Who and how catches hackers and carders

[Jollier]

In this thread, the famous carder talks to Sergey Nikitin, Deputy Head of the Computer Forensics and Malicious Code Research Laboratory at Group-IB, one of the world's leading fighters against cybercrime.

You will also learn about Anonymous hackers and other hacker groups, how real hackers hacked Twitter and stole more than $120,000 in bitcoin through celebrity accounts, whether Russian hackers are really the most dangerous in the world, how the most dangerous hackers crack passwords and encrypt information on the hard drive of a company or individual, demanding a ransom (the so-called Ransomware), how the most wanted hackers in the world hide, how hackers hacked the computers of the Pentagon and various TV channels, about hackers in chat roulette, how hackers hacked a fraudster's webcam, how phones and cameras are hacked, how hackers hacked a Minecraft schoolboy, we will also tell you about the life of a black hacker and the best films about hackers (Hackers 1995 and Hackers 2018).

Contents:

• Today's topic: Who and how catches hackers and carders.
• Meeting Sergey Nikitin, Deputy Head of Group-IB's Computer Forensics Lab. Ilya Sachkov refused to come?
• What are the most common mistakes cybercriminals make?
• What will happen for a one-time theft of $20,000 using a Trojan?
• What amount of theft could provoke the interest of Western intelligence agencies?
• Which countries are best avoided by hackers and other cybercriminals?
• Is it true that if you don’t work in Russia, there will be no punishment?
• About fraudulent schemes on bulletin boards.
• What type of cybercrimes are most often investigated in the CIS?
• Is it possible to get back your own money stolen by fraudsters?
• Which Russian bank is the most secure and most loyal in terms of helping clients in case of money loss?
• About malware for Windows.
• How and where do users most often infect their smartphones and computers with malware?
• The main methods of stealing money from legal entities.
• "APT" (Advanced Persistent Threat) – about targeted cyber attacks.
• About the hacker group "Cobalt" and how it worked.
• On the work of pro-government hacker groups.
• "Cryptolockers" (encryption viruses) are the main scourge of 2025. How did it all start and how do they work?
• What to do if your computer is encrypted by a cryptolocker. What is the chance of getting your data back?
• Did Group-IB, in cooperation with law enforcement agencies, identify those involved in data encryption?

Today's topic: Who and how catches hackers and carders.
Nikitin:
The main methods of infection are mail. Here, I can tell you right away, if your Android version is lower than the ninth - put it on the bulletin board and buy a new one. Windows 7 is also no longer supported. In general, there are no options, you will have to switch to ten. The first is to infect the ATM network. Option number two - banks have their own client bank for banks.

Acquaintance with Sergey Nikitin, Deputy Head of the Group-IB Computer Forensics Laboratory. Ilya Sachkov refused to come?
Pavlovich:
Our readers will say, very interesting.
Friends, hello! Today we are talking with Sergey Nikitin, Deputy. Head of the Group-IB Computer Forensics Laboratory.
His boss Sochkov was afraid of our interview and decided to send his deputy, so to speak. I have been involved in cybercrime for half my life, and these are the people who are on the other side of the barricades, on the other side, specifically the fighters against cybercrime, so you have all been waiting, there are many questions.

What are cybercriminals caught doing most often? The most common mistakes.
Pavlovich:
So, let's start, perhaps, with this, since you brought me up, what are cybercriminals caught doing most often, in your practice?

Nikitin:
Well, probably, mainly on some stupid things. That is, the human factor, it is actually the most persistent in all respects, that cybercriminals very often exploit it in order to penetrate somewhere. And social engineering, that is, since the time of Mitnick, it still works as well. If we look at the largest hacks, these are still ordinary phishing letters, where they simply lure people to open something there and so on.

Pavlovich:
Exactly the same... Like what happened with Twitter now, right? When Twitter was hacked.

Nikitin:
Yes, Twitter is a great example of engineering gone wrong. That is, there is a 17-year-old guy, he was able to hack a huge corporation only through social engineering, there are no malware, nothing, and for more than a day they could not cope with it. And the opposite example. In the same way, cybercriminals themselves get caught in a bunch of different little things. Suddenly the VPN fell off. And there is a person in Podolsk. This is just one of the real cases. That is, there is a double VPN, but it fell off and it was not provided for, so that the connection would be cut off and there the IPU really showed up. It happens, there was a case. The guys who infected Androids, there is simply the owner of this botnet from the amount of money, he did not know what to do, and he began to top up the phones of his relatives and friends.

