
Chronicle: Crimeware group takedowns 'increasingly ineffectual'

Law enforcement takedowns of cybercrime operations may not be producing the desired results, according to an extensive, five-year study from Alphabet Inc.'s Chronicle.

New research from Chronicle shows that as crimeware has grown over the last five years, law enforcement efforts have become increasingly ineffective -- and in some cases have produced unintended consequences.

In a five-year study, titled "Crimeware in the Modern Era: A Cost We Cannot Ignore," Alphabet Inc.'s cybersecurity company argues the infosec community is underestimating crimeware as a commodity threat. According to Chronicle, the overall activity of banking Trojans, ransomware, information stealers and cryptominers has increased from 2013 to 2018, as have financial losses for businesses.

"Misconceptions around the severity of risk from financially motivated threat actors have hobbled enterprise defense efforts," Brandon Levene, head of applied intelligence at Chronicle, wrote in the report. "Rates of losses due to crimeware are climbing, and countermeasures are decreasing in efficacy. Crimeware as a financial risk quantifiably outranks more sophisticated threats such as APTs."

Chronicle analyzed data from major takedowns of 15 different crimeware operations, such as GameOver Zeus ransomware, the Dridex banking Trojan and the Kelihos information stealer, and determined that law enforcement efforts to curb cybercrime have seen reduced efficacy. Chronicle found that while the takedowns appeared to have an impact on malware sample counts, those impacts were short-lived.

For example, the study found that within one quarter of a decrease in samples, 57% of malware types exhibited growth; within two quarters after takedowns, 71% of samples saw increases.

In addition, some malware types experienced triple-digit growth following takedowns. Two quarters after the Avalanche crimeware takedown in 2016, in which law enforcement arrested five individuals and seized 39 servers, samples of the Avalanche banking Trojan jumped 300%. Meanwhile, samples of the Lurk banking Trojan increased more than 127% two quarters after a massive law enforcement effort in 2016 that included the arrest of 50 individuals in 15 different regions of Russia.

Chronicle found that cybercriminals are "increasingly able to adjust to distribution channel disruptions" caused by law enforcement actions. Levene said the problem is twofold: first, takedowns are too infrequent.

"There's an average of one or two big takedowns a year, and most of these guys are recovering within two to three months, easily," he told SearchSecurity. "The cadence of law enforcement action is limiting the results. You have to keep hitting these guys over and over again. You have to make it unfeasible for them to run these businesses."

The second problem, Levene said, is the lack of "kinetic action" against the crimeware operators. If a takedown operation is purely or even mostly technical in nature and doesn't include the arrests of the true operators in addition to associates, then the threat actors will simply scatter and eventually start new campaigns. In the report, Levene cited "the general ineffectiveness of both the Lurk and Avalanche takedowns" as evidence that law enforcement should target operators instead of infrastructure.

Chronicle's report also delved into one of the largest takedowns ever conducted, 2014's "Operation Tovar," which brought down the GameOver Zeus botnet and the affiliated banking Trojan and Cryptolocker ransomware operations. But despite the international cooperation among several law enforcement agencies, including the Justice Department and Europol, no arrests were made under Operation Tovar. The alleged mastermind behind GameOver Zeus, Evgeniy Mikhailovich Bogachev, is still at large.

"That botnet was insane, and the technical feat of taking it down was second to none. It's one of the best technical takedowns ever," Levene said. "Unfortunately, the impact on the individual operators wasn't there. [Without arrests], they can adjust. And that's exactly what happened there."


Levene also described side effects of Operation Tovar, including the creation of a "power vacuum" where many new, opportunistic cybercrime groups began creating their own crimeware operations. He said the takedown caused threat actors to develop and utilize new techniques and tools to evade detection and infect more systems.

The lesson of Operation Tovar is simple, Levene said: a takedown effort that focuses on infrastructure rather than on the operators can cause more problems than it solves.

"If you're a shortsighted organization, and you just want to stop the bleeding so you can catch up to what's happening, then a technical takedown might be appropriate," he said. "But I think we've moved beyond that at this point. Stopping the bleeding doesn't actually stop anything -- it just causes more bleeding."

Despite the findings, Levene said he believes law enforcement efforts are getting better at tackling cybercrime and that there is increased cooperation today between agencies as well as with the private sector. But he said many countries are still hampered by outdated laws and a lack of infosec knowledge and experience, and until those areas see improvement, law enforcement agencies will likely continue to fall behind crimeware operations.

Comments
The gist of the article is that seizing the servers without also seizing the brains behind the code is a waste of time and resources. Targeting the people who write the code and run the operations is far more critical than snapping up a few servers.
Yes, that's an accurate description of Chronicle's argument. And considering the data that they have to support the argument, I'd say it's a strong one. But I'd note a couple things: first, the number of takedowns in Chronicle's data set is just 15, so it's hard to build a lock-down case from the small sample size. Second, there have been other technical takedowns of lesser known malware and botnet infrastructure, and we don't know how effective those server seizures were in limiting or stopping those campaigns. It's *possible* that the reason the takedown efforts were ineffective in Chronicle's 15 examples is because these ops were the worst of the worst and had extensive reach, resources and people behind them, which allowed the crimeware to bound back within a quarter or two of the takedowns. That kind of bounce back may not occur with smaller crimeware ops. Just something to consider going forward...
Until we start addressing some of these things in a different way, it's just going to continue. We wouldn't normally allow a foreign power to roll up on the state capital of Texas, but with the Internet structured as it is currently, it's impossible to prevent them from doing the digital version of the same thing :/

I do think a change of tactics is called for. One of the biggest botnets was written by some guys who were trying to drum up business for their DDoS scrubbing service.