Security Experts:

F-Secure's Mikko Hypponen Talks Cyber Crime and Cyber Unicorns

At some point in the recent past -- he is not sure exactly when -- F-Secure's Chief Research Officer Mikko Hypponen coined the term 'cyber crime unicorn'. His purpose was to highlight the growing professionalism of cyber criminals; and the term caught on. Now he has asked the question seriously: could a ransomware product actually be a criminal tech unicorn; that is, a start-up business valued at more than $1 billion?

In a new article his short answer is No; but that's only because it would be impossible for the founders to cash-out through the traditional IPO route. By most other yardsticks, cyber crime relates favorably to legal business. Consider one of today's prime businesses, Uber. According to a Thursday report in Bloomberg, Uber is on course to recording a $2 Billion loss this year following a similar loss last year -- and yet its latest valuation is $69 billion. Cyber criminals do not make losses.

There is little financial risk in cyber crime -- and especially with ransomware. Following a relatively low cost and short investment period it starts making profit very rapidly. And the profits can be extensive. One of the facilitators is the rise of bitcoin -- it allows the criminals to move and launder money relatively easily and safely; but it also allows researchers to get some idea of the amounts involved.

"Ransomware gives each victim a unique bitcoin wallet into which the ransom should be paid," Hypponen told SecurityWeek. "By getting ourselves infected in laboratory conditions we can follow what happens. The ransom is usually moved from each unique wallet into a central wallet controlled by the criminals -- and from there it is laundered." The laundering is often through buying pre-paid cards and then selling them on eBay and Craigslist; or directly through gambling casinos. But in the meantime, security firms such as F-Secure can monitor the amounts that pass through the central wallets -- and it is millions of dollars.

If this were a legitimate business making this amount of money this fast, it could indeed become a unicorn. But until there are underworld stock exchanges with access to as much money as Wall Street and London, crime cannot take that final hurdle towards becoming a billion dollar business. While cyber criminals follow basic good business principles, there is not -- at least, not yet -- an underworld Big Business.

But if cyber crime cannot be modelled on business investments and unicorns, is it already modelled on the gangster gangs of old Chicago? "If you mean protection rackets then yes," said Hypponen. "But it's more crimes such as DDoS that relate directly. Taking an ecommerce site off-line is very similar to closing a high street shop through violence if the protection money isn't paid."

This analogy goes even deeper, because in 'old Chicago' there were turf wars between rival gangs. To a degree, this already happens with cyber crime -- different gangs will steal ideas and even code from other gangs. "There's even an example of one gang 'taking out' a rival by stealing and publishing its decryption keys," said Hypponen.

But for now, Hypponen's response to his own question is no, we won't see cyber crime unicorns in the immediate future. But we do need to take note of the business-like organization and discipline within some of the gangs. He believes there are close to a hundred of these ransomware gangs, although a few might be one gang operating more than one ransomware. For now there would seem to be ample return on effort for all of them.

Off-line backups remain our best defense against ransomware -- that and an up-to-date anti-malware product. It is worth noting -- as Hypponen commented -- that 'backing-up' to online services such as Drobox, Drive and One Drive, will not solve the problem -- these are on-line and not off-line backups.

view counter
Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.