We catch up with Rapid7’s senior director of threat analytics to talk about ransomware trends, how gangs really work, and the challenges of 2025.
Cyber Daily: At Cyber Daily, we certainly know, from our perspective, that it feels like ransomware attacks appeared more widespread last year, and already, in the first month of this year, it’s continuing to ramp up. Would you say, Christiaan, that’s what you’ve been seeing?
Christiaan Beek: Oh, absolutely.
Honestly, I felt that 2023 was a bad year, but 2024 is even worse, right? I’m just wondering … where is this going? Right? Is there any end coming to this – what’s going on here? So, yeah, for sure. I absolutely share that.
Cyber Daily: What do you think are some of the drivers of this apparent acceleration in activity?
Christiaan Beek: I think it’s really, of course, the money – it’s all the money, and people still keep paying, whatever we do.
It depends, of course, per region, but also, with all respect, we do what we can as an industry – and, as I would say, law enforcement around the world – but it still seems to be a very attractive model that attracts several persons, like from small scale operations to very large scale that have this whole ecosystem around them. And one of the things I always keep mentioning is if we pay people … If just 30 per cent of victims pay, these groups make like US$20 [million], US$40 million a year, right?
That means also you could afford to buy yourself exploits. And that’s my concern, and I think that’s being shared with my peers here at Rapid7 around vulnerabilities, is we give people the money to buy sophisticated stuff, and then we do whatever we can to help people secure themselves.
But if it’s a zero-day, what can you do?
Cyber Daily: A lot of threat actors seem to be moving away from targeting the whales and are now going after the minnows, and in a big way. Just in the last few weeks in Australia, I’ve looked at a local community aid organisation, a couple of regional health and welfare organisations, and small businesses that almost certainly don’t have the expertise to deal with this.
You would imagine they never even see themselves as possibly being on the radar of somebody like a ransomware gang, but there they are.
Christiaan Beek: Yeah, we saw that shift last year as well.
When we did some analysis, we went into the underground forums, where people are offering access to companies. So it’s like: “Hey, visit this company!” This mentions an amount of revenue, their sector, the country, and then the amount of money and which access you get.
So there’s a whole model around pricing that. But yeah, with all respect, if there are more than 75 groups active in the world as we speak, they need to make money, right? It’s that driven. So at that point, it’s no longer about the big whales, as you said. It’s “Hey, grab what you can.”
And, yeah, we, unfortunately, saw that trend really happening. It doesn’t matter anymore – anyone is a target.
Cyber Daily: Where do you think a lot of these operators are operating from? I mean, generally, we assume a lot of them are in eastern Europe, possibly even Russia-based. Is that the case?
Christiaan Beek: I think most of them are, but I think that’s mostly around the developers and the leaders behind some sort of larger groups.
But I think the affiliates – the ones that are actually doing the work – are global. I know that from previous operations where we supported law enforcement with takedowns on these people, they are global. And honestly, those are the ones that shift from operation to operation.
So let’s say one group is less successful – their ransomware is being detected over and over again by people, by companies like Rapid7, and then it’s “Yeah, well, guys, with all respect, I can’t make a lot of money because your sample’s detected over and over.” So they hop from operation to operation. And those people, they’re definitely global.
Cyber Daily: Given things like last year’s LockBit takedown, it’s easy to imagine that affiliates must move around all the time and that a takedown like that must have a huge impact on the ransomware landscape. Would you say that’s true?
Christiaan Beek: Absolutely.
Cyber Daily: We recently published an article – not directly ransomware-related, but it’s in the ballpark – about ghost GPT. It’s the latest criminal generative AI, and the marketing material for it is so slick – it looks like a service you want to buy. These cyber criminals are really good at marketing themselves, aren’t they?
Christiaan Beek: It’s all about marketing.
If I want to start a ransomware group these days, at least I need to have a Telegram channel, and probably other social accounts. I need a help desk, 24 by seven, maybe even supported by ChatGPT, if I want to. There’s a whole partner system – it’s like running a business.
Cyber Daily: When we – and other journalists – write about this, we refer to these people as gangs, but maybe that’s doing them a disservice because they’re a lot slicker than what the term gang would suggest. They’re far more organised.
Christiaan Beek: Historically, if you look at the Russian cyber crime groups, they were actually organised like the organised crime groups, like the mafia, right? So they have a leader, and then they have something like a sergeant-in-arms who will take care of new people who are joining, actually checking their identity, then checking everything else to see if they can trust this person.
And then they have local people taking care of them in different ways.
I know some of the ransomware groups you have to do an interview. So they really set you up for an interview. You have to prove yourself. They give you some challenges to find out if you can talk the talk and be trusted. So yeah, I would say that the larger operations are very well organised.
Cyber Daily: Is Rapid7 seeing the influence of any state-based actors emerging in ransomware groups? Or is it largely criminal?
Christiaan Beek: It’s hard to say, to be honest. I don’t think we can fully exclude it, but I haven’t seen the hard evidence for it, but I would say mostly criminal-operated.
We had some signals from some APT groups abusing ransomware as a decoy, though. So it’s not completely defined operations – I remember some historical North Korean operations, and I think some China-based groups that were using ransomware as a decoy.
And it makes sense, right? If the whole IT department runs left, well, that gives you all the freedom to go through all the network and do your stuff.
Cyber Daily: I was actually thinking of North Korea because I know that a lot of their cyber operations are about making money to support a regime that has very, very shallow pockets. But I hadn’t even thought of using ransomware as a decoy. That’s kind of devious.
Christiaan Beek: In my previous job, when this whole bank heist thing was going on, we found a code sample in a bank in Taiwan, and it was just weird. I saw some code doing some stuff with a printer, and then I found a second payload, and … ‘Hey, this is ransomware.’ And what they did, actually, was they detonated the ransomware. And so the whole IT department went to the left side of the company, running after this incident.
But the threat actor found out that if you could transfer a certain amount of money to an account, there was a printer printing the alert: Hey, somebody’s trying to transfer 10 million! And that same malware was able to disable that printer so they could actually wire the money. The printer didn’t work, and the network was disrupted.
I called it, at the time, pseudo ransomware, but we have seen more examples in the last year as well with those kinds of operations.
Cyber Daily: What kind of trends do you think we’ll see emerge in 2025?
Christiaan Beek: Well, we have all these kinds of AI predictions, right?
I think, honestly, I want to be kind of against these kinds of trends, hyping things and such. But I can imagine [threat actors] use some of that for improving their code. I think some of them are already advertising about it, about how they use AI now to stay undetected and stuff like that.
I don’t think that’s where the big shift is going right at the moment; I think some of the smaller groups will disappear, but I’m afraid we will definitely see even more groups emerge.
So that’s probably going to be very challenging.
Rapid7 released its annual ransomware report last month.
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.