Will a cyberwar détente result in businesses facing more cybercrime?

As they are wont to do around this time of year, companies have been releasing their predictions for the year ahead. One of security giant McAfee’s more surprising prophecies was that ransomware would see a decrease towards the end of the year, driven by greater effort from law enforcement and more effective tools and techniques from security vendors.

However, Allan Liska, Solutions Architect at rival security firm Recorded Future, argues the opposite. He predicts that a continuing reduction in cyberwar hostilities between the US and China (assuming Donald Trump doesn’t ramp them back up once in the White House) will force Chinese hackers to supplement lost government income with new revenue streams, much of which will be driven by ransomware.

Liska did a Q&A with IDG Connect about ransomware in the year ahead, and what happens when governments stop giving work to cybercriminals.

McAfee predicts Ransomware will drop in 2017, you think the opposite. Why?

McAfee predicts that ransomware attacks will decrease in 2017, but based on the research I’ve done, this simply isn’t true. I believe the nature of ransomware will change, but as long as it’s profitable for attackers to use ransomware they will continue to do so. Advanced attacker groups need to make money, and ransomware done right has proven to be very profitable. In fact, ransomware cybercriminals reportedly took in about $1 billion last year, based on money coming into ransomware-related Bitcoin wallets.

Connected cars, IoT devices/smart homes, and voice-enabled devices such as Alexa & Google Home are all big headline grabbers this year, but do you think these will become more attractive targets for Ransomware?

Generally, I don’t think IoT and other connected devices will be targeted by ransomware. While I am sure these devices could be susceptible to ransomware and you may see “science fair” security projects demonstrating how to get ransomware installed on a connected car or an Alexa, there is no money to be made in these types of attacks. Think about it, what happens if someone installs ransomware on your Alexa? You simply reset to the factory defaults and re-download your settings from Amazon. The same is true for other IoT devices; there is simply no incentive for a victim to pay the ransom, when resetting the device is easier. All that being said, there will definitely continue to be more malware that goes after these devices, just not ransomware.

One of the reasons ransomware has become so prevalent is the relative ease with which it can be executed and the high success rate. What advice would you give for businesses looking to protect against it?

Quarter over quarter, ransomware attacks have grown and will continue to grow in 2017. As long as businesses continue to pay the ransom and fund ransomware families’ growth, we’ll continue to see more creative and effective attacks. My main advice for businesses looking to minimize the risks and loss from ransomware is to: keep web browsers and plug-ins such as Adobe Flash and Microsoft Silverlight updated, disable Microsoft Office macros by default, automatically quarantine any email that has an attachment, scan incoming emails for suspicious attachments, and implement threat intelligence to gain visibility and monitor for emerging ransomware threats.
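Two of the controls Liska lists above (hold any mail that carries an attachment, and look inside the attachment for the macro or executable content that ransomware droppers rely on) can be implemented at the mail gateway. The following is an added example, not code from the article or from Recorded Future. It parses a raw RFC 822 message with Python's standard `email` module, holds anything with an attachment, and scores the attachment: executable extensions are blocked outright, Office Open XML files are unzipped in memory and checked for a `vbaProject.bin` part (the container for VBA macros), and legacy OLE2 Office files are flagged for deeper review. The extension lists, the function names and the sample invoice message are assumptions made for the illustration.

```python
"""Mail-gateway attachment triage: an added illustration, not the article's code.

Hypothetical policy: any message with an attachment is quarantined; the
attachment verdict sets how urgently an analyst should look at it.
"""
import email
import io
import os
import zipfile
from email import policy
from email.message import EmailMessage

# Assumed policy lists: extensions that execute directly when double-clicked,
# and Office Open XML types whose macros live in a vbaProject.bin zip member.
EXEC_EXTENSIONS = {".exe", ".scr", ".js", ".jse", ".vbs", ".wsf", ".hta", ".ps1", ".bat", ".cmd"}
OOXML_EXTENSIONS = {".docx", ".docm", ".dotm", ".xlsx", ".xlsm", ".xltm", ".pptx", ".pptm"}
# Magic bytes of legacy binary Office (OLE2 compound files: .doc, .xls, .ppt).
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def ooxml_has_macro(data: bytes) -> bool:
    """True if an OOXML package contains a VBA project (word/, xl/ or ppt/vbaProject.bin)."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(name.lower().endswith("vbaproject.bin") for name in zf.namelist())
    except zipfile.BadZipFile:
        return False  # not a real OOXML file; the extension check below still applies


def classify_attachment(filename: str, data: bytes) -> str:
    """Return 'block', 'macro', 'review' or 'clean' for one attachment."""
    ext = os.path.splitext((filename or "").lower())[1]
    if ext in EXEC_EXTENSIONS:
        return "block"
    if ext in OOXML_EXTENSIONS:
        return "macro" if ooxml_has_macro(data) else "clean"
    if data.startswith(OLE2_MAGIC):
        return "review"  # macro-capable legacy format; needs an OLE parser to confirm
    return "clean"


def triage_message(raw: bytes) -> dict:
    """Parse a raw message and decide deliver/quarantine plus a severity."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    verdicts = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        verdicts[name] = classify_attachment(name, part.get_payload(decode=True) or b"")
    if not verdicts:
        return {"action": "deliver", "severity": "none", "attachments": verdicts}
    if any(v in ("block", "macro") for v in verdicts.values()):
        severity = "high"
    elif "review" in verdicts.values():
        severity = "medium"
    else:
        severity = "low"
    # Per the advice above, every message with an attachment is held.
    return {"action": "quarantine", "severity": severity, "attachments": verdicts}


# --- constructed sample data (not real mail) ---------------------------------

def make_ooxml(with_macro: bool) -> bytes:
    """Build a minimal OOXML-style zip, optionally with a VBA project member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


def build_sample_message(filename: str = None, data: bytes = b"") -> bytes:
    """Constructed invoice-lure message; omit filename for a message with no attachment."""
    msg = EmailMessage()
    msg["From"] = "invoices@example.com"
    msg["To"] = "ap@example.com"
    msg["Subject"] = "Invoice 4471"
    msg.set_content("Please see the attached invoice.")
    if filename:
        msg.add_attachment(data, maintype="application", subtype="octet-stream", filename=filename)
    return bytes(msg)


if __name__ == "__main__":
    for name, payload in [("invoice.docm", make_ooxml(True)), ("report.docx", make_ooxml(False)),
                          ("setup.exe", b"MZ"), (None, b"")]:
        print(name, triage_message(build_sample_message(name, payload)))
```

The verdict is deliberately independent of the attachment's MIME type, because a phishing sender controls that header; only the decoded bytes and the filename are trusted as evidence. Checking for `vbaProject.bin` catches macro-enabled files that were renamed to `.docx`, but it does not cover legacy `.doc`/`.xls` files or other droppers, so the `review` bucket exists to route those to a fuller OLE parser or sandbox rather than to deliver them.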

Have you seen cyber-criminals starting to make use of Machine Learning yet? If so, how, and if not, when do you think we’ll start to see it being utilized?

Not yet. However, I have seen some excellent examples of security researchers using it to launch interesting cyber-attacks. An area where we may see some primitive forms of machine learning in real-world cyber-attacks is in the area of botnets. As these botnets become more sophisticated and complex, it may require machine learning to exploit all of the vulnerable devices. For example, I could see an attacker using machine learning to search for default passwords for new routers or other IoT devices discovered during the scanning phase.

In your predictions, you say reduced levels of state-sponsored hacking will result in more attacks as hackers look to supplement lost revenue. Should we only expect more ransomware attacks, or are they likely to use other methods too?

Absolutely, I suspect these groups will engage in multiple types of attack activity at least until state-sponsored activity returns to earlier levels.

How common is the trend of cyber-criminals acting as outsourced hackers for governments (whether US, Russian, North Korean etc.)?

I don’t have any specific insight into how different governments operate, but as I understand it, it is very common. There are simply too many targets and too much complexity involved in those targets for even the largest governments to operate completely independently. That doesn’t necessarily mean that these groups are conducting operations (note: that doesn’t mean that they are not), they could be building tools, discovering or selling vulnerabilities or be involved in a number of supporting activities.

How does this fit in with Recorded Future’s previous study of how cyber-crime syndicates are structured? Is hacking for a government merely a part of a syndicate’s income stream or is this more likely to be something individuals do themselves away from a wider gang?

In an industry this large there is room for all different types of groups. Some of these groups are professional hackers who sell themselves to the highest bidder, as well as working on their own projects, other groups may do occasional work for the government, while others, still, are essentially government contractors. Some of these groups may be working for the government and not even know it (for example, researchers who sell exploits on the black market). Governments also indirectly support hacking operations in country by leveraging data and vulnerabilities obtained by cybercriminals and sold on the open market.

How do governments go about recruiting hackers?

Again, I don’t have specific information about different governments, but as I understand it, that answer varies widely from government to government. Governments that rely heavily on patronage for many activities will use patronage to recruit local hackers. Others that have a more robust bureaucracy will use the standard procurement process to hire “security firms” to engage in activity. Some governments I am sure also use intermediaries to hire hacking groups or specific hackers. The Russian government, for example, has been known for using intimidation tactics while recruiting talented black-hat hackers who have been apprehended by local police or are wanted by foreign law enforcement.

I’ve been told government-employed hackers often have carte blanche to do as they please as long as their activities don’t impact local organizations or those of allies, even if the government is aware of the activities and their legality (or lack thereof). How true do you think this is?

Again, I don’t have any specifics, but I imagine it would depend on the government. Some governments I’m sure exert more control over these groups than others. Part of that is out of concern for legal reasons, but there may be practical reasons for that as well. Let’s say a government paid a hacker group $1 million to develop a specialized tool to use against that government’s targets. The last thing that government wants is for that tool to be used on other targets and wind up on VirusTotal and signatured by every security vendor. So, it is in the best interest of the government to keep these groups at least somewhat in check. But the government may not have the ability to stop them from acting independently, so it may do the next best thing and demand that the group limit the scope of its activities. At least in Russia, Belarus and even Ukraine, for the most part, local police do not support criminal acts, even if they are directed against foreign victims. They might not actively hunt them down, but if they learn about an ongoing international investigation or an arrest warrant, they will open a criminal case. Sometimes, however, that is only because of a potential monetary incentive and in anticipation of a large bribe.


Dan Swinhoe

Dan is a journalist at CSO Online. Previously he was Senior Staff Writer at IDG Connect.
