomware. During the presentation at the Las Vegas conference, the team showed a new professional side to ransomware.

Instead of working as criminals, ransomware attackers are treating their victims as "customers" and bringing in support staff to deal with their "sales." Yes, just like how your phone providers and banks have customer service, now, so does ransomware.

"It's become a well-oiled machine," said Elie Bursztein, Google's anti-abuse research team lead. "It operates like a real company, that shows how mainstream it's become and how much it's here to stay."

Customer service reps help victims find out how to buy cryptocurrency, like bitcoin, to pay the ransom and negotiate with victims to decrypt specific files. They also offer immunity packages to ensure victims can't get hit again.

Bursztein said the development has been staggering, as ransomware has evolved into organized crime. Cybercriminals have even hired graphic designers to give their websites and malware a more inviting aesthetic.

Google's research team also found that ransomware attackers have been outsourcing much of the heavy lifting to massive botnets to get people infected. The operators of Locky and Cerber both rented the Necurs botnet to spam millions of emails in the hopes of spreading their ransomware around the world.

The outsourcing paid off, as Locky made $7.8 million in 2016, while Cerber raked in $6.9 million that year.

Cerber also lets criminals who can't code malware get in on the cut by renting its ransomware out, Bursztein said. Low-tech crooks can buy Cerber's ransomware as a service and rake in crumbs off the table based on how many people they've infected.

The strategy helped Cerber earn more than $200,000 a month and become the fastest-rising ransomware of 2017.

"Ransomware as a service has become a dominant model," Bursztein said. "All you have to do is infect people, and then you get a cut."

The researchers also found new variations of the Cerber ransomware that have been tweaked to get past anti-virus scanners. In 2017, there had been 23,000 new binaries for the Cerber ransomware, while Locky had 6,000 new variations.

Hackers are working around the clock to keep ahead of the competition to make as much money as possible. These sophisticated attacks, with business-minded infrastructure, make ransomware like WannaCry and NotPetya -- which last month locked up devices at multibillion-dollar companies -- look like imposters.

While Locky and Cerber pull in millions of dollars every year, WannaCry and NotPetya have struggled to break five figures. It's more likely that WannaCry and NotPetya are covers for wipeware: attacks disguised as ransomware that are really just after destroying your data. They don't have a supporting network, and in NotPetya's case, the email to pay the ransom didn't even work.

Google researcher Luca Invernizzi said the organization of ransomware in the last two years should be a "wake-up call." He found that only 30 percent of people back up their data, making the majority vulnerable to ransomware attacks. As ransomware dives into organized crime, the rate of infection will only increase.

"This has become a full ecosystem where you have people who write the ransomware, people who manage the botnet, customer service, and people designing their payment sites," Invernizzi said.