Pavlovich:
That is ... Topping up, well, topping up a phone - there is nothing forbidden.

Nikitin:
No, once they figured him out, it became clear that these stolen funds, yes, he started to directly upload them to the phones of his family and friends without even laundering them, they caught him. Very often, even if a person is hiding there on the run, let's say, already wanted, he does not completely break off communication, again, with family and friends. This is such a great weakness, that is, naturally, it is quite difficult to completely break all social contacts.

Pavlovich:
With a girl there, with a wife there.

Nikitin:
Yes, with a girl, basically girls ruin everyone. Again, many things are not very obvious, for example, people think that if they just inserted a disposable SIM card into the same phone, then everything is fine, no one will track them down.
That's why, yes, some kind of human factor always fails and I can give an example, a common question - how quickly can someone be caught and it may sound a little harsh, but to catch a person there, some group or a person who committed one super theft, well, like in the movies, I don't know, there's some big jackpot or Ocean's Twelve and he disappears, probably almost impossible, but the trick is that most don't stop, that is, if there are many episodes, that is, this kind of prolonged action, then each episode adds a certain piece of the mosaic to the overall picture, how to get to these people. And a lot in our example, we have a lot of professional releases, yes, how they helped detain a specific hacker group, a lot of whom this group managed to detain only, say, after fifty or fifty victims. Yes, only then will a sufficient number of threads be collected that will lead to people.

What will happen for a one-time theft of $20,000 using a Trojan?
Pavlovich:
Critical mass is like that. In general, you asked this question, yes, I have it written down here. I made a new Trojan, a crypto-null, ordered the fills, what will happen to me for this and how quickly there, if, for example, I stole twenty thousand dollars there once. We answer your question that 20 thousand dollars were stolen in one go, it is quite possible that nothing will happen to you.

Nikitin:
Yes, if, roughly speaking, the method of cashing out funds itself is somehow proven, here this is the main reason, and again, techies often fall on something, on the fact that they are super-gods in computers, everything is encrypted there, everything is encrypted and so on, but then they are faced with the fact that they want to somehow get the money, touch it and so on. And, as a rule, they do not have their own ready-made cashing schemes or anything else.

Pavlovich:
Laundering.

Nikitin:
Yes, money laundering. And, roughly speaking, they are very good at technology, but not so good at finance. And they either order the services of intermediaries, well, in the same Darknet there are a lot of services for cashing out, with some kind of mixer and so on. And this is already a weak link, yes, that is, additional intermediaries, this is always some kind of weak link, you need to somehow meet later, get this money.
And this fusion of cybercrime with classical crime usually happens here, that is, there are classical fraudsters, for example, who have all this worked out, they already have super schemes - dummy LLCs and so on and so forth, they provide these services for a percentage. And that's where there is usually mainly such, well, earthly crime, and techies, they are a little on the side. And techies very often get caught in this, in this moment, that's it.
And then again, stealing 20 thousand dollars, it may not be very difficult, but where to put them later, how to spend them, how to withdraw them so that they can be used reliably - this is a question, yes, and will they get caught exactly on this.

Pavlovich:
Well, it also depends on what you stole, if you stole from a bank account, it's one story, if you, for example, stole crypto, logs, raised someone's wallets, crypto wallets and withdrew crypto, then ran it through a mixer in essence and ...

Nikitin:
Yes, with crypto everything is simpler, but if you can calmly cash out later, and our state begins to slowly fight this, yes, just recently they passed a law where, firstly, they said for the first time what crypto is, yes, and they said that you can own it, but you can't pay and so on, this is like the first bell that crypto will soon be regulated too.

