Ransomware attacks, including those of the massively disruptive and dangerous variety, have proved difficult to combat comprehensively. Hospitals, government agencies, schools, and even critical infrastructure companies continue to face debilitating attacks and large ransom demands from hackers.
But as governments around the world and law enforcement in the United States have grown serious about cracking down on ransomware and have started to make some progress, researchers are trying to stay a step ahead of attackers and anticipate where ransomware gangs may turn next if their main hustle becomes impractical.
At the RSA security conference in San Francisco on Monday, long time digital scams researcher Crane Hassold will present findings that warn it would be logical for ransomware actors to eventually convert their operations to business email compromise (BEC) attacks as ransomware becomes less profitable or carries a higher risk for attackers.
In the US, the Federal Bureau of Investigation has repeatedly found that total money stolen in BEC scams far exceeds that pilfered in ransomware attacks—though ransomware attacks can be more visible and cause more disruption and associated losses.
In business email compromise, attackers infiltrate a legitimate corporate email account and use the access to send phoney invoices or initiate contract payments that trick businesses into wiring money to criminals when they think they’re just paying their bills.
“So much attention is being paid to ransomware, and governments all over the world are taking action to disrupt it, so eventually the return on investment is going to be impacted,” says Hassold, who is director of threat intelligence at Abnormal Security and a former digital behaviour analyst for the FBI. “And ransomware actors are not going to say, ‘Oh, hey, you got me’ and go away. So, it’s possible that you would have this new threat where you have the more sophisticated actors behind ransomware campaigns moving over to the BEC space where all the money is being made.”
BEC attacks, many of which originate in West Africa and specifically Nigeria, are historically less technical and rely more on social engineering, the art of creating a compelling narrative that tricks victims into taking actions against their own interests. But Hassold points out that a lot of the malware used in ransomware attacks is built to be flexible, with a modular quality so different types of scammers can assemble the combination of software tools they need for their specific hustle.
And the technical ability to establish “initial access,” or a digital foothold, to then deploy other malware would be extremely useful for BEC, where gaining access to strategic email accounts is the first step in most campaigns. Ransomware actors would bring a much higher level of technical sophistication to this aspect of the scams.
Hassold also points out that while the most notorious and aggressive ransomware gangs are typically small teams, BEC actors are usually organised into much looser and more decentralised collectives, making it more difficult for law enforcement to target a central organisation or kingpin.
Like Russia’s unwillingness to cooperate on ransomware investigations, it has taken time for global law enforcement to develop working relationships with the Nigerian government to counter BEC. But even as Nigeria has put more emphasis on BEC enforcement, countering the sheer scale of the scam operations is still a challenge.
“You can’t just cut off the head of the snake,” Hassold says. “If you arrest a dozen or even a few hundred of these actors, you’re still not making much of a dent.”
For ransomware actors, the most difficult aspect of transitioning to BEC scams would likely be the dramatic difference in collecting stolen money. Ransomware gangs almost exclusively collect victim payments in cryptocurrency, while BEC actors primarily use local networks of money mules in the markets where they launch their scams to launder fiat currency. Ransomware actors would need to plug into existing networks or invest in establishing their own to monetise BEC scams and have somewhere for the errant payments to go.
Hassold points out, though, that as law enforcement becomes increasingly adept at tracing and freezing cryptocurrency payments—and as the value of cryptocurrencies continues to fluctuate wildly—ransomware actors may be motivated to learn new techniques and switch gears.
Crucially, Hassold notes that while he and his colleagues have not seen evidence of active collaboration between Eastern European ransomware gangs and West African BEC actors, he does see evidence on criminal forums and in active engagement with attackers that ransomware actors are interested in BEC and have been learning about it. Whether this exploration is simply for, ahem, professional enrichment, remains to be seen.
“All of these types of attacks are very serious, and the stakes are very high, so it got me thinking about what things will look like in the future when ransomware eventually gets disrupted,” Hassold says. “It’s possible that these two threats on opposite sides of the cybercrime spectrum will converge in the future—and we need to be ready for that.”