Let's Know Things
LockBit


Recommended Book: Daemon by Daniel Suarez


Transcript

Ransomware is a sub-type of malware, which is malicious software that prevents its victim from accessing their data.

So that might mean keeping them from logging into their cloud storage, but it might also mean encrypting their data so that there's no way to access it, ever again, unless they have the necessary decryptor, which is a piece of software or sometimes just a key that allows for the decryption of that encrypted, that locked-down data.

The specifics of all this, though, are often less important than the practical reality of it.

If you're attacked by a ransomware gang or hacker, your stuff, maybe your personal files, maybe your business files, all your customer information, your valuable trade secrets, anything that's stored digitally, might be completely inaccessible to you, and possibly even prone to deletion, though that might not even be necessary since strong encryption is essentially the same thing as deletion, for most intents and purposes; but all that data is gone, held hostage until and unless you pay some kind of ransom to the person or group that encrypted it, and which holds the key to its decryption.

Most ransomware software is transmitted to its victims' computers via a trojan, which is a kind of malware that seems like real-deal software that you actually want or need to install, and folks are generally tricked into downloading and installing it because of that presumed legitimacy.

So maybe you receive what looks like a software update for a tool you use at work, and it turns out the update was faked and what you installed was actually a trojan that installed malware on your computer, and consequently on your network, instead.

Or maybe you pirated some software, and alongside the fake copy of Photoshop you installed, a trojan also carried another snippet of code that then, in the background, when your computer was hooked up to the internet, downloaded malware that looked for private data and encrypted it.

At some point after ransomware is delivered and installed, your data successfully encrypted and inaccessible, you'll receive the ransom demand.

For a while this was kind of an ad hoc thing, in some cases targeting people randomly on early internet usenet groups, in others big companies and other wealthy entities being specifically targeted and then ransomware teams calling or emailing or texting them directly, because they knew who they were hitting.

In recent years, this has become a more distributed and mainstream effort, akin to an organized business, and that mainstreamification was partially enabled by the dawn of crypto-currencies like Bitcoin, which allow for relatively anonymous transactions with strangers, and the development of ransomware that is self-contained, in that it can install itself, find the right, valuable files, and then demand a ransom from its victim, providing that victim with the proper bitcoin wallet or other crypto-banking system into which they need to deposit a fixed amount of money in that less-trackable digital currency.

The software can then, still autonomously, either decrypt the files once the ransom is paid, or delete the files, killing them off forever, if the ransom isn't paid by an established deadline.

Other variations on this theme exist, and some ransomware doesn't use encryption as a motivator to pay, but instead locks down users' machines, displays some kind of demand for money, purporting to be a government agency (or lying about having encrypted or stolen something of value), or it threatens to install illegal pornographic images of minors on the victims' machines if they don't pay the ransom.

By far the most popular approach to ransomware, today, though, is encryption-based, and recent evolutions in the business model backing ransomware have escalated its use, especially what's become known as ransomware-as-a-service, which was popularized by a Russian hacker group calling itself REvil that started using it against a variety of targets, globally, to devastating and profitable effect.

What I'd like to talk about today is another group that has made successful use of this business model, and a recent investigation into and operation against that group.

First observed by cybersecurity entities in 2019, LockBit quickly became one of the most prolific and effective ransomware-as-a-service providers in the world, their offering, a product called LockBit 2.0, representing the most-used ransomware variant globally in 2022, accounting for something like 23% of all ransomware attacks in the US in 2023, and around 44% of all such attacks globally.

According to the FBI, LockBit has been used to launch around 1,700 ransomware attacks in the US since 2020, and according to the US Cybersecurity and Infrastructure Security Agency, about $91 million worth of ransoms were paid in the US alone over the past three years, and it's estimated that number is in the hundreds of millions when we include targets around the world.

LockBit's offerings work like many other ransomware-as-a-service offerings, in that they provide what amounts to a dashboard filled with tools that allow users, those who wish to deploy ransomware attacks, those users being their customers, everything they need to do so, and most of their offerings allow even folks with little or no technical knowledge to launch a successful ransomware campaign; it's that user-friendly and intuitive.

Hackers using LockBit announced the 2.0 version of the service by attacking professional services giant Accenture in 2021, using what's called a double-extortion approach, which involves encrypting their victim's data, and then threatening to release it if their victim doesn't pay up.

They then hit French electrical systems and administrative and management services companies, alongside a French hospital, a group of British automotive retailers, a French office equipment company, the California Finance Administration, the port of Lisbon, and Toronto's Hospital for Sick Children in 2022—in that latter case backtracking after realizing a children's hospital was hit, the group formally apologizing for what they called a violation of its rules by a member of its group, who it claimed was no longer a part of its affiliate program; it provided a free decryptor for the hospital so it could regain access to its data.

And that response gestures at the larger opportunities and problems associated with this kind of business model.

LockBit is run by a group of people who develop the software tools and provide the services backing up those tools to help anyone who wants to use their product successfully launch ransomware attacks against whomever they want.

There are apparently rules about who they can attack, but that's kind of like being a gun store operator who tells their customers they're not allowed to shoot anyone, and if they do, they'll have their gun taken away: they can certainly have those rules in place, but by the time they take back the gun they sold to someone who ends up shooting someone else with it, some damage has already been done.