Theft of what amount can provoke the interest of Western intelligence agencies?
Pavlovich:
And they often ask, for example, after what amounts do American ministries of law begin to be interested, because many travel to the USA, to Europe, and they stole something, let's say yesterday, today, tomorrow, and they are afraid, and I really get written to probably three times a week, I'm stealing something on eBay for such and such an amount, will I get anything? How do I know? I answer them from my height of experience that, well, it depends on luck, that is, someone there will steal a million and nothing will happen, and someone there will card three parcels from eBay, let's say, and that's it. How can you comment on the interests of Western intelligence agencies, especially American ones, regarding the amount that will most likely lead to your further arrest?

Nikitin:
There are probably three aspects here. First, it is very important who they stole from, yes, that is, it could be a very small amount, but from some important company. And there will be lawyers, well, American lawyers, everything is serious there, they will write a statement, as required, and handle this case in general, including with local special services, such as the FBI or Secret Service, depending on what type of fraud.
And there could be some small amount by the standards of this corporation, and the person who stole, but they will already be actively working on him. Therefore, it is not only the amount that is important here, but also who it is stolen from. The second aspect is, roughly speaking, to what extent they can identify, let's say, a multitude of small crashes with one person, somehow.

Pavlovich:
Prove that it was all done by the same person.

Nikitin:
Yes. Again, if there are many statements, they will start investigating, the NSA may get involved, and they will understand that, aha, this is still one trail, the same tactics, techniques, procedures, and great, that's it, the damage is added up, they are already working on it. Well, and the third aspect, really, what else could it be that no one, let's say, reports, well, because some small damages, again, lawyers' services, they cost money.
That's it. And, roughly speaking, what I mean is that they would initiate this case, not just file a statement. And for some time this can go unpunished, so it is impossible to answer this question unequivocally. There is always a risk, even with a small theft through PayPal, anything, especially if it is somehow done dirty, due to inexperience, leaving traces behind, there may already be problems.

Which countries are hackers and other cybercriminals better off not working in?
Pavlovich:
In general, guys, any amount, as we basically said, can lead to your capture, it is especially better not to steal at all, and if you steal, it is better to avoid the USA, because I have noticed a problem with many, well, with the majority of Russian cybercriminals, carders, hackers, if we open the news, including me, they began with the USA.

Nikitin:
I would say the USA, Britain, well, and working in Russia is also a pretty scary topic.

Is it true that if you do not work in Russia, then there will be no punishment?
Pavlovich:
Well, since you yourself touched on work in Russia, that is, there is still an illusion that if I do not work in Russia, in the CIS, do not hammer my citizens, then nothing will happen to me. Let's expose it once and for all.

Nikitin:
No, not really, I actually remember, so as not to lie, in 2014, we had research, including computers, guys who worked only in England, that's the main thing - bureaucracy, that is, what you need to understand - cyberspace, it is truly international, and in fact it perfectly uses contradictions between countries, and political ones, that is, like the events in Ukraine, some carders immediately went there, because they knew that there would be no extradition from there, and they can work from there calmly. And now they pay off the local special service, well, like for protection, and many have settled in well there. And those who worked in Russia, a couple. But what am I getting at? To the fact that the main problem is that there is a whole apparatus, how it will come to Russia.
That is, in Russia there is no applicant yet, few people will do this. But if some company is a victim, foreign, or even a big case where Western intelligence services are interested, they will pester Interpol, Europol, they will contact our intelligence services, and at some point this will accumulate a lot of critical papers. All this does not happen quickly, when we also start
to process the materials, but if those guys tried hard, I mean Western intelligence services, and they have much more technical capabilities, then in fact people in Russia can be found and accepted quite quickly. Therefore, this is not a panacea, not a panacea, but, of course, when you have a victim, that is, an applicant in the same country as you, this whole process happens much faster,
yes, that is, really, well, very quickly.

About fraud schemes on bulletin boards.
Pavlovich:
Now all this fraud on Avito is developed and for some reason everyone is hammering at Wildberries, I don’t know the specific schemes, but they write to me too, they offered me to participate in a scheme of fraud or theft on Wildberries, I say, well, that’s it, we say goodbye, we can practically say goodbye now.

