The Winlock numbers, the Winlock laws

While Eugene’s busy taking bets (wonder how much he’s going to make?), I’ve been having a think about the Winlock case.

Russian law enforcement is estimating that the bad guys could have raked in as much as $1 billion. While it’s difficult to be certain about the exact amounts involved (obviously they spread their money across a lot of different accounts to avoid attracting attention), a little bit of simple math makes me think this figure isn’t as crazy as it might sound.

Our statistical analysis tells us there could be around a million people who’ve been infected. 10 cybercriminals, each getting a cut of a ransom between $10 and $30 – even though they were paying out $3 per infection to the people willing to spread this malware, the numbers add up pretty quickly.

Of course, the guys who’ve been arrested weren’t the only ones involved. The phone service providers and content providers are also heavily implicated: the first because they registered short numbers to content providers, and the second because they were the ones who sent the unlock codes. In return for these ‘services’, they took a chunk of the SMS fee: around 50% and 20% respectively.

This whole case really highlights some of the legislative issues that need to be addressed if cybercrime’s going to be taken seriously. Most of the victims are in former Soviet-bloc countries, where it’s very easy to register a premium pay number – you don’t need to show any ID or even sign a contract. No surprise that criminals are actively exploiting this, and it’s an area the phone service providers really need to address!

There’s also an issue around the content providers – these guys make it possible to get all sorts of stuff like music, games etc. by sending messages to premium numbers. Law enforcement is now scrutinizing their role in this case pretty heavily: it’s suspected that they might have covered up for the malware writers in return for – once again – a cut of the profits. But while the prosecutors may be sure the content providers are guilty, they’ll have to prove it. And this can only be done if someone confesses, turns state’s evidence, or if malware source code is found on the providers’ servers.

We’re hoping that serious penalties are going to be handed down in this case, but we’re not exactly bullish on the outcome. We’ll keep you posted.

In the meantime, I’m off to talk to Eugene about my cut of the bets 🙂

The Winlock numbers, the Winlock laws

Your email address will not be published. Required fields are marked *



APT trends report Q2 2021

This is our latest summary of advanced persistent threat (APT) activity, focusing on significant events that we observed during Q2 2021: attacks against Microsoft Exchange servers, APT29 and APT31 activities, targeting campaigns, etc.

LuminousMoth APT: Sweeping attacks for the chosen few

We recently came across unusual APT activity that was detected in high volumes, albeit most likely aimed at a few targets of interest. Further analysis revealed that the actor, which we dubbed LuminousMoth, shows an affinity to the HoneyMyte group, otherwise known as Mustang Panda.

WildPressure targets the macOS platform

We found new malware samples used in WildPressure campaigns: newer version of the C++ Milum Trojan, a corresponding VBScript variant with the same version number, and a Python script working on both Windows and macOS.

Ferocious Kitten: 6 years of covert surveillance in Iran

Ferocious Kitten is an APT group that has been targeting Persian-speaking individuals in Iran. Some of the TTPs used by this threat actor are reminiscent of other groups, such as Domestic Kitten and Rampant Kitten. In this report we aim to provide more details on these findings.

Subscribe to our weekly e-mails

The hottest research right in your inbox