The business models of ransomware-as-a-service schemes vary, and some groups allow their customers to just pay a set licensing fee, once or recurringly, others have profit-sharing schemes, while others have affiliate programs of some flavor.

LockBit seems to have landed on a scheme in which they take something like 20% of whatever their customers, those using their LockBit service, are able to get as a ransom.

And just like other software-as-a-service companies, LockBit is thus incentivized to continue providing better and better services, lest their customers leave and use one of their competitor's offerings, instead.

Thus, in mid-2022, they released LockBit 3.0, and among other innovations it offered a bug bounty program, which provides payouts to security researchers who find errors in their code—something that companies like Microsoft and Google do, but not something other ransomware gangs have done in the past.

The attacks kept coming through 2022 and 2023, and though the US Department of Justice announced criminal charges against one Russian national for his alleged connection to LockBit as an affiliate, and the arrest of another for his participation in a LockBit-oriented campaign, the hits just kept coming, LockBit affiliates attacking a French luxury goods company, a German car equipment manufacturer, a chain of Canadian bookstores, the Hong Kong branch of the China Daily newspaper, the Taiwanese TSMC semiconductor company, the Port of Nagoya in Japan, US aerospace and defense company Boeing, the Chicago Trading Company, and Alphadyne Asset Management, and it kicked off 2024 by encrypting the computer system of Fulton County, Georgia.

On February 19, 2024, the UK's National Crime Agency, working with Europol and agencies from 9 other countries seized LockBit's online assets, including more than 200 crypto wallets, 34 servers located in eight countries, and about 11,000 domains used by LockBit and its affiliates as part of its ransomware-installation and payout process.

They discovered that some of the data supposedly deleted by the group when their victims paid their ransoms wasn't deleted as promised, and they released decryptors to free the data of victims who hadn't paid ransoms, and who had thus been going without access to their data, in some cases for a long time.

They also issued three international arrest warrants and five indictments that target other people related to LockBit's operations, and they've issued a reward of up to $15 million for information about LockBit associates.

This operation, called Operation Cronos, took years to set up and months to complete, once it was ready to go, and though the agencies behind the operation say they've still got plenty left to do—as those in charge of LockBit are still in the wind, some ransomware tools are still functioning, at least partially, and thousands of accounts associated with LockBit affiliates have been identified, but not yet shut down—it's also being seen as a pretty solid success, allowing them to develop a universal decryptor for LockBit 3.0, and taking out much of the online infrastructure LockBit relied upon to function, not to mention, no doubt, a fair bit of its reputation, as it's likely many of its potential customers will now flee to other offerings for their ransomware-as-a-service needs.

All that said, ransomware continues to be a significant threat, for individuals, but especially for business entities, agencies, and organizations of any size, and there are plenty of other options out there for such tools, and only so many cybercrime agencies capable of tackling them; and it seems to take a lot longer to do the tackling than it does to set up a successful, large-scale ransomware-as-a-service business.

So the combination of potent encryption tools, automated services, and a potent means of earning fairly consistent income seems likely to keep ransomware tools of this kind in the money for the foreseeable future, and that means, even with these periodic takedowns of people involved with the larger-scale entities in this space, this approach to siphoning money from wealthy entities from a distance will probably continue to grow, until the next, more profitable and effective version of the same comes along.


Show Notes

https://www.bleepingcomputer.com/news/security/police-arrest-lockbit-ransomware-members-release-decryptor-in-global-crackdown/

https://www.bleepingcomputer.com/news/security/lockbit-ransomware-disrupted-by-global-police-operation/

https://www.bleepingcomputer.com/news/security/ransomware-gang-apologizes-gives-sickkids-hospital-free-decryptor/

https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-lockbit

https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-165a

https://www.bbc.com/news/world-us-canada-63590481

https://www.justice.gov/usao-nj/pr/russian-and-canadian-national-charged-participation-lockbit-global-ransomware-campaign

https://krebsonsecurity.com/2024/02/feds-seize-lockbit-ransomware-websites-offer-decryption-tools-troll-affiliates/

https://www.washingtonpost.com/business/2024/02/20/lockbit-ransomware-cronos-nca-fbi/

https://www.axios.com/2024/02/19/lockbit-ransomware-takedown-operation

https://www.reuters.com/technology/cybersecurity/us-offers-up-15-mln-information-lockbit-leaders-state-dept-says-2024-02-21/

https://arstechnica.com/security/2024/02/after-years-of-losing-its-finally-feds-turn-to-troll-ransomware-group/

https://arstechnica.com/information-technology/2024/02/lockbit-ransomware-group-taken-down-in-multinational-operation/

https://www.bloomberg.com/news/articles/2024-02-21/russia-s-lockbit-disrupted-but-not-dead-hacking-experts-warn

https://en.wikipedia.org/wiki/Lockbit

https://en.wikipedia.org/wiki/Ransomware

https://en.wikipedia.org/wiki/Ransomware_as_a_service

A calm, non-shouty, non-polemical, weekly news analysis podcast for folks of all stripes and leanings who want to know more about what's happening in the world around them. Hosted by analytic journalist Colin Wright since 2016.