____________________________________________________________

Project Counsel Media is part of The Project Counsel Group. We cover the areas of cyber security, digital technology, legal technology, media, and mobile technology.
____________________________________________________________
THE 28 MAY 2021 WEEKEND "BONG" REPORT:
selected news from the eDiscovery and information governance communities, with additional contributions from our cyber security and digital media communities
This weekend's lead story:
Understanding the underground ransomware economy

This weekend's edition was curated and written by:
Gregory Bufithis
Founder/CEO
Project Counsel Media
assisted by:
Catarina Conti
Social Media Manager
Project Counsel Media
28 May 2021 (Brussels, Belgium) - In all of our work through the years we have always tried to go beyond the usual legal and technology news to provide a look at the trends and technologies that have accelerated the convergence of the discrete yet mutually inclusive domains we have covered for 20+ years: cybersecurity, digital media, and legal technology.
This year we enhanced our global technology coverage through our partnership with Jonathan Maas who started BONG! 10+ years ago and who graciously allowed us to combine forces. Joining that partnership is Rob Robinson (the brains behind the revered Complex Discovery blog) who is one of the eDiscovery world's premier technology marketers who has held senior leadership positions with multiple top-tier data and legal technology providers.
NOTE: If you are receiving this through a colleague and you have not subscribed, see the end of this post to learn how.
____________________________________________________________

