Who Are The Malware Creators?

This is a post series on cyber crime. For more posts click here or the cybercrime tag below.

This post on the Kaspersky blog gives us some clues:


On Monday 14 September, the Dutch police arrested two men (18 and 22 years old) from Amersfoort, The Netherlands, on suspicion of involvement in CoinVault ransomware attacks. The malware campaign started in May 2014 and continued this year, targeting users in more than 20 countries. Kaspersky Lab contributed important research to the investigation which assisted the National High Tech Crime Unit (NHTCU) of the Dutch Police in locating and identifying the alleged attackers. Panda Security also contributed to the investigation by pointing towards several samples of the malware.

CoinVault’s cybercriminals tried to infect tens of thousands of computers worldwide with the majority of victims in the Netherlands, Germany, the USA, France and the UK. They succeeded in locking at least 1500 Windows-based machines, demanding bitcoins from users to decrypt files.

The cybercriminals responsible for the ransomware campaign have been trying to modify their creations several times to keep on targeting new victims. Kaspersky Lab’s initial report on CoinVault was issued in November 2014, after the first sample of the malicious program appeared on the radar. The campaign then stopped until April 2015, when a new sample was detected. In the same month, Kaspersky Lab and the National High Tech Crime Unit (NHTCU) of the Dutch police launched noransom.kaspersky.com, a repository of decryption keys. In addition, a decryption application was made available online. This gave CoinVault victims a chance to retrieve their data without paying the criminals.

Kaspersky Lab was then contacted by Panda Security, which had found information about additional malware samples. Investigation of these samples by Kaspersky Lab revealed them to be related to CoinVault. A thorough analysis of all the associated malware samples was then completed and given to the Dutch Police.

“The Dutch police cooperates frequently with private parties. In this investigation Kaspersky Lab played an important role which helped us identify and locate the CoinVault attackers. It shows that by working together we can catch more criminals” – says Thomas Aling from the Dutch Police.

And this post:

Security researchers have put a pompous computer criminal in their rightful place after releasing the decryption keys for their ransomware.

Lawrence Abrams of Bleeping Computer writes that the ransomware, which was released last week, encrypts users’ files using AES encryption, appends the .LOCKED extension to all files, and demands that victims pay a fee of 0.5 BTC (approximately US $210) in exchange for the decryption key. All things considered, a pretty standard piece of malware…

…with a truly annoying developer behind it.

In their ransom note, the extortionist prides themselves on their experience creating malware and on their success in hiding from the authorities. You can read the message in full here, but provided below is a selection of some of the developer’s more “self-assured” comments:

Ransomware message

“You’ll never be able to find me. Police will never be able to find me. Go ahead and try them if you like, but don’t expect your data back. They will be concerned about helping the community, not with helping you meet your deadline. If they say they need to keep your desktop for a few days, well lol, you probably won’t be seeing your machine again soon, let alone your data. I’ve been doing this for five years now and haven’t been caught yet.”

“…Just be thankful that it wasn’t worse. I could have asked for more money. I could have been working for ISIS and saving that money to behead children. I could have been a mean SOB and just destroyed your data outright. Am I those things? No. I just need the money to live off of (true story) and don’t care at all about the hacker ‘community’. So there isn’t anyone you will be protecting by sacrificing yourself. I’ll just encrypt more people’s data to make up for the loss.”

That’s more than enough to get anyone’s blood boiling.

Fortunately, the developer has since been served their just desserts.



Ransomware author’s bravado shot down by release of decryption keys

These are amoral 18- and 20-year-olds who see it as easy money. They aren’t the typical computer geek who loves the machines and grows out of it. These people barely understand how it works and do their thing by cobbling together bits and pieces of software like the toolkit above and putting the lousy stuff out.

If you are thinking that there is a big bunch of people all working in Russia or some other underdeveloped foreign place coming up with this stuff for some secret agency, that doesn’t look to be the case. Instead it’s a bunch of script kiddies trying to make a quick buck. What’s sort of interesting is that it doesn’t seem to be millions of infections, at least in the beginning, but on the order of hundreds or thousands. So the money, while nice, isn’t the kind that buys a lifestyle that gets you noticed.

Who is Making All This Malware — and Why?

One thing is that these people have to be young or essentially unconcerned about consequences. They are also not very technically sophisticated or creative. They steal bits and pieces of code from other things, but more than likely have no clue how it really works. For instance, they have code that leaves the private key on somebody’s computer. They learn from their mistakes and come up with a variation, but they don’t originate stuff. You look at malware and it’s unprofessional, without the tightness that an experienced coder would produce as a matter of course. And some of my friends who have been coders for decades would be scary if they were doing this stuff.

But the risk/reward is different for somebody who’s been in the business for a long time. More than likely an experienced coder has family and assets to protect. And associates and friends who, more than likely, would disassociate themselves from a malware creator and ostracize them from their community. No, malware is a young man’s game.

Now why isn’t it a Russian mob? Well, let’s look at it this way. These people have been hitting hospitals with great regularity for some time now. Everybody gets sick and needs a hospital from time to time. Also, crime against hospitals gets you noticed, and not in a good way. Attack hospitals and you make the news as the lowest of the low, and deserve it. It also attracts the hard attention of law enforcement, even in countries that don’t normally cooperate. Frankly, nobody likes an extortionist. As far as the mob is concerned, they probably think they are better off sticking to identity theft. It’s easier money with a lower chance of retribution.

So I think that the typical profile of a malware creator is a loner, with friends mostly on Reddit and other forums, in Western Europe, seemingly in countries where English is not a first language, so Germany, Belgium and The Netherlands, with experience playing with computers, but not able to get into university for a number of reasons, and unable to get a legitimate job. I’m also going to guess that they come from affluent families and have had money in the past without having to work very much. And the parents come from the professions, not business ownership, so there is very little chance of getting into the family business. That’s the dangerous young man doing this stuff.