Nikitin:
Yes, indeed, in fact, all these scammers, all the bulletin boards, yes, and Wildberries is still actively exploited there with fictitious deliveries. And the idea is very simple, that is, a person wants to buy something, they tell him, great, or sell, let's say, great, here's a website and there's already delivery and a courier and everything is paid for and they'll even give you money when the parcel arrives and even Avito is an official delivery, but the trick is that all these villains, they make a fake domain there and the main trick is for a person to simply enter the card details, that is, they tell him to get the payment, it says there how much he's already been paid, to get the payment on your card, you see all the data including CVV, well, and like an SMS code, let's say confirm receipt, SMS code and so on and that's it, that is, the fraud itself is not very complicated, social engineering, yes, that is, there, yes, everything is ready, there, I'll pick it up, here you have, supposedly, Avito or there, Wildberries with delivery, or there, I forgot now, another delivery service,
Boxberry, in general, they are actively being forged, there, fake domains, but the trick is to simply get the card data.

What type of cybercrimes in the CIS do you most often have to investigate?
Pavlovich :
We started talking about Russia, about this CIS segment, but what are the most common crimes, what type, that is, hacker attacks, fraud on bulletin boards, or something else that you have to investigate specifically in the CIS segment?

Nikitin:
In fact, you can imagine any crime as a kind of pyramid, that is, roughly speaking, naturally, at the grassroots level these are some kind of fraud with individuals. This is actually a huge number of simple phone calls, we know that the Federal Penitentiary Service there, in general, does not monitor the presence of a phone in cells very well, and there are real underground call centers in the zones, and, probably, the first thing that everyone now encounters is calls on behalf of banks. Fortunately, with the help of SIP, you can easily forge a number, based on, that is, this is displayed to the caller, and SMS numbers can also be forged in the same way.

Pavlovich:
They don't bother now, I get calls from some Moscow numbers.

Nikitin:
Well, and in general, the main thing is, yes, it's just a regular scam on a phone that's a thousand years old, just a little bit of new technology. And they called me, they even emulate the sound of a call center around - this is a cool topic, this is like a low level and in principle, phishing sites are also suitable here, simple ones, well, like message boards and so on. There is a lot of fraud in small amounts, mainly victims of physics, but it's kind of widespread. If we go up a level.

Pavlovich:
And I'll interrupt, excuse me, do they often file statements with the police?

Nikitin:
Very rarely. And, by the way, this is a real problem. That is, if your relatives or friends have encountered such fraud, always convince them to file a statement. But if you want justice. Let me explain, in fact, a huge number of such crimes in Russia are not investigated simply because there are no victims. And if all the victims simply spent their hour there and brought this statement, which seems to be non-binding, this all relates to the fact, Nobody will investigate, that's how it is.
The trick is that there is again a critical mass, yes, that is, as very often we work with the K Department, which is the BSTM of the Ministry of Internal Affairs, and in principle, now in almost all departments special departments for cybercrime are starting to be created, that is, for example, the OEP and PC, yes, that is, economic, but they have departments there that are associated with IT and so on, that is, we have not only the BSTM now working on this topic.
So, very often we find the villains already, we give them the materials, we say, well, and so on, and they are like, well, we need victims and applicants. Well, like, let's urgently look for victims and applicants.

Pavlovich:
So, can't they, like in Belarus? I was in prison, they initiate, that is, there are no statements, well, and you still sit. In the Criminal Code of the Republic of Belarus, I don't know, I haven't compared it with the Russian Federation, but they are very similar. There is a formulation, being there, at the time of the crime was on the territory of the Republic of Belarus, for example.

Nikitin:
No, but there the thing is that we have a crime of public statement, when the state can initiate a case, and there is a private one, yes, and so, as far as I remember, many frauds fall under it, if it is not against the state, that is, it is not theft of budget funds and so on, then victims are needed.

Pavlovich:
Well, under Article 159, if an individual was deceived on Avito, then without his statement no one will initiate anything, right?

Nikitin:
There, maybe even damages won't work, that's true, that is, there are moments, yes, statements are needed, and therefore, in general, and since there are none, it is often difficult to do anything later, this is a real problem. This is the first level, such a basic one, there are the most of them in terms of quantity, but not very many in terms of amounts. The next level is what is connected with malware.
First of all, it's a huge number of Android Trojans, it's a real scourge. Now in Russia, there are probably 5 or 6 groups actively working on Android Trojans. Well, basically, this is also some kind of traffic flooding, that is, they send it to people in messengers, and just show it on websites, and in SMS, and on message boards, and they buy a huge amount of contextual advertising, that is, Yandex.Direct and Google AdWords, and for some time you could enter something like the name of the bank, yes, there Android or there Play Market, and the very top ad, which is advertising, it leads to a phishing site, to a fraudulent one, and not to a real one.

