Ransomware Report: Is China Attribution Merely Hype?

Anti-Malware , Encryption , Technology

Ransomware Report: Is China Attribution Merely Hype? 'Naming and Shaming' Demands Hard Evidence, Experts Warn Ransomware Report: Is China Attribution Merely Hype?

Are Chinese hackers behind a recent spate of targeted ransomware attacks?

See Also: Former NSA Technical Director on Threat Intelligence

So claims an "exclusive" new report from Reuters, which says researchers at multiple security firms - including Attack Research, Dell SecureWorks, InGuardians and G-C Partners - have seen several attacks that might be the work of an advanced persistent threat group called Codoso that appears to be based in China. That group has historically engaged in online espionage, although the researchers "cannot be positive" that any China-based group is really behind these attacks, Attack Research CEO Val Smith tells Reuters.

"Attribution is really only of any use if you can - and are prepared to - prosecute something you consider criminal." 

Nevertheless, that's enough for the news service headline to trumpet: "Chinese hackers behind U.S. ransomware attacks - security firms."

But where's the evidence that Chinese attackers are involved? In fact, cautions Dublin-based information security consultant Brian Honan, who advises the EU's law intelligence agency Europol, the Reuters report includes nothing but speculation. That suggests any claims that Chinese cybercrime groups are behind the several infections mentioned in the story - including one of an unnamed transportation company, and another of an unnamed technology firm - are premature, at best.

"Without any hard evidence to support any claims or speculation as to who is behind these attacks, we should take all these claims with a large amount of caution," he tells me.

Honan is not alone in his assessment. "This could almost be a non-story - no one knows who did it, but it sorta looks like it might have come from China - the rest is (informed?) speculation," says Alan Woodward, a computer science professor at the University of Surrey who also advises Europol on cybersecurity matters. "I'd want to see considerably more evidence - or just some hard evidence - before pointing the finger. It's all very circumstantial at the moment."

The Attribution Trap

Attempting to attribute attacks to a specific group - aligned with a specific government or otherwise - risks obsessing over attackers' identities while downplaying the fact that many attackers succeed, in large part, because their targets' information security practices aren't very good (see Malware's Stinging Little Secret). When that's the case, it doesn't really matter if a national intelligence service, pro-government APT gang, Russian cybercrime outfit or the teenage PC whiz who lives down the street hacked a system; it's still been owned (see Anthem Attribution to China: Useful?).

"Attribution is really only of any use if you can - and are prepared to - prosecute something you consider criminal," Woodward tells me. "This attribution is more for political consumption, I suspect."

In addition, it's not clear that naming China will have any defensive upsides. "Naming and shaming can have an effect, but it's also quite easy for those who point fingers to have the finger pointed back," he says. "It becomes very confusing and thence has little effect."

Chinese Foreign Ministry spokesman Lu Kang dismissed the report as "rumors and speculation," telling Reuters that China would treat the allegations seriously only if they saw hard evidence.

Ransomware: Economic Upsides

But what is clear, Honan says, is that cybercrime groups have been getting more interested in ransomware (see FBI Warning: Ransomware Is Surging). In part, that's because it's easy for any cybercrime gang with access to a botnet to obtain and distribute ransomware such as CryptoWall, CTB-Locker or TeslaCrypt.

"Ransomware has been around for a long time. What we are now seeing is criminals realizing that for relatively little effort they can get quite profitable returns," Honan says. "Hence we are seeing a move from targeting consumers to targeting companies who may be more willing to pay to recover their data and be prepared to pay a larger sum. Criminals can simply use the vulnerabilities they previously exploited to spread botnets, to now use those same vulnerabilities to plant ransomware on systems."

And it's a sure bet that even if some Chinese cybercrime gangs are behind some ransomware attacks, they're far from the only ransomware-wielding cybercrime players at work.