Smart contracts featuring ransomware
I was reading Brian Kreb's series about the Conti Ransomware Group, an infamous yet formidably effective ransomware actor:
- Conti Ransomware Group Diaries, Part I: Evasion
- Conti Ransomware Group Diaries, Part II: The Office
- Conti Ransomware Group Diaries, Part III: Weaponry
- Conti Ransomware Group Diaries, Part IV: Cryptocrime
In his last chapter 'Cryptocrime' Brian refers to other research articles that kind of hint at the inconvenient truth that we haven't seen the end-state of ransomware yet. Like by far.
- Ransomware as a Service using Smart Contracts and IPFS (Karapapas, Christos and Pittaras, Iakovos and Fotiou, Nikos and Polyzos, George C.)
- Jeffrey Ladish's two part Medium series "Smart contracts will make ransomware more profitable" (part 1, part 2).
If you think about it, current ransomware practices are relatively simple. Cyber crime seems to follow the path of least resistance, as I've noticed before.
Why bother chasing advanced exploits (requiring highly skilled individuals or top talent that is hard to come by), when you can reap in massive amounts of cash with relatelively low effort (with techniques requiring a mostly low or medium skilled workforce)?
It's visible in various aspects of cybercrime:
- Number one fraud technique is plain old phishing.
- Combine phishing with social engineering, and your success rate goes through the roof.
- Another technique: look at Lapsus$, they are just offering bribes for (remote) access. Why even bother trying to phish when you can just buy your way in? Because it's just so easy.
- Crypto rugpulls seem astonishingly easy to pull off, no hacking required.
Anyway, I forgot why I even started to write this blog post in the first place (it got late yesterday😅), but:
- I like articles like these because they are a welcome reminder to step back from the never-ending Crypto Bubble, where only the positives of cryptocurrency gets hyped. There is also a darker side that we shouldn't ignore. Regulators certainly aren't ignoring it, and I suppose three-letter agencies aren't either. Plus, the latter most probably are influential customers of Chainalysis.😇
- When thinking about blockchain security, the first concept that pops up in my mind is mainly securing smart contracts from harm, and not so much about the nefarious applications of blockchain technology itself. And that's what so fascinating about this space with all its security and risk implications: it's so vast and still so new, that we're currently only scratching the surface of what is possible. Both from an optimistic perspective, as well as from a pessimistic one. Can you imagine the potential of a scalable, fully privacy-preserving Ransomware-as-a-Service platform? Or a dark market? Or <insert your utopian/dystopian future here>?
On the other hand, where I remain skeptical, is the fact that it seems (for now) to be rather difficult to implement such complex concepts correctly AND that it's probably easier (incl. ROI wise) to just stick to traditional techniques for now. But then again: whatever can happen, will happen.