Pavlovich:
Why Google, I've also seen these ads more than once, why don't the same Google, there Yandex, fight this?

Nikitin:
Well, contextual advertising brings in money.

Pavlovich:
So you think that they just intentionally miss it, or lack of staff, or something else. I know they use cloaking, you know, they slip one ad to the moderator, for example, but in reality there will be another?

Nikitin:
In fact, it's a complex of all these things, that it's just intentional, yes, they make money on it, but they don't control it very strictly. That is, indeed, and all the clacking, as you say, and very often there are all sorts of machinations with keywords, yes, that is, in the text of the ad they can change the letters a little, substitute some letters A from the Albanian alphabet and so on. Well, that is, there are all sorts of moments that it is not cut automatically, that is, by bots. Here, I mean the bots of these contextual advertisers.

Pavlovich:
Well, that is, it does not come to manual moderation, all sorts of technical tricks made it so that it automatically passed moderation, especially if the advertising account is warmed up.

Nikitin:
Yes, a great example. Yes, and in general this was a whole problem and to this day it still happens in principle and works very simply. A person follows a link, downloads an APK, installs it on his Android, they tell him, you know, this application is generally bad, it can intercept your SMS, make calls, arrange a revolution in Syria, anything. So who says? This is Android directly speaking. The person still says, yes, of course, this is a banking application, this is normal, well, that's all, then his money is stolen.
There are several options, the simplest is on Android it is the ability to send SMS to a short number. Almost any bank now, you can simply send an SMS to the number, just with the card number and the amount, up to 30 thousand a day you can convert all this into money. And another thing is that this virus hides incoming SMS messages, that is, the person does not even know that his balance is changing.

Pavlovich:
Especially if he does not have the service connected, that is, the notification.

Nikitin:
Even if it is connected, that is, the virus itself, it hides SMS messages from the bank. And plus there is a slightly second option, which at some point suddenly shows you a Play Market window, as if it were real, and it says, you know, you need to activate your card details. Enter your card details there, everything and the code, everything, and it intercepts one-time codes itself and does not even show that transactions are being made.
This way you can paint more money, that is, just by SMS there is a small transfer, and knowing the card details and the one-time code for confirmation, you can transfer any amount there.

Is it possible to get back your own money stolen by scammers?
Pavlovich:
I somehow recently forgot that I made a transaction myself, well, I saw it on my own, well, I just really forgot there to some bookmaker there, the merchant is written there, Royal Pay, how do I know what Royal Pay is there, if they wrote the bookmaker, there is such-and-such, let's say, I would quickly figure it out. I call them in support and ask, I say, what the hell, they say, so we, even if not you, we can’t do anything with this transfer, because you confirmed it by SMS, and if in this scheme of yours you say something, if the transfer is confirmed by SMS, that is, you can wash it down with water, that is, there is no way to get this money back?

Nikitin:
Unfortunately, this particular example, I’ll tell you a little about how you can get your money back, but this example, you really can’t get your money back, why? According to the law, roughly speaking, we have remote banking services, there is a whole cool agreement, and banks protect themselves very coolly, that, they say, we gave you a login and passwords for a certain EDS, this is if we are a legal entity, yes, or some analogue of a handwritten signature, and if something happens to them, it’s your problem.

Pavlovich:
Well, that is, the analogue of this handwritten signature is the base code. As I understand it, there are two points, the first is the SMS that comes from you, the second is the PIN code, if you are there at the ATM. All this confirms that in the eyes of the bank it was you who made the transaction.

Nikitin:
Yes, and how would you sign your transaction with this. If it is a legal entity, they have separate tokens with an electronic signature. And indeed, if in general it is signed with a one-time code, it is like with a situational signature, this transaction immediately flies away and that's it, nothing can be done. But here is an excellent example, if, let's say, your card is stolen or you lost it, and someone with it, let's say, pays contactlessly and so on, this money is returned without any problems at all, because you say without my presence, no one signed, did not sign, did not enter a PIN code, as if everything, all these operations are easily contested.