OUR THANKS TO OUR PRINCIPAL CORPORATE SPONSOR HAYSTACKID:
___________________________________________________________
This week's lead story:
Understanding the underground ransomware economy
Ransomware is not just a type of malware – it’s also at the center of a sophisticated, flourishing underground economy that has all the conventions of legitimate commerce.
It’s a community made up of major malware developers, affiliates and channel partners, and those that provide adjacent services, such as selling network access. Operators even have their own publicity arms that put out press releases and maintain their “brands,” and they have customer-service operations.
According to Kaspersky research, the general economy of ransomware is well-developed and complex, with “several actors supplying services to one another.” For instance, botmasters offer access to already-compromised devices; software developers improve the malware; and initial access brokers specialize in providing network access via backdoors or exploits for security vulnerabilities in things like Remote Desktop Protocol (RDP). The Kaspersky research notes:
"This access can be sold in an auction or as a fixed price, starting as low as $50. The attackers who create the initial compromise, more often than not, are either botnet owners who work on massive and wide-reaching campaigns and sell access to the victim machines in bulk, or hackers who are constantly on the lookout for publicly disclosed software vulnerabilities to exploit as soon as they are announced and before a patch is applied.”
RaaS Affiliates Are Carefully Vetted
At the center of the scene is the fact that ransomware operators often adopt affiliates, to whom they provide ransomware-as-a-service (RaaS) offerings. Affiliates can be seen as the channel partners of the underground, responsible for ransomware distribution to end victims. They usually pocket between 60 and 80 percent of the ransom, with the rest going into the operators and authors’ coffers.
These gangs run like legitimate businesses: they have customer service and IT support, and will do what they can to boost their brand reputation, according to experts at Intel 471. So the most popular variants are those that result in higher payouts and that take care of the criminal’s requests once they are brought into an affiliate program.
RaaS operations carefully select their affiliate partners, with requirements that vary from technical expertise to the ability to prove they have roots in Russia or the former Soviet states. Intel 471 notes:
“Well-established ransomware gangs are known to be rather picky. The basic requirement for a candidate willing to enroll into any high-profile RaaS affiliate program is typically to demonstrate availability of compromised accesses or potential sources of such accesses to lucrative corporate networks. Requirements include practical experience with ransomware, confident user of Cobalt Strike, able to escalate local administrator and domain administrator privileges, working knowledge of backup systems and understanding of OpSec.”
Meanwhile, in order to prevent infiltration of affiliate programs by western law-enforcement services and by cyber-threat researchers, some RaaS gangs implement additional precautions, which include vouching by existing members, a requirement for a native command of the Russian language, or vetting of local and cultural knowledge pertaining to Russia and ex-USSR countries.
For example, a posting in the Exploit cybercrime forum by the REvil ransomware gang in fall 2020 noted:
“No doubt, in the FBI and other special services, there are people who speak Russian perfectly, but their level is certainly not the one native speakers have. Check these people by asking them questions about the history of Ukraine, Belarus, Kazakhstan or Russia, which cannot be googled. Authentic proverbs, expressions, etc.”
This complicated vetting process arises from the fact that criminals who make money illegally from online fraud operate within tight-knit circles by necessity. As Dustin Warren, senior security researcher at SpyCloud, notes:
“It is not uncommon for criminals to be vouched into these trusted circles where they work with other criminals participating in various types of fraud. Reputation is everything to these criminals, and they work for a very long time to establish this reputation so that they can get into these circles where money is being made.”
Competing for Market Share
In the cybercriminal underground, ransomware samples and builders are going for anywhere between $300 and $4,000, with ransomware-as-a-service rentals costing $120 to $1,900 per year. That’s according to a recent analysis by Kaspersky of the three main underground forums where ransomware is circulated. In some cases, this has led to a bit of an arms race to develop the most innovative, advanced or stealthiest code for the market:
“Ransomware is often resold, and malware vendors definitely compete for market share. There are always innovations in the works, especially around evading antivirus protections and other controls that might be in the way, to being able to encrypt files the fastest. They bank on their targets having complicated policies around how they patch their systems and how often.”
Some strains and services are unequivocally more popular than others, simply because they work better than others. Yet, the option that a threat actor ultimately decides to purchase and use often depends on other factors as well, such as the reputation of the author of the malware or operator of the RaaS operation, price, geolocation, how easy the seller is to work with or the target victim’s attack landscape.
Backlash against operators can sometimes happen. For instance, it was recently revealed that cybercriminals who have worked as affiliates with ransomware group DarkSide, responsible for the Colonial Pipeline attack, are having a tough time getting paid for their work now that the group has had its operations interrupted. So, they’re turning to admins of the group’s Dark Web criminal forum to sort things out in what researchers call a “shady version of the People’s Court.”
Also, when a criminal software developer builds a new strain of ransomware, the person will often first share the project for free with a select few other trusted community members. This free copy of the malware is called a "vouched" copy, and its purpose is to enable reputable actors to provide feedback and validate the new piece of malware. Then, after the malware has been effectively peer reviewed and tweaked accordingly, the developer will advertise it publicly, on a forum for example.
Individuals purchase ransomware software based on price as well as their own use cases. As such, good ransomware strains ultimately get a following; actors will often keep up with and purchase new versions of the same ransomware project as they are released (AZOrult is a good example of this).
Business is booming on the cyber-underground. But that could change; a coalition of 60 global entities (including the U.S. Department of Justice) has proposed a sweeping plan to create a ransomware task force, to hunt down and disrupt ransomware gangs by going after their financial operations.
And, in the wake of the Colonial Pipeline hack, underground forums themselves are looking to take some of the heat off by removing RaaS ads and the like.
Philip Reiner, the CEO of IST and the executive director of the Ransomware Task Force, warned that something has to give.
“The cost of ransom paid by organizations has nearly doubled in the past year, and is creating new risks, many that go far beyond monetary damage,” he said. “In the past 12 months alone, we’ve seen ransomware attacks delay lifesaving medical treatment, destabilize critical infrastructure and threaten our national security.”
We lead off this weekend's BONG! with three more ransomware pieces:
1. the recently concluded RSA Conference 2021 had no fewer than 6 sessions on ransomware, and we have an excellent video interview, "Why ransomware attacks keep getting worse and worse"
2. then a piece from The New Yorker magazine on how hacking became a professional service in Russia
3. and last, a survey that shows two-thirds of CISOs (chief information security officers) say they are unprepared for cyber-attack.
* * * * * * * * * * * * * * * * * * * * * * * *
Now, a few enlightened selections from the social media firehose last week as selected by our team and Jonathan Maas
VIDEO: Why ransomware attacks keep getting worse and worse
From the RSA Conference 2021: Security researchers who track ransomware often think such attacks must have hit their peak and can't get any worse - but then they do, say Raj Samani, chief scientist of McAfee, and John Fokker, McAfee's head of cyber investigations. In part, they say, that's because top gangs, in their never-ending quest for greater illicit profits, have successfully become more sophisticated and innovative. For the video interview click here.
How hacking became a professional service in Russia
The outfit behind the Colonial Pipeline attack had a blog, a user-friendly interface, and a sliding fee scale for helping hackers cash in on stolen information. For more click here.
Two-thirds of CISOs unprepared for cyber-attack
This widespread lack of readiness was unearthed by California enterprise security company Proofpoint during the creation of its first-ever annual 2021 Voice of the CISO Report. The report examines global third-party survey responses from more than 1,400 CISOs employed by mid-to-large size organisations. For the report click here.
From phishing to business email compromise: The FBI 2020 Internet Crime Report
In 2020 the FBI's Internet Crime Complaint Center (IC3) received 19,369 Business Email Compromise (BEC) and Email Account Compromise (EAC) complaints with adjusted losses of over $1.8 billion. BEC/EAC is a sophisticated scam targeting both businesses and individuals performing transfers of funds. The scam is frequently carried out when a subject compromises legitimate business email accounts through social engineering or computer intrusion techniques to conduct unauthorised transfers of funds. For more from Rob Robinson click here.
How do police and forensic analysts recover deleted data from phones?
If you've watched a crime TV show before, you've probably seen analysts extracting data from a phone. How realistic are these procedures, and can the police recover deleted photos, texts and files from a phone? For more click here.
Shh, your speaker is listening: California considers consumer privacy protections for smart speaker devices
Existing California law regulates the operation of voice recognition features for smart televisions. Manufacturers and their contracting third parties, for example, are prohibited from selling or using - for any advertising purpose - actual recordings of spoken words collected for a specified purpose through the operation of a voice recognition feature. On May 10, 2021 the California Assembly passed AB-1262, which seeks to extend these consumer protections to users of smart speaker devices that have a voice recording feature. For more click here.
You want to have custodians collect their own email for discovery purposes? You shouldn't.
A major portion of important electronic evidence in legal discovery revolves around emails. They are still the primary way that we communicate with all business partners and colleagues, both internal and external. Email is the first and foremost source of "who said what when" and what work product did they share as part of those communications. Because every email is date- and time-stamped, it even helps self-document a chronology of events in the case! If you are a litigator and you need to collect email from your custodians, it can be tempting to have them collect their own email. But that approach can cause problems and even lead to sanctions. For more click here.
The Nuix IPO is getting a lot of press and attention Down Under
Australian-based Nuix is one of the biggest and best-known eDiscovery software companies in our industry. Unfortunately for them, they’re also getting a lot of press and attention for the handling of their Initial Public Offering (IPO) on the Australian Stock Exchange (ASX), and their stock has been tanking of late. Australian press outlets have been covering stories related to the Nuix IPO daily, even multiple times a day. The report from Doug Austin can be found here.
Compliance as a hedge against uncontrollable costs
"So, we fully expect governments rightfully to both scrutinize and adopt regulatory frameworks. Be it Europe with copyright directive or India with information regulation etc, we see it as a natural part of societies figuring out how to govern and adapt themselves in this technology-intensive world. Google engages constructively with regulators around the world, and participates in these processes."
Sounds good but is this the beginning of a Google for the fracture-net? Also, Google's enthusiasm for conforming is a recent development. Google wanted to make the world a better place - once. "Do No Evil". Or was it "Fear No Evil"? I forget. I remember a decade ago when Google seemed to suggest that China had to "change the behavior of its government" if Google was to continue doing business there. That appeared to have triggered a distancing of Google from China. But then we had Dragonfly and that died and Baidu took over search in China.
But with regulators in a number of countries taking action to deal with U.S. technology companies which prefer to break things and apologize after the fact, Google is adapting. But why? Well, because compliance is a money game, about revenue streams. As is everything in the corporate world.
First, the cost of being Google is high and those costs are quite hard to control.
Second, Google's grip on personal data and online advertising revenue is weakening with age. Amazon is in the game Big Time, and as I have written many times before, product search remains Amazon's "go to" horse for the Madison Avenue derby. Hence the massive attention on Amazon of late.
Third, Google has become Google because there has been [a] zero recognition of what the company really does and [b] the thrill of Googling has blunted interest in regulating the company. The same can be said of other U.S. technology giants.
This article about the new Google is less about Google wanting to follow local laws and more about what Google has to do to maintain its revenue streams.
The costs of being Google are high in business and financial terms. The enthusiasm for going local is more about getting into certain markets and keeping the data and money flowing into Google. A failure to do this means that Google's costs will become an interesting challenge.
The battle to win at legal tech! The Big Four accountancy firms and technology groups are competing with law firms
Legal technology companies are winning big investments from backers that include private equity giants — even the Big Four accountancy firms. And this development is another indication of their move into offering new services to compete with lawyers and consultants — and of their increased firepower in a once nascent market. But Big Four firms have been fighting back. In the past year, they have spent heavily on hiring from high-growth legal technology companies, to expand their own legal departments. For more click here.
Stop with the damn video chats already! Just make a voice call!
Research shows frequent videoconferences can sap your brain and deplete your energy. So this Wall Street Journal columnist says just make more voice calls. For more click here.
* * * * * * * * * * * * * * * * * * * * * * * *
MY MOMENT OF ZEN

