Ransomware attacks, including those of the massively disruptive and dangerous variety, have proved difficult to combat completely. Hospitals, government agencies, schools and even critical infrastructure companies continue to face disabling attacks and large ransom demands from hackers. But as governments around the world and law enforcement agencies in the United States have become serious about cracking down on ransomware and have begun to make some progress, researchers are trying to stay one step ahead of attackers and predict where ransomware gangs may turn next if their main hustle becomes impractical.
At the RSA Security Conference in San Francisco on Monday, longtime researcher Crane Hassold will present findings warning that it would be logical for ransomware actors to eventually shift their operations to business email compromise (BEC) attacks as ransomware becomes less profitable or carries a higher risk for attackers. In the United States, the Federal Bureau of Investigation has repeatedly found that the total amount of money stolen in BEC scams far exceeds that stolen in ransomware attacks, although ransomware attacks may be more visible and cause more disruption and associated losses.
In a business email compromise, attackers infiltrate a legitimate corporate email account and use that access to send fake invoices or initiate contract payments, tricking companies into transferring money to criminals when they think they are just paying their bills.
“So much attention is being paid to ransomware, and governments around the world are intervening to disrupt it, so ultimately the return on investment will be affected,” said Hassold, director of threat intelligence at Abnormal Security and a former digital behavioral analyst for the FBI. “And ransomware actors will not say ‘Oh, hey, you got me’ and walk away. So it’s possible you would have this new threat where you have the more sophisticated actors behind ransomware campaigns moving over to the BEC space, where all the money is earned.”
BEC attacks, many of which originate from West Africa and specifically Nigeria, are historically less technical and more dependent on social engineering, the art of creating a compelling narrative that tricks victims into acting against their own interests. But Hassold points out that much of the malware used in ransomware attacks is built to be flexible and modular, allowing different types of scammers to put together the combination of software tools they need for their specific hustle. And the technical ability to establish “initial access,” or a digital foothold, and then deploy other malware would be extremely useful for BEC, where gaining access to strategic email accounts is the first step in most campaigns. Ransomware actors would bring a much higher level of technical sophistication to this aspect of the fraud.
Hassold also points out that while the most notorious and aggressive ransomware gangs are typically small teams, BEC actors are usually organized into much looser and more decentralized collectives, making it harder for law enforcement to target a central organization or kingpin. Much as Russia has been unwilling to cooperate on ransomware investigations, it has taken time for global law enforcement to develop cooperative relations with the Nigerian government to counter BEC. But even though Nigeria has placed more emphasis on BEC enforcement, addressing the scale of the fraudulent operations is still a challenge.