Pavlovich:
Well, you can request a video camera in the store, that it was not you who stood at the checkout.

Nikitin:
True. And even if it's white plastic, that is, somewhere in another country, and you confirm that you were here, yes, then this money can also be returned. That's it. And that's why everything is bad with online transactions, but with card transactions, yes, it has become much better. I don't remember what year, we just passed a law on the national payment system and, among other things, thanks to it, now there are opportunities to return money. I can tell you right away that if someone has suffered from such fraud, a certain level of persistence is needed.
How will it work? You will come to the bank, write a statement, describe what happened there, they will tell you - no. You will need to go write a statement to the police, get a KUSP coupon that a case has been opened there, and with this KUSP coupon come to the bank again and write a statement again. Usually two statements are enough to get the money back.

Pavlovich:
In any case, it doesn't matter how they stole from you?

Nikitin:
No, well, that is, if they stole it there specifically by hacking a smartphone, the chance of getting the money back is very small. But you can still try. And I repeat, persistence is needed, that is, banks simply have a certain first line that always kicks people out. You need to write twice, and there is a chance, there is a chance that the money will be returned.

Which of the Russian banks is the most protected and the most loyal in terms of helping clients in the event of money loss?
Pavlovich:
By the way, which of the Russian banks, let's take banks, is the most protected, I have my own opinion, I want to hear yours, self-protected, once, and the most loyal in terms of accepting applications, these return of clients' money specifically in the investigation, participates in the fate of a person if his money was stolen?

Nikitin:
In fact, it is difficult to say, I just work with a bunch of banks and banks are often our clients. And it depends very much on the case, yes, that is, it also depends on who the money was stolen from, sometimes they just want to show loyalty, the bank itself, and it returns all the money to some VIP client, for example, and so on, and therefore there are very different options. And it happened that, for example, money was stolen from one bank and scattered among others, right from the bank itself, and it starts calling its colleagues, asking them to stop, and very different answers come. Therefore, it is difficult to say. I can say the following, the larger the bank, the slower it implements antifraud, because it is a huge machine, and the more difficult it is to get something out of it. But on the other hand, large banks have much more money for cybersecurity itself and for the solutions themselves. Therefore, it is very difficult to name some top in terms of security.

Pavlovich:
Well, I like T-bank in this regard, because sometimes I, I show the card on air, show something, and then you sit at home, in short, you watch everything, oh my God, even I start. And in this regard, I liked Tinkoff the most, because they somehow, well, somehow all at once, any suspicious transaction, they stop it, call, T-bank, and, probably, I just have 5 banks, in second place, probably, Alfa.
And these Sber and so on, somehow in general, it may be real that large banks are already old, and the same T-bank, it is somehow younger.

Nikitin:
And it is more digital, there are no offices and so on, they solve everything there through chat, so why not. But it is difficult to judge from the point of view of security, how exactly they will return the money, yes, that is, it depends a lot on what kind of client you are, that is, all banks have a certain rating, yours, in their eyes, I am not only talking about the credit rating and as I say, that is, there are all sorts of moments, what kind of client you are.

Pavlovich:
I can also add APK, I just have this chat in Telegram for 11 thousand people, these Arab bastards are constantly, well, accordingly, cybercriminals with an Arab inclination, they constantly send this APK spam to three people. And they have even become so dodgy that I have a chat admin, he does not let you in until you invite three friends, until you accept the rules, and still they bots invite bots, and constantly these APK files. That is, this is an executable application, this is Android.

About malware for Windows.
Nikitin:
Yes, Android packages, in fact, well, these are the programs for Android. Here, and this, we have risen to level 2, that is, this is already with the use of malware, and here also malware that is aimed specifically at physicists under Windows comes in. And what do they do? They make it so that you type or go to a bookmark on your bank site, as if everything is fine, that is, this is not some kind of search engine, search results, but so And since the computer is already infected, it redirects you to a phishing site, and there are malware that now even allow you to do it so that the real address will be displayed from the address bar.

