11 GozNym Members Indicted for Cybercrime Operations
This is a writing sample from Scripted writer Michael Singletary
11 GozNym Members Indicted for Cybercrime Operations
United States law enforcement agencies—along with enforcement and investigation counterparts in five other nations—are bringing charges against 10 members of the GozNym cybercrime syndicate.
The indictment unsealed on Thursday, May 16, 2019 accused the GozNym members of an attempted $100 million from businesses and organizations across the world in 2016. The group's activities cover money laundering, bank fraud, and wire fraud.
Indicted members of the group are from Russia, Bulgaria, Georgia, Moldova, and the Ukraine. 5 of the member are from Russia and remain fugitives. An additional member named Krasimir Nikolov--going by the pseudonym pablopicasso—was captured in Bulgaria and extradited to American soil in December of 2016.
The indictment paints a picture of the eleven GozNym members and their operations that lead to major theft from business bank accounts across the United States and Europe.
Tens of thousands of systems were infected with the GozNym trojan and ransomware hybrid. GozNym is based on the Nymaim and Gozi ISFB malware, and functions as a platform to download trojans onto a system after infection rather than carrying a large, easily-detected payload.
Once the payload is in place, multiple malicious operations can take place. Following recent malware trends, the ransomware aspect can lock down systems using secure encryption that requires a key to unlock.
The team's control over infected systems had extensive reach. Alexander Konovolov (35) from Tbilisi, Georgia managed the infection and control of approximately 41,000 under his internet personae of NoNe and none_1.
Ransomware criminals sell promises to release these keys in exchange for payment. There is no guarantee that payment will result in unlocked files, and the specific GozNym-based operations have been in public view as early as IBM's observations in April of 2016.
Potent Blend of Earlier Exploits
The ransomware is partially based on Nymaim, a malware system that infected the United States, Germany, and Poland as early as September of 2013. It also downloaded the necessary files to launch attacks under lightweight means, then locked down systems to deliver a ransom note.
Nymaim used the Blackhole exploit—also known as Darkleech—along with Black Hat SEO methods used to change the search results of specific terms to lead users to the wrong sites. Their infected mock sites would receive traffic from unsuspecting users who may not notice subtle network and web address differences when looking at an otherwise professional website.
The Blackhole system would launch attacks against web browser plug-in vulnerabilities and search for other vulnerabilities that may not have been patched by the user. In 2013, over 2.5 million infections were caused by Blackhole.
In early 2019, the Gozi and Nymaim-merged GozNym was able to sneak past antivirus suites and launch other attacks aside from ransomware. These attacks include keyloggers that record keystrokes, mouse input, and other forms of input, as well as screenshot management to view the user's sensitive information.
GozNym was also able to change the format and display options of banking websites using web injection, which can hide alerts and other indicators from the user that would be tipped off by quirks in their usual screen.
The GozNym payload is mostly distributed by malicious, fake hyperlinks injected into websites after other infections, and can be delivered via malicious email attachments.
Ransomware, a Growing Risk Based on Growing Security
Ransomware poses a unique challenge in the history of anti-virus and cybercrime. While the techniques and toolkits used to break into systems can be defended against or patched with time, the file lockdown isn't so easy to deal with.
The lockdown caused by ransomware is a legitimate technique, not a virus or malware infection that can be scrubbed away. Everything from financial data to trade and government secrets use encryption standards such as RSA-256 to lock down sensitive materials until someone with a key can access the data.
It would take millions of years to crack RSA-256 with the current fastest systems, and a stronger encryption method called RSA-2048 would take 6.4 quadrillion years to crack. It's a strong lock that usually requires thieves to look elsewhere for their targets.
Encryption keys have an inherent mismanagement risk; if users lose the key, there's no one who can break in to assist. The data is lost to encryption unless the near future delivers faster systems or an undiscovered mistake in the encryption method.
This poses an unplanned problem to desperate ransomware victims. Even if they pay for the keys and somehow reach a thief willing to give over the key, novices and experts alike could lose the keys or fail to verify the keys.
Since the keys are data, they can be corrupted during creation like anything else. This is similar to shaving off the wrong bits of a metal key, bumping a CD or DVD during recording, or a hard drive crashing in the middle of saving information.
Organizations and Individuals Urged to Backup Data
At the moment, the most realistic defense against ransomware is a secure set of backups. Ideally, computer users would have a safe set of data that is removed from systems on a regular basis.
Multiple backups are even better. If the latest backup happens after a ransomware event, it could become encrypted or otherwise infected. With multiple days of backups, technicians can have multiple safe versions with only hours or days of lost progress rather than an entire lost project.
This creates inventory management needs. Tech professionals need to schedule backups on a regular basis, verify those backups to make sure that corrupt or otherwise useless backups aren't compromising the plan, and secure the backups.
If information is sensitive and a target of espionage, backups need to be placed in a secure location. Threatening an organization with ransomware theft could create an opening for physical data thieves to break in and retrieve copies.
In these emerging espionage scenarios, organizations must rethink the importance of their data, security practices in place, and methods used to control secrets. For data that doesn't need maximum security, a plethora of backup drives and even cloud storage can easily thwart ransomware when backups are handled properly.
For more information on emerging cyber security trends and advice on protecting tech assets, contact a cyber security professional.
Written by:
