Chronicle: Crimeware group takedowns 'increasingly ineffectual'

New research from Chronicle shows that as crimeware has grown over the last five years, law enforcement efforts have become increasingly ineffective -- and in some cases have produced unintended consequences.

In a five-year study, titled "Crimeware in the Modern Era: A Cost We Cannot Ignore," Alphabet Inc.'s cybersecurity company argues the infosec community is underestimating crimeware as a commodity threat. According to Chronicle, the overall activity of banking Trojans, ransomware, information stealers and cryptominers has increased from 2013 to 2018, as have financial losses for businesses.

"Misconceptions around the severity of risk from financially motivated threat actors have hobbled enterprise defense efforts," Brandon Levene, head of applied intelligence at Chronicle, wrote in the report. "Rates of losses due to crimeware are climbing, and countermeasures are decreasing in efficacy. Crimeware as a financial risk quantifiably outranks more sophisticated threats such as APTs."

Chronicle analyzed data of several major takedowns of 15 different crimeware operations such as GameOver Zeus ransomware, Dridex banking Trojan and Kelihos information stealer and determined that law enforcement efforts to curb cybercrime have seen reduced efficacy. Chronicle found while the takedowns appeared to have an impact on malware sample counts, those impacts were short-lived.

For example, the study found that within one quarter of a decrease in samples, 57% of malware types exhibited growth; within two quarters after takedowns, 71% of samples saw increases.

In addition, some malware types experienced triple-digit growth following takedowns. Two quarters after the Avalanche crimeware takedown in 2016, in which law enforcement arrested five individuals and seized 39 servers, samples of the Avalanche banking Trojan jumped 300%. Meanwhile, samples of the Lurk banking Trojan increased more than 127% two quarters after a massive law enforcement effort in 2016 that included the arrest of 50 individuals in 15 different regions of Russia.

Chronicle found that cybercriminals are "increasingly able to adjust to distribution channel disruptions" caused by law enforcement actions. Levene said the problem is twofold: first, takedowns are too infrequent.

"There's an average of one or two big takedowns a year, and most of these guys are recovering within two to three months, easily," he told SearchSecurity. "The cadence of law enforcement action is limiting the results. You have to keep hitting these guys over and over again. You have to make it unfeasible for them to run these businesses."

The second problem, Levene said, is the lack of "kinetic action" against the crimeware operators. If a takedown operation is purely or even mostly technical in nature and doesn't include the arrests of the true operators in addition to associates, then the threat actors will simply scatter and eventually start new campaigns. In the report, Levene cited "the general ineffectiveness of both the Lurk and Avalanche takedowns" as evidence that law enforcement should target operators instead of infrastructure.

Chronicle's report also delved into one of the largest takedowns ever conducted in 2014's "Operation Tovar," which brought down the GameOver Zeus botnet and affiliated banking Trojan and Cryptolocker ransomware operations. But despite the international cooperation among several law enforcement agencies, including the Justice Department and Europol, no arrests were made under Operation Tovar. The alleged mastermind behind GameOver Zeus, Evgeniy Mikhailovich Bogachev, is still at large.

"That botnet was insane, and the technical feat of taking it down was second to none. It's one of the best technical takedowns ever," Levene said. "Unfortunately, the impact on the individual operators wasn't there. [Without arrests], they can adjust. And that's exactly what happened there."

Stopping the bleeding doesn't actually stop anything -- it just causes more bleeding.

Levene also described side effects of Operation Tovar, including the creation of a "power vacuum" where many new, opportunistic cybercrime groups began creating their own crimeware operations. He said the takedown caused threat actors to develop and utilize new techniques and tools to evade detection and infect more systems.

The lesson of Operation Tovar is simple, Levene said: a takedown effort that focuses on infrastructure and not the operators could cause more problems than it solves. 

"If you're a shortsighted organization, and you just want to stop the bleeding so you can catch up to what's happening, then a technical takedown might be appropriate," he said. "But I think we've moved beyond that at this point. Stopping the bleeding doesn't actually stop anything -- it just causes more bleeding."

Despite the findings, Levene said he believes law enforcement efforts are getting better at tackling cybercrime and that there is increased cooperation today between agencies as well as with the private sector. But he said many countries are still hampered by outdated laws and a lack of infosec knowledge and experience, and until those areas see improvement, law enforcement agencies will likely continue to fall behind crimeware operations.