Pavlovich:
But here the hosts file is rewritten.

Nikitin:
No, this is the most primitive option, then this very SSL will not burn, the SSL will not burn, but it directly patches the browser in memory, and the real address is shown, and even that we have no protection, but we are on a phishing resource.
At first it was like this, that you enter login and password, it will go to the real site and there it asks for SMS to enter, you enter, and then they need to perform some operation, yes, and usually they waited until you pay for something, and sent a fake operation, a code for a fake operation, but now everyone started reading what kind of code comes, and the front slept, and I came across a cool topic, when a person enters login and password, a one-time code goes to his bank, and he immediately receives an SMS there, let's say for 500 thousand rubles, and on the bank's website there is a huge new form, this is on a fake resource, where it says if you received an SMS about an operation that you did not perform, enter the code here and we will cancel it, well, and well, people enter and money is kind of stolen, and very often on these resources there is a phone number, it is fake, not real, if you call it, then a beautiful girl with a beautiful voice will tell you that everything is fine, everything is as it should be, you are great, you enter everything on the right site There is no need to worry, there are such Trojans in general and they work, this is like the next layer, yes, that is, according to the pyramid, these are viruses that are aimed at physicists. The amounts of theft are small, on average, I only 50 thousand rubles for one operation, because physicists
do not have a lot of money and the amount of fraud is quite large, but not that big, well, less than at the level of social engineering.

How and where do users most often infect their smartphones and computers with malware?
Pavlovich:
Let's figure out at this level how people most often get infected and where, they infect their Android smartphones and their computers in general with these malware.

Nikitin:
In general, let's say that exploits for Android are rare, just to open resources, you got infected. Basically, people install these APK applications themselves, I have come across a variety of formations, how they are persuaded to install, for example, I liked one such for you a romantic gift and APK. The person really wants this romantic gift and he does not see any warnings at all. And in general, Google has pumped up Android quite well in terms of security. And there is already a built-in antivirus, which forcibly sends APK for scanning, if you have 8 or higher, in general, Android.
That's it. And therefore, infections are somewhat decreasing now. But under Android, people mostly install malware themselves. I can say right away that if your Android version is less than 9, with security updates less than July 2020 and it is no longer updated, put it on the bulletin board and buy a new one.
This is just a harsh reality, which is related to the fact that, in general, manufacturers do not support devices for long, and you will be vulnerable from a cybersecurity point of view, you can't do anything about it, yes, that is, you will simply have to change the device so that it is updated.

Pavlovich:
Or buy an iPhone, yes, because as far as I understand, you can't install all the apps on an iPhone from a third party, they're via Claymark.

Nikitin:
We'll talk about the iPhone a little later, yes, and yes, we'll talk about different viruses in general, for Macs, for iPhones, that's no problem, just about Android, here you can immediately give a recommendation on what, where to look and what to do. Now Android simply has separate versions and separate security patches, that is, the version itself is no longer so important, if it's 9, 10, 11, it's not important. That is, up to 9, in short, we throw everything out or sell it.

Pavlovich:
Or you can drive it to the zone, friends, because mobile phones are always needed there.