Something away-from-the-pedantic-stuff I find each week, either a video or photo. Sometimes two things, like this week.

It used to be much harder to find Belarus on a map:
VIDEO
Greenpeace has unveiled an animated film that attacks the plastic policy of the UK, a country that claims to be a leader in tackling plastic pollution. Environmental activists have exposed the fact that 1.8 million kilograms of the UK’s plastic is exported to other countries every single day, and to amplify the message, the film shows what this amount would look like if dumped in Downing Street.
The 2-minute film below was created and produced by my mates at Creative Collective Studio and Park Village Studios. I've shown you their incredible stuff in many of my blog posts. The set you'll see below was built at the Park Village film production facility in London.
* * * * * * * * * * * * * * * * * * * * * * * *
ENDNOTE
Jonathan Maas started BONG! in 2011 and we've enhanced it with our global legal technology team. Where does the name come from? Jonathan explains:

For those outside the UK (or in the UK but without televisions), BONG! is a reference to the main evening TV news in the UK, on which headlines are read out between strikes (bongs) of the now-silent Big Ben, the bell in the Elizabeth Tower (renamed from the Clock Tower in honour of the Queen's Diamond Jubilee) at the Palace of Westminster. You can thank a particularly persistent pedant early on in the life of my BONG! for this rather precise explanation.
* * * * * * * * * * * * * * *
If you .....
• have comments on this issue (suggestions for improvements, topics you'd like to see covered)
• are not subscribed to our newsletter and want to be
• want to learn about content contribution and sponsorship opportunities, or promote your event or webinar
... then just pop us an email: operations@infotecheurope.com