
Hostage Taking Botnets

What happens when a botnet operator decides to hold infected machines hostage and announces demands? What organization is in charge of cyber-related hostage situations? What are the trade-offs of giving in to the demands?


Hostage-Related Cybercrime

We frequently see cybercriminals taking a page from traditional crime and adapting to their specific environment. In fact, we've seen hostage-related scenarios adapted to cybercrime in many cases. For example:

Ransomware: Ransomware will encrypt a user's documents/data and demand a payment to decrypt the data. This technique is most successful when the ransomware software is spread across large numbers of individuals, each requiring a reasonably small payment.

Data Theft Extortion: Similar to ransomware, corporations may be extorted into large payments in order to prevent the release of sensitive data stolen by an attacker. This attack differs from ransomware since it is not denying access to the entity's data, but instead threatening the release or sale of the data which will undoubtedly cause great financial harm to the entity.

DoS Extortion: Instead of targeting data, an attacker may instead threaten the availability of a service. For example, an attacker may demand payment from a utility company threatening to take down electrical service for their customers (in fact, Jason Larsen of IOActive mentioned that 100% of the SCADA extortion attempts that he has experienced have paid out the extortion demand).

Hostage Taking Botnets

While all of these existing cyber scenarios share similarities with traditional hostage-taking and ransom situations, none of them precisely mirror the motivations and characteristics of the involved parties in a traditional hostage situation. Traditional hostage situations often involve the capture of a large group of innocent people under the threat of harm in order to coerce the acceptance of demands.

Now where in the security world do we have large groups of random captured entities? Why, botnets, of course! Why would a botnet want to hold its own infected machines hostage? As an example, let's take the Conficker botnet, which was estimated by multiple groups to be between 4-5 million infected hosts. Conficker received a significant amount of attention, resulting in the Conficker Working Group and cooperation with TLD operators in an attempt to blackhole Conficker C&C domains generated by its DGA. Now imagine if the Conficker authors had released the following threat through their malware distribution network:

"If the Conficker Working Group blackholes any of the domains generated by our DGA, we will selectively destroy all of the infected machines resident in Fortune 500 networks."

While this is just one arbitrary example threat, one can imagine the impact it could have on the activities of the Conficker Working Group. These types of demands by botnet operators may catch our existing approaches to dealing with cyberthreats by surprise. Unlike traditional hostage scenarios, where jurisdiction is well-defined and local law enforcement or the FBI may be in charge of responding to such demands, who takes the lead in a botnet hostage event where the potential victims are scattered all over the world?

As a comparison, let's break down the attributes of a traditional and a botnet hostage situation:

| | **Traditional Hostage Scenario** | **Botnet Hostage Scenario** |
|---|---|---|
| Hostage Taker | Person or party | Botnet operator |
| Hostages | Innocent people, often random and unrelated to the hostage taker's goals | Infected computers of random people |
| Demands | Money, political demands, freeing prisoners, etc. | Unimpeded continuation of botnet operations (spam, PII theft, DoS), money, etc. |
| Threats | Harming or killing the hostages | Destroying the infected machines/data |
| Triggers | Not complying with demands, attempting to free hostages (e.g. SWAT attempting a breach) | Attempting to block/blackhole/subvert C&C, blacklisting hostage hosts on RBLs, releasing AV signatures to block infection, etc. |
| Command | LEO, FBI, government | LEO/FBI/government? CERTs? ISPs? Vendors? Security working groups? |

Questions to Think About

It's easy to see some parallels between a traditional and botnet hostage situation, but the key differences raise a lot of interesting questions.

What are the trade-offs?

Is it worth allowing a botnet to continue its activities in order to prevent the destruction of several million end hosts? We traditionally don't see destructive malware, as living hosts are much more valuable to botnet operators than dead hosts, but the threat of destruction can be a valuable bargaining chip. Similar to traditional hostage situations, the actual termination of the hostages may be of small quantitative value (sorry humans/computer hostages, you're usually not very objectively valuable ;-) compared to the impact of the resulting fallout (liability, bad publicity, data loss, downtime, enraged users, etc).

Who's in charge?

In a situation with infected hostage hosts spread geographically all over the world and resident in home user, enterprise, and governmental networks, who is in command of the situation and response? Who makes decisions whether to negotiate or not? Who has authority to prevent AV vendors from releasing signatures that might trigger the destruction of hosts? As we've seen with Conficker, collaboration across a wide range of vendors and organizations is possible, but is hardly as organized as the well-defined and established chain-of-command you'd see in a law enforcement agency.

Do we negotiate with botnet operators?

As the US government refuses to negotiate with terrorists, is this the best approach to take with botnet operators? Otherwise, do we risk inviting other botnets to present similar demands?

Is this actually going to happen?

I hope not, but it's something interesting to think about. :-)

Copyright © 2018 - Jon Oberheide