Ransomware attacks, including those of the massively disruptive and dangerous variety, have proved difficult to combat comprehensively. Hospitals, government agencies, schools, and even critical infrastructure companies continue to face debilitating attacks and large ransom demands from hackers. But as governments around the world and law enforcement in the United States have grown serious about cracking down on ransomware and have started to make some progress, researchers are trying to stay a step ahead of attackers and anticipate where ransomware gangs may turn next if their main hustle becomes impractical.
At the RSA security conference in San Francisco on Monday, longtime digital scams researcher Crane Hassold will present findings that warn it would be logical for ransomware actors to eventually convert their operations to business email compromise (BEC) attacks as ransomware becomes less profitable or carries a higher risk for attackers. In the US, the Federal Bureau of Investigation has repeatedly found that total money stolen in BEC scams far exceeds that pilfered in ransomware attacks—though ransomware attacks can be more visible and cause more disruption and associated losses.
In business email compromise, attackers infiltrate a legitimate corporate email account and use the access to send phony invoices or initiate contract payments that trick businesses into wiring money to criminals when they think they’re just paying their bills.
“So much attention is being paid to ransomware, and governments all over the world are taking action to disrupt it, so eventually the return on investment is going to be impacted,” says Hassold, who is director of threat intelligence at Abnormal Security and a former digital behavior analyst for the FBI. “And ransomware actors are not going to say, ‘Oh, hey, you got me’ and go away. So it’s possible that you would have this new threat where you have the more sophisticated actors behind ransomware campaigns moving over to the BEC space where all the money is being made.”
BEC attacks, many of which originate in West Africa and specifically Nigeria, are historically less technical and rely more on social engineering, the art of creating a compelling narrative that tricks victims into taking actions against their own interests. But Hassold points out that a lot of the malware used in ransomware attacks is built to be flexible, with a modular quality so different types of scammers can assemble the combination of software tools they need for their specific hustle. And the technical ability to establish “initial access,” or a digital foothold, to then deploy other malware would be extremely useful for BEC, where gaining access to strategic email accounts is the first step in most campaigns. Ransomware actors would bring a much higher level of technical sophistication to this aspect of the scams.
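The two BEC entry points described above, a compromised legitimate mailbox sending a doctored invoice and a lookalike sender domain impersonating an executive, both leave traces in message headers and body text that a defender can triage. The script below is an added example, not code from the article or from Abnormal Security; it assumes a protected domain of `example.com` and runs over three constructed messages (a benign one, one from a legitimate account with a mismatched Reply-To and a bank-detail change request, and one from a lookalike domain). It is a heuristic first pass, not a substitute for a mail security product.

```python
"""Heuristic BEC triage over email headers and body text (added example).

Indicators checked:
  - Reply-To domain differs from the From domain (replies get diverted even
    when the From address is a genuinely compromised account)
  - From domain is a lookalike of the protected organisation's domain
  - Body asks for a change to payment or banking details, or an urgent wire
"""
import re
import textwrap
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "example.com"  # assumed protected domain (placeholder)

PAYMENT_PATTERNS = re.compile(
    r"(updated|new|changed)\s+(bank|account|wire|routing|payment)\s+"
    r"(details|information|info|instructions)"
    r"|wire\s+transfer"
    r"|urgent(ly)?\s+(payment|invoice)",
    re.IGNORECASE,
)


def _domain(addr_header):
    """Return the lower-cased domain part of an address header, or ''."""
    _, addr = parseaddr(addr_header or "")
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _edit_distance_le1(a, b):
    """True if a and b differ by at most one insert, delete or substitution."""
    if abs(len(a) - len(b)) > 1:
        return False
    i = j = edits = 0
    while i < len(a) and j < len(b):
        if a[i] == b[j]:
            i += 1
            j += 1
            continue
        edits += 1
        if edits > 1:
            return False
        if len(a) > len(b):
            i += 1
        elif len(b) > len(a):
            j += 1
        else:
            i += 1
            j += 1
    edits += (len(a) - i) + (len(b) - j)
    return edits <= 1


def is_lookalike(domain, org=ORG_DOMAIN):
    """Cheap lookalike test on the first DNS label: one-character edit
    (examp1e.com) or the org label embedded in a longer label
    (example-invoices.com). The org's own domain is never a lookalike."""
    if domain == org:
        return False
    d_label, org_label = domain.split(".")[0], org.split(".")[0]
    if org_label in d_label and d_label != org_label:
        return True
    return _edit_distance_le1(d_label, org_label)


def analyze(raw_email, org=ORG_DOMAIN):
    """Return a list of human-readable findings for one RFC 822 message."""
    msg = message_from_string(raw_email)
    from_dom = _domain(msg.get("From"))
    reply_dom = _domain(msg.get("Reply-To"))
    body = msg.get_payload() if not msg.is_multipart() else ""
    findings = []
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    if from_dom and is_lookalike(from_dom, org):
        findings.append(f"sender domain {from_dom} is a lookalike of {org}")
    if PAYMENT_PATTERNS.search(body):
        findings.append("body requests a payment/banking change or urgent wire")
    return findings


# Constructed sample messages (not real traffic).
BENIGN_EMAIL = textwrap.dedent("""\
    From: "Dana Lee" <dana.lee@example.com>
    To: ap@example.com
    Subject: Lunch

    Are we still on for lunch Thursday?
    """)

COMPROMISED_ACCOUNT_EMAIL = textwrap.dedent("""\
    From: "Dana Lee" <dana.lee@example.com>
    Reply-To: dana.lee@examp1e.com
    To: ap@example.com
    Subject: Invoice 4471 - updated bank details

    Please note our updated bank details for invoice 4471.
    Send the wire transfer to the new account below.
    """)

LOOKALIKE_SENDER_EMAIL = textwrap.dedent("""\
    From: "CEO" <ceo@examp1e.com>
    To: cfo@example.com
    Subject: Quick favour

    I need an urgent payment sent today. Wire transfer details to follow.
    """)

if __name__ == "__main__":
    for name, raw in [("benign", BENIGN_EMAIL),
                      ("compromised", COMPROMISED_ACCOUNT_EMAIL),
                      ("lookalike", LOOKALIKE_SENDER_EMAIL)]:
        print(name, "->", analyze(raw) or "no findings")
```

The compromised-account case is the one that defeats sender-domain checks on their own: the From address is the real employee's, so only the diverted Reply-To and the banking-change language give it away. In practice the same indicators are worth correlating with mailbox audit events such as newly created forwarding rules, which the script does not cover.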
Hassold also points out that while the most notorious and aggressive ransomware gangs are typically small teams, BEC actors are usually organized into much looser and more decentralized collectives, making it more difficult for law enforcement to target a central organization or kingpin. Similar to Russia’s unwillingness to cooperate on ransomware investigations, it has taken time for global law enforcement to develop working relationships with the Nigerian government to counter BEC. But even as Nigeria has put more emphasis on BEC enforcement, countering the sheer scale of the scam operations is still a challenge.