This week I am talking with Eric Freyssinet, head of a national cybercrime investigative unit in France. We discuss ransomware and cybercrime in general from a researcher/law enforcement point of view. Several initiatives are in place to educate end users about these threats and to show them how to get rid of an infection without forking over large amounts of money. For starters, awareness is key to defeating the social engineering tricks that ransomware relies upon.
Another important aspect of combating cybercrime is, of course, the capacity of law enforcement to track down criminals and prosecute them. This is easier said than done, but as Eric explains, efforts do pay off and criminals are arrested. In fact, a major bust happened on Feb. 13th, with the Spanish Police and Europol coming down hard on eleven people who were part of a "police ransomware" operation netting over one million dollars a year.
Q: Can you tell us a bit about yourself (profile, background, etc.)?
A: I am a law enforcement officer in France, head of a national cybercrime investigative unit for the Gendarmerie nationale. My original education is technical and I am also a PhD student on the subject of the fight against botnets.
Q: Could you tell us how stopransomware.fr came to exist (what motivated the idea for this project, when it was created, who is behind it, etc.)?
A: We launched stopransomware.fr after one year of actively documenting ransomware on the Botnets.fr Wiki, which is the main project of my PhD work and for which I am helped by various enthusiasts of the fight against botnets. The idea is to properly inform the public about this specific trend in the malware business and to give them help and advice on how to prevent and cure ransomware infections on their computers.
Q: Ransomware combines malware infection with social engineering tricks to force victims to pay several hundred dollars to unlock their computers. A key to avoiding this scam is recognizing what is happening. What are you doing to educate end users about this threat?
A: It is important for users to understand which steps are used to infect their computers, not only to raise their awareness but also to give them a number of basic rules to follow in order to avoid, as much as possible, this malware threat as well as many other malicious attempts they may encounter online nowadays.
The website explains how infections work, how traffic is generated to attract victims to exploit kit platforms, and what basic steps they need to take to protect themselves or clean their computers.
Q: What are the challenges you face in this awareness effort?
A: Computer viruses have always been part of the environment of computer users, and they are more often seen as a basic nuisance than as a practical threat to their privacy or wallet. The second difficulty is that there is no magical solution for protecting a computer from malware infections, and it does demand some patience to understand all the aspects of protecting a modern computer system online.
Q: There seems to be a strong commitment to ransomware/botnet research and good intelligence gathering from French researchers, who are often mentioned in the media not just in their own country but worldwide. Can you confirm that and explain why?
A: Maybe there is a combination of many factors, including the fact that France is one of those countries that is a target of choice for online illegal activities but also trains good IT security specialists, and their interest in these topics is indeed rising in the community for research on malware and related illegal activities. I am convinced that there are willing individuals in many countries around the world and that they should organize locally and beyond to better exchange and develop their competences together. But we need to go much further and obtain concrete results in the fight against those specific threats, including convincing corporate as well as government decision makers that we need to invest in this domain. And it is not a project for France alone; the efforts of many countries around the world are needed.
Q: A big reason why cybercriminals go about their business without worrying too much is the fact that they feel very little risk of being prosecuted for their crimes. What are the main challenges law enforcement agencies face in dealing with that reality?
A: There are two main difficulties, which are typical of the fight against online threats: the possibility to gather and share intelligence (in practice, to collect personal information), and the need for faster and more efficient international cooperation. A secondary difficulty could be that those topics look technically difficult from the outside, but in reality they are not that difficult in comparison to the very advanced forensic technologies law enforcement has developed in other domains.
Q: Independent security researchers often discover valuable information regarding cybercriminals' activities. Is there a process or way for them to share it with law enforcement?
A: We are hoping that EC3 at Europol will be one of those places where information will be shared. But there are already conferences and platforms, such as the botnets.fr Wiki, where technical data can be exchanged. Maybe all of those need more visibility.
Q: Have government agencies recognized cybercrime as a major problem and given law enforcement the proper means (both financial and technological) to combat this problem?
A: Yes, in most countries it is the case. The problem is that cybercrime is such a big and fast-developing problem that it does take some time to get results in all its aspects. For instance, the efforts on online child abuse are paying off now and many suspects are arrested every year. We need to pursue those efforts in other domains as well.
Q: Do you see the ransomware trend staying strong throughout 2013, or do you feel that at some point this type of attack will become a victim of its own success (better user awareness and law enforcement actions)?
A: We are hoping that awareness will help make those risks less probable in the near future, but everybody needs to stay awake and look out for the future trends that will replace ransomware.
Q: Ransomware is just one aspect of the global cybercrime ecosystem, in which exploit kits are king. Can you tell us a little bit about the trends you have observed in this area over the last couple of years?
A: Yes indeed. For instance, banking malware, which is less visible to the end user, is still very prevalent and is going to move massively into mobile environments in 2013-2014.
Q: Can you talk about botnets.fr and botconf'13?
A: Botnets.fr is part of my research project towards a PhD, which I started in December 2011, with the idea of proposing a global approach to botnet classification, focusing not only on malware but on all the other dimensions of this problem. Anybody who is willing to actively contribute can join us, in French or in English. The community which discusses botnets every day and was attracted by the botnets.fr project is now launching an international scientific conference, to be held on December 5th and 6th, 2013 in Nantes, France. The call for papers should be published in the coming days.
Eric Freyssinet on Twitter: @ericfreyss
IRC community: #botnets.fr on chat.freenode.net.
International botnets fighting alliance: http://ailbibfa.wordpress.com/
About the author:
Jerome Segura is a Senior Security Researcher at Malwarebytes with experience in both client-side and server-side malware and a focus on web exploit research. He has built high-interaction honeyclients to capture drive-by download attacks and has performed hundreds of web server remediations for infected WordPress and Joomla! sites.
Follow him on Twitter: @jeromesegura