A few months ago, those who monitor the world’s Bitcoin cryptocurrency exchanges began to notice an unusual trend – the amount of virtual cash being stockpiled by British companies was increasing dramatically.
Bitcoin is the digital currency born from a libertarian ideal that individuals should be able to transfer funds without the intervention of a bank or revealing their identity. As a result, it is the currency of choice for those who carry out ransomware attacks.
£136,000 digital cash pile
A study published last month found the growth in this type of cyber crime is such that two-fifths of British companies are now holding Bitcoin just in case they are hit by an attack such as the WannaCry or NotPetya bugs that recently assailed organisations around the world from the NHS to FedEx. On average, the companies are sitting on cryptocurrency worth £46,000, with larger firms holding £136,000.
In the unhappy event that they ever have to spend their bulging Bitcoin wallets to unscramble encrypted data, some chief executives may consider spending such an eye-watering sum a bargain.
A Korean web hosting firm revealed in June that it had paid more than $1m (£770,000) to restore data from an attack which infected 3,400 separate websites. Despite advice from law enforcement agencies around the world not to pay ransoms, the evidence is that thousands of organisations are pricing it into their operations and coughing up.
Nerds and nation states
The trend is emblematic of a wider shift which is rapidly moving hacking and cyber warfare away from the ambit of nerds and nation states into an everyday battle of attrition that has the potential to disrupt anything from doctor’s appointments to adultery websites to power networks.
It is a complex combat zone where the participants range from the state-backed hacking hubs of China, Russia and North Korea through to organised crime groups dotted around Eastern Europe, Africa and the Middle East – and increasingly their accomplices based in the UK.
The National Crime Agency told the i that while most elite cyber-criminals continue to reside in “hard-to-reach jurisdictions”, they have more associates based in Britain than previously thought.
The agency said: “Some of these [individuals] may have some cyber skills; most provide supporting services to elite criminals. By targeting this UK nexus, we can disrupt criminality and develop intelligence on upstream links.”
The sophistication and complexity of the infrastructure that supports cyber crime is frequently held up as an example of the scale of the threat.
Some ransomware attacks come with a “customer support” service whereby a victim biting the bullet to pay to retrieve their data is taken step-by-step through the process by a friendly agent via a Skype-type call or a chat box. The rewards are significant – the average amount of virtual plunder from a ransomware attack has risen from £250 per victim in 2014 to £830 in 2016.
Similarly, an analysis of various cyber crime attacks emanating from locations in Russia and China found that they followed a pattern of nine-to-five office hours, right up to the point that there was a diminution in assaults around lunchtime.
One security contractor, who has worked with state agencies in Europe, said: “What we are seeing is criminality that works around a conventional business model. You have got people who are effectively employees, who turn up to work in an office block, who spend the day extorting cash or sending denial of service attacks, have a sandwich break and then go home to put the kids to bed. I wouldn’t be surprised if they had a staff restaurant and gym.”
The picture is further complicated by the rise of what is known as the “as-a-service” model of cyber crime, whereby individuals can effectively pick and choose between ready-made attacks in much the same way that a consumer browses different shapes of pasta in a supermarket.
In return for a fee, paid naturally in a cryptocurrency, criminals with only the most basic technical expertise can commission anything from a denial-of-service attack to take down a competitor’s website to the implantation of an Advanced Persistent Threat (APT) bug which can sit on a system for months or years silently collecting every piece of data which passes through an organisation’s computers.
The result is a Gordian knot of organised crime groups, state-sponsored hackers and so-called hacktivists for law enforcement authorities to unravel. Andrew Beckett, head of cyber defence for corporate risk company Kroll, said: “The rise of malware as a service where all you go and do is buy the ransomware and plug in your victim’s IP address or a range of IP addresses, means that the investigation on the part of law enforcement leads you back to at best a grey area. The only connection between multiple attacks is one guy who sold his programme to multiple people.”
The result is a sinister growth industry which companies are scrambling to anticipate by stockpiling Bitcoin and which experts warn the world is not yet ready to repel.
Mr Beckett added: “The world has been caught napping in that we don’t have the resources – either the tooling or the skilled people – to combat it at the scale at which it has arrived. It will change. But for now we are from the defensive point of view on the losing end of an arms race.”