30/03/2021

Cybercrime - Breaking Profitability

Gérôme Billois, Partner, Cybersecurity and Digital Trust at Wavestone (author)
Marwan Lahoud, Partner, Messier & associés (author)

As shown in our previous articles, cybercrime is rising. It benefits from an increasingly structured and professionalized ecosystem, which makes attacks more lucrative. Reducing the financial incentive is a must if cyberthreats are to be contained. But how? In this last article, the Institut Montaigne working group that authored the 2018 report Cybermenace : avis de tempête (Cyberthreat: Storm Warning) shares insights drawn from interviews with those who fight cybercrime.

Drying up criminals’ sources of revenues by blocking ransom payment

As we have seen, ransomware attacks have become more frequent. A Cisco Talos Incident Response (CTIR) study found that ransomware accounted for 43% of the cyberattacks it observed between January and March 2021. The National Cybersecurity Agency of France (Agence nationale de la sécurité des systèmes d'information, Anssi), for its part, recorded a 255% increase in ransomware attacks within its perimeter in 2020.

Ransom payments have become cybercriminals' main source of revenue. Where a ransomware group's proceeds rarely exceeded a few hundred thousand dollars a few years ago, the main groups now routinely collect tens, even hundreds, of millions of dollars every year. Limiting these payments is therefore a priority.

Heterogeneous approaches to the payment of ransoms 

In France, paying a ransom is not prohibited and is subject to little oversight. The official national position, which Anssi and the government regularly restate, is nonetheless to dissuade organizations from paying, for several reasons. Payment is no silver bullet: the decryption keys may never be delivered, or may not work. Above all, the loss of trust in the compromised systems will in any case require a full rebuild of the information system and a gradual restart. In other words, in most cases paying the ransom reduces neither the impact of the crisis nor the length of the disruption.

Interesting alternatives to paying exist around the world, such as the No More Ransom initiative launched in 2016 by Europol, which provides free decryption tools. It claims to have helped over 200,000 ransomware victims recover their data, using decryption keys obtained either by analysing the criminals' tools and finding flaws in them, or from material seized during police operations.
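To make concrete what "finding flaws in cybercriminals' tools" means in practice, here is an added, constructed toy example (it is not code from any real ransomware family, nor from No More Ransom or the authors): an encryptor whose only weakness is that it derives its key from the infection timestamp, and a decryptor that brute-forces that small key space, using the magic bytes of the victim's files as a known-plaintext check. The sample file, the timestamps and the names weak_encrypt, recover_seed, recover_file and MAGIC are assumptions of this example.

```python
import random

# Constructed toy: the "cipher" is a keystream XOR driven by Python's
# Mersenne Twister. A real family would use AES or ChaCha; the point is that
# the flaw lives in key derivation (a 32-bit timestamp), not in the cipher.


def keystream(seed: int, length: int) -> bytes:
    """Deterministic keystream: same seed, same bytes."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(length))


def weak_encrypt(plaintext: bytes, infection_time: int) -> bytes:
    """The flawed ransomware: key = Unix timestamp of infection (seconds)."""
    ks = keystream(infection_time, len(plaintext))
    return bytes(p ^ k for p, k in zip(plaintext, ks))


# XOR with the same keystream undoes itself.
weak_decrypt = weak_encrypt

# Known plaintext at offset 0: magic bytes of common file types (assumed list).
MAGIC = {
    b"%PDF": "pdf",
    b"PK\x03\x04": "zip/docx/xlsx",
    b"\x89PNG": "png",
}


def recover_seed(ciphertext: bytes, approx_time: int, window: int = 3600):
    """Brute-force the seed within +/- `window` seconds of `approx_time`
    (e.g. the encrypted file's mtime). A candidate is accepted when the
    decrypted header matches a known magic. Returns None if nothing matches."""
    head_len = max(len(m) for m in MAGIC)
    head = ciphertext[:head_len]
    for seed in range(approx_time - window, approx_time + window + 1):
        # Only the first bytes of the keystream are needed to test a seed.
        candidate = weak_decrypt(head, seed)
        if any(candidate.startswith(m) for m in MAGIC):
            return seed
    return None


def recover_file(ciphertext: bytes, approx_time: int, window: int = 3600):
    """Full recovery: find the seed, then decrypt. Returns None on failure."""
    seed = recover_seed(ciphertext, approx_time, window)
    if seed is None:
        return None
    return weak_decrypt(ciphertext, seed)


# --- constructed demo data (assumed values) --------------------------------
INFECTION_TIME = 1_617_062_400          # assumed: 2021-03-30 00:00:00 UTC
SAMPLE_PDF = b"%PDF-1.4\n% constructed sample document\n%%EOF\n"


def demo() -> bool:
    """Encrypt the sample, then recover it knowing only a rough timestamp."""
    ct = weak_encrypt(SAMPLE_PDF, INFECTION_TIME)
    # The victim only knows the file's modification time, give or take.
    observed_mtime = INFECTION_TIME + 1234
    return recover_file(ct, observed_mtime) == SAMPLE_PDF


if __name__ == "__main__":
    print("recovered:", demo())
```

The search space here is two hours of seconds, so recovery takes a fraction of a second; the same approach scales to any family whose key material is a function of something the investigator can bound (time, process id, a short password). Free decryptors of this kind do nothing for families that generate keys with a proper CSPRNG and protect them with the attacker's public key, which is why seized key material from police operations is the other source the text mentions.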

The United States took another approach in 2020: the US Department of the Treasury published an advisory warning that companies and intermediaries that give in to the extortion may themselves face sanctions, including financial penalties, where the payment benefits a sanctioned entity. Victims of an attack are asked to contact and cooperate with the authorities.

These approaches have proven unable to curtail the rise of payments on a global scale 

These decisions and initiatives have had limited reach, especially in France. According to fieldwork by the Wavestone consultancy, attacked companies pay the ransom in 20% of cases, a figure confirmed by analysis of the associated cryptocurrency and financial flows.

Why do companies pay? Usually in the (mistaken) belief that paying will let them resume operations faster, but also to prevent stolen data from being published. The amount demanded is usually kept "reasonable" relative to the damage caused, and criminals leave room for negotiation, so companies can lower the price. A whole support ecosystem for negotiation and payment (negotiation firms, payment intermediaries, etc.) has recently emerged, and the presence of these intermediaries is most likely one driver of the rise in payments.

Simply banning ransom payments outright is difficult, as in some cases the organization's survival is at stake. Moreover, many attacks are only disclosed late, which would make such a ban, and the associated sanctions, hard to enforce. Note also that the ability to track ransom payments depends entirely on the ability to trace cryptocurrencies: Bitcoin yesterday and today, probably Monero tomorrow. Bitcoin's public ledger lets investigators follow funds from address to address; Monero hides senders, recipients and amounts, which is precisely why it is the likely next step. These currencies are the criminals' favourites because they are simple to use and give them the privacy they need to go about their business.

Some suggestions to dry up cybercriminals’ sources of revenue 

Where do we go from here? There is no silver bullet. We have, however, identified three challenges.

First, a crystal-clear statement that an organization, whether a company or a public body, will categorically refuse to pay any ransom can strongly dissuade cybercriminals. This is already the case for public bodies (local governments, ministries). Companies could do the same; listed companies, for instance, could state it in their annual reports. This measure will obviously not stop waves of attacks on its own, but it may deter some cybercriminals.

The second challenge is to weigh the benefits of paying. Payment should be considered only when truly necessary: when the company's survival depends on it, or when it is certain that paying will reduce the risk and the financial impact. This due diligence, carried out by independent experts and/or public authorities, could be written into the contracts companies sign with cyber-insurance providers. It would also strengthen cooperation between victims, insurers and the authorities fighting cybercrime, improving the tracing of criminals' actions. This is the path the United States is exploring, as the latest advisory from the Office of Foreign Assets Control (OFAC) shows.

Finally, the third challenge is to strengthen the traceability and identification of cryptocurrency-to-fiat conversion points, so that, for instance, cybercriminals' assets can be frozen. This measure is particularly complex because it requires extensive international cooperation.
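What tracing a ransom through a public ledger to a conversion point looks like, as an added example for the two paragraphs above on cryptocurrency tracing and asset freezing (constructed data, not real blockchain records, and not code from the authors or from any investigative tool): starting from the address the victim paid, the function follows each spending transaction to its outputs until it reaches an address already attributed to a regulated exchange, which is where a freeze request can be sent. It also applies the common-input-ownership heuristic that clustering tools rely on: addresses spent together in one transaction are assumed to belong to the same wallet. The ledger, the address names and the KNOWN_ENTITIES attribution table are assumptions of this example. It only works because Bitcoin exposes every input, output and amount; Monero hides all three.

```python
from collections import deque

# Constructed ledger in a UTXO model: each transaction spends from the listed
# input addresses and pays the listed (address, amount) outputs. Amounts are
# in coin units; the input/output difference is the fee.
LEDGER = [
    {"txid": "t1", "inputs": ["victim-pay-addr"], "outputs": [("ransom-addr", 10.0)]},
    {"txid": "t2", "inputs": ["ransom-addr"], "outputs": [("hop-1", 6.0), ("change-1", 3.99)]},
    {"txid": "t3", "inputs": ["hop-1", "change-1"], "outputs": [("hop-2", 9.98)]},
    {"txid": "t4", "inputs": ["hop-2"], "outputs": [("exch-deposit-7", 5.0), ("hop-3", 4.97)]},
    {"txid": "t5", "inputs": ["unrelated-addr"], "outputs": [("hop-3", 1.0)]},  # noise
]

# Attribution data an investigator would hold (assumed): deposit addresses
# already tied to an identified, KYC-bound service.
KNOWN_ENTITIES = {"exch-deposit-7": "Exchange Z (regulated, can freeze)"}


def spends_by_address(ledger):
    """Index: address -> list of transactions that spend from it."""
    idx = {}
    for tx in ledger:
        for addr in tx["inputs"]:
            idx.setdefault(addr, []).append(tx)
    return idx


def trace_to_known_entity(ledger, start, known):
    """Breadth-first walk over outputs from `start`. Returns the shortest
    path (list of addresses) ending at a known entity, or None."""
    idx = spends_by_address(ledger)
    seen = {start}
    queue = deque([[start]])
    while queue:
        path = queue.popleft()
        addr = path[-1]
        if addr in known:
            return path
        for tx in idx.get(addr, []):
            for out_addr, _amount in tx["outputs"]:
                if out_addr not in seen:
                    seen.add(out_addr)
                    queue.append(path + [out_addr])
    return None


def tainted_addresses(ledger, start):
    """Every address reachable from `start` by following outputs."""
    idx = spends_by_address(ledger)
    seen, stack = {start}, [start]
    while stack:
        for tx in idx.get(stack.pop(), []):
            for out_addr, _amount in tx["outputs"]:
                if out_addr not in seen:
                    seen.add(out_addr)
                    stack.append(out_addr)
    return seen


def common_input_clusters(ledger):
    """Common-input-ownership heuristic: addresses co-spent in one transaction
    are assumed to share an owner. Returns address -> frozenset(cluster)
    for every address that appears in a multi-input transaction."""
    parent = {}

    def find(a):
        parent.setdefault(a, a)
        while parent[a] != a:
            parent[a] = parent[parent[a]]  # path halving
            a = parent[a]
        return a

    for tx in ledger:
        first = tx["inputs"][0]
        for other in tx["inputs"][1:]:
            parent[find(other)] = find(first)
    groups = {}
    for a in list(parent):
        groups.setdefault(find(a), set()).add(a)
    return {a: frozenset(members) for members in groups.values() for a in members}


def cash_out_point(ledger, start, known):
    """Summary for a freeze request: the path, the identified entity and the
    amount that landed on its deposit address. None if no known entity is hit."""
    path = trace_to_known_entity(ledger, start, known)
    if path is None:
        return None
    dest = path[-1]
    landed = sum(amt for tx in ledger for a, amt in tx["outputs"] if a == dest)
    return {"path": path, "entity": known[dest], "amount_landed": landed}


if __name__ == "__main__":
    print(cash_out_point(LEDGER, "ransom-addr", KNOWN_ENTITIES))
    print(sorted(common_input_clusters(LEDGER)["hop-1"]))
```

Two caveats a practitioner would add. The walk marks "hop-3" as tainted even though it also received unrelated funds, so real tools weigh taint by amount rather than treating any touch as full contamination. And the whole exercise hinges on the attribution table: without a deposit address already tied to an identified exchange, the trace ends at an anonymous address, which is exactly the gap the third challenge above asks to close.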

Upsetting cybercriminals’ feeling of impunity 

Cybercrime is attractive partly because of cybercriminals' apparent impunity. They often run far fewer risks than traditional criminals and hide in places remote, both geographically and culturally, from their victims. The Evil Corp group is the archetype of this behaviour: its members flaunt their lavish lifestyles and financial gains (sports cars, luxurious parties, etc.).

2021: a pivotal year in the fight against cybercrime

2021 may be remembered as the year this started to change. Several major operations led by the authorities have sought to end cybercriminals' impunity by dismantling long-established groups. The Emotet botnet, one of the most effective of the past decade, was among the first to be hit: the criminals operating it day to day were arrested and the authorities took over its servers. This joint operation between Europol and several national police forces was a success; the Dutch police even publicized its participation on several specialized forums to dissuade other cybercriminals from resuming operations.

Beyond Emotet, the Netwalker and Egregor groups have also seen some of their operators and affiliates arrested in recent months. The shockwave was immediate: the Ziggy and Fonix platforms (see the first article in this series) announced they would cease operations as a result.

Also worth mentioning is the "name and shame" policy that the United States has applied for several years, which consists in publicly revealing cybercriminals' identities. Its communication impact is obvious, but its operational effectiveness is limited. The United States itself acknowledges this and treats the measure as a last resort, to be used once it is certain the criminals will not be caught.

Despite these successes, the cybercriminal ecosystem is resilient and continues to grow 

While the recent dismantlements and shutdowns mark a shift in the evolution of cybercriminal activity, the effort must be sustained and intensified. Most Ransomware-as-a-Service operators are still active, and many competitors hope to carve out a share of this particularly lucrative market.

International cooperation is, unsurprisingly, fundamental to arresting criminals. It remains slow to set up, however, while cybercriminals collaborate daily to hone their methods and tools and to better evade the authorities. To meet this challenge, we agree with the World Economic Forum's proposal to create a global partnership, with bodies responsible for stimulating collaboration and task forces dedicated to specific topics.

By the same logic, judicial procedures remain far too slow compared with the extremely dynamic cybercrime environment. Drafting and applying laws to limit cyberattacks takes time. The judicial route is also limited by territoriality: obtaining the authorizations required to act on another country's territory can be hard. This is why criminal groups tend to emerge in countries known to turn a blind eye to their activities (as long as the criminals do not target those countries).

Some suggestions to improve the punishment of cybercriminals 

The sovereign functions of the state (justice, security, diplomacy) are on the front line. Yet the justice system receives too little attention in the French government's plan to fight cybercrime, announced largely in reaction to the wave of attacks on the health sector. The judiciary struggles with cybercrime for several reasons: excessive caseloads, a shortage of qualified staff, a criminal code not designed with cybercrime in mind, legal difficulties around the collection and admissibility of digital evidence, fragmentation, and a lack of resources to follow virtual-currency flows.

We observe that the repression of cybercrime is hampered today by two factors, in France and abroad: on the one hand, too few competent, specialized staff at every level (judicial police, gendarmerie, Tracfin, Europol, Eurojust and the courts); on the other, a limited technical arsenal, lacking sovereign, working tools for digital investigations (evidence collection and cryptocurrency transaction tracking, among others).

At the national level, certain barriers must be lifted to make up for the accumulated delay. One of the main challenges is the lack of cooperation between institutions, in particular between the justice system and the intelligence services. Better information sharing would go a long way towards speeding up investigations. The fight against terrorism from 2015 onwards, which set a precedent for regulated information sharing between the judiciary and the intelligence community, could serve as an inspiration.

Making attackers' targets harder to identify and attacks harder to conduct

Reinforcing the security of the basic networks, systems and IT solutions used by companies and public bodies mechanically raises the cost of an attack for criminals. This is therefore the last essential factor in curtailing cybercrime's profitability.

Victims’ IT systems reflect vastly different levels of security 

SMEs make good targets for cybercriminals, as they rarely have the resources or the know-how to invest heavily in cybersecurity. The French government platform Cybermalveillance.gouv.fr offers awareness, prevention and assistance tools to help them. Since 2020 the platform has also run the ExpertCyber label, which vouches for the expertise of specialized companies able to assist SMEs. We address the need to better secure these organizations' IT systems in more detail in our 2018 report, Cyberthreat: Storm Warning.

A reckoning is under way in large companies, as Wavestone's survey of large listed corporations shows: 100% of CAC 40 companies mention cyberthreats in their annual reports. Much remains to be done, however. An analysis of cybersecurity budgets and staffing shows wide gaps between industries. For the most critical functions, those of vital importance to the nation, regulatory obligations set a minimum level; but this applies to only about 200 organizations in France, and only to some of their systems (those delivering the most critical or hazardous services).

Finally, the public sector is fragile after many years without significant investment, as the recent wave of attacks on hospitals and city halls shows. As mentioned above, however, the national strategy launched in 2021 is intended to fill this gap through massive investment: nearly €350M for the health sector and €160M from the recovery plan for local governments.

What are the limits? 

Cybercrime is constantly evolving, and the current investment in cybersecurity must be sustained over time if it is to weaken it. Beyond money, however, we observe a shortage of cyber experts. This situation may persist, although the new governmental strategy aims to boost recruiting in the cybersecurity industry.

Furthermore, the digital systems designed and sold today do not always include security mechanisms by default, so securing them requires additional effort from users. The whole digital sector could draw inspiration from the smartphone industry, where in recent years default data encryption and default access codes have raised the security of devices overall.

Some thoughts on improving organization security 

Organizations that use digital services can make significant efforts. A dedicated budget and staff are a must to deploy minimal cybersecurity hygiene, even if their size of course depends on context. Simulating a ransomware crisis is a simple and effective way to test and validate an organization's ability to handle such an incident, and it also mobilizes companies and their directors.

Tighter cyber-insurance terms (higher premiums, in-depth due diligence to evaluate risks) could also lead to better security in organizations. For the public sector, national-level protective measures can be imagined, such as filtering of e-mail and network traffic, or protective domain-name resolution that blocks lookups of known-malicious domains (the DNS step that links a server's IP address to its commercial name). Such measures can reinforce security country-wide. The United Kingdom has taken this path and may serve as inspiration.

Digital solution providers (software vendors, service companies) are also an essential link in the protection chain. Security practices need to be regulated so that digital products and services reach a minimal level of cybersecurity. The OECD's work here is encouraging, as it provides best practices and recommendations for the security of digital products and services. Discussions can also be held to identify and protect the systems a provider shares among its clients (monitoring, administration and support systems), so that cybercriminals cannot bounce from one target to the next through these data managers and hosts. Clients of these providers can be encouraged to include these requirements in their service requests in order to hasten these changes.

Fighting cybercrime together 

More than ever, fighting cybercrime is a cross-cutting challenge that requires cooperation from the entire ecosystem: the major digital players, who today have an unrivalled capacity to investigate and protect at scale; digital designers, who should deliver secure systems and services; users, who need to look after their own security; and sovereign actors at national and international level, who can hunt down and arrest cybercriminals.

The effectiveness of this common fight depends on information sharing, which plays a double role: in real time, alerting on the mechanisms cybercriminals use, so as to improve detection, interrupt attacks and track the funds when a ransom is paid; and in the medium term, consolidating information on the groups and how they operate in order to identify and detain them.

By mobilizing government, corporate, national and international actors, we can curb the number of cyberattacks, reduce their impact and reach an acceptable level of risk for our economies and our daily security.

We thank the following people for the time they gave us to complete this research.

  • Alain Bernard, Head of Cybersecurity, L'Oréal
  • Yohann Cohen, Director of Operations, Systemis
  • Michael Fiey, Chief Information Security Officer, ArcelorMittal Europe
  • Benoît Lemaire, Head of Cybersecurity, SGS France
  • Olivier Nautet, Head of IT Risk Management and Cybersecurity, Group CISO, BNP Paribas
  • Emile Pérez, Head of security and business intelligence, EDF Group
  • Jean-Yves Poichotte, Head of cybersecurity, Sanofi
  • Thierry Rouquet, Director Business Development IoT, Cisco

  • Philipp Amann, Head of Unit Expertise & Stakeholder Management - EC3, Europol
  • Olivier Berni, Head of CERT, Société générale
  • Johanna Brousse, Vice-prosecutor, Head of the cybercrime section, Ministry of Justice
  • Catherine Chambon, Deputy Director of the fight against cybercrime, Central Directorate of the Judicial Police (DCPJ)
  • François Deruty, Deputy Director of Operations and Head of CERT-FR, French National Agency for Information Systems Security (Anssi)
  • Eric Freyssinet, Colonel, Head of the National Cyber Threat Unit, Gendarmerie Nationale
  • Adrien Frier, Deputy Director of the fight against terrorism and organized crime, Ministry of Europe and Foreign Affairs
  • Guillaume Greber, Software Sales Director, IBM France
  • Jean-Charles Griviaud, Chief Security Officer, Cisco
  • Alban de Mailly Nesle, Group Chief Risk and Investment Officer, AXA
  • Sébastien Moras, Cabinet Director, Europol
  • Bernard Ourghanlian, Chief Technology Officer and Chief Security Officer, Microsoft France
  • Jean-Philippe Pagès, Industry & Services Director, Bessé
  • Sergio Pierro, Cyber & PI Senior Underwriter, AXA XL
  • Fabien Rech, Vice President EMEA Major Accounts, McAfee
  • Orlando Scott-Cowley, Regional Leader, Security & Compliance Business Acceleration for Europe, Middle East and Africa, AWS
  • Lisa Segovia, diplomat - Secretary of Foreign Affairs, Ministry of Europe and Foreign Affairs
  • Edvardas Šileris, Head of European Cybercrime Centre (EC3), Europol
  • Stéphane Vauterin, Cyber, Financial & Professional Lines Manager France, AXA XL