Nikitin:
Yes, they'll definitely come in handy. In general, it's better to change it yourself. This is precisely the question of the fact that exploits for Android do exist, but less often, that you just open a site and are already infected, you don't need to press anything. And under the computer the situation is the opposite, most infections are individuals. It was just you visit some resource, you have not updated Windows or you do not update your browser, there is an exploit on this site, and it loads everything itself, the ocean does not overflow its banks, no smoke comes out of the computer, simply exploiting the vulnerability in the application on which it is installed, you get a Trojan, and very often when exploiting the vulnerability it increases its privilege so much that even if you have an antivirus, it, in general, will not help in this case. That's it, you are infected, and you do not know about it. Naturally, a Trojan, if it is not an encryptor, yes, a ransomware, it will just sit, its task is to redirect you there to this resource.
They also have the ability to install any additional modules, you can install a DDoS bot to DDoS, you can install some kind of miner, you can just install a proxy so that traffic passes through you, and then the masked show comes to you. In general, there are a huge number of options. Therefore, mainly physicists were infected through exploitation of vulnerabilities. A lot of people are still using XP or 7, which have also basically stopped supporting them, or some never update anything because something might break, and there were quite a lot of infections, now there are a little less of them because people are gradually switching to 10, and at least the top ten already has built-in Aver, yes, but Windows Defender, of course, does not provide some kind of super protection, but it is better than nothing at all. Therefore, and of course, there was a huge number of infections simply through social networks and mail, that is, you receive something, for example, from a friend or from a letter, and there is a doc file in the attachment, you open this doc file, and the office is not patched, some office from 2007, and in the same way you are immediately infected. PDFs are often sent. And additionally, that is, actually, in fact, to be clear, malware, they are also written according to the principle of the elusive Joe, that is, if the system is very rare and no one needs it, it is simply economically impractical to write for it, viruses.
And since most of them have Windows and Android and products, this is Java first of all, this is Adobe Flash and Reader, and these are the browsers themselves, that is, Chrome, Firefox and Word, and, of course, Office. And, of course, they are the ones they look for holes in the most and through them they try to exploit the greatest number of vulnerabilities. Therefore, it is very important to update them in a timely manner, that is, so that zero days are used to hack someone en masse among individuals, this rarely happens, zero days are vulnerabilities that have not yet been published, yes, that is, they exist, they are starting to be used, but the vendor does not know about them yet, has not yet had time to patch them. And no matter how you cannot simply protect yourself, so here are the main infections, that is, mail, social networks, well, and you just open a site, these can be very large resources, they are regularly hacked, exploit packs are placed on them and good exploit packs have a penetration rate of, say, 20 percent, and let's say our resource traffic there is I don't know 10 thousand per hour, these are not even the largest and here you have 2 thousand bots, an average increase every hour. Therefore, be careful with the investments that come and most importantly, follow the updates. If we are talking about there are no options at all now, except for Windows 10. Yes, this is, of course, a pain for legal entities mainly, but if you are an individual. face, go ahead, don't think about it, especially since there is a free upgrade now, from 7 and so on, but it still works, although they generally scared me that it wouldn't work.
Everything works, you update, Windows 7 is no longer supported either, in general, there are no options, you will have to switch to 10.

Pavlovich:
In short, Windows 10, let's sum it up, and Android, if that, the ninth version above and the latest security settings patches.

The main methods of stealing money from legal entities.
Nikitin:
Right. Our next stage of the pyramid is already legal entities, they have a remote banking system, client-banks, there are already large sums, the average amount of theft is about three million rubles, the main methods of infection are mail, that is, a resource comes to the accountant, a letter, let's say, immediately pay the bill or here is a pre-trial claim, you immediately open it.

Pavlovich:
Well, fear, they use emotion and fear, yes, so that a person quickly, without turning on his brain, goes to look, what happened, suddenly I screwed up and they fire me tomorrow.

Nikitin:
Yes, and this, by the way, is a great example of all social engineering, and phone calls and so on, they will constantly put pressure on you, that is, that it is urgent, that your money is being stolen right now, you need to run urgently, and so on. I met telephone scammers who called pensioners, and pensioners are not able to set up a client bank or anything else, and they led them directly over the phone so that they ran to an ATM, and you can also transfer money through an ATM, they simply dictated to them what to enter, and there you can directly enter the card number, to whom to transfer the amount and so on, and people, like zombies, just entered and transferred money. And they are all exploited, urgently we see that another thousand was stolen from you, like run-run, we will save you, that's why, yes, this is actively exploited. And the second is hacking very large corporate resources, I can't name them, but, in general, where all sorts of
clerks, accountants and such personnel go who have the opportunity to work with the client-bank, well, and...

Pavlovich:
Well, the tax office, by the way.

Nikitin:
Yes, and they are also often hacked so that the target audience goes there, and then they steal money through the client-bank. At some point, all banks switched to tokens, well, electronic and digital signatures on flash drives, they cannot steal the signature itself from there.
But no problem, the villains install a program for remote control and go directly from this computer in a parallel session, transfer money.

Pavlovich:
They intercept the code for this session, which came.

Nikitin:
Yes. And plus, for example, it can be, let's say, an unloading from 1C, and it is transferred via a file, and the program automatically changes the details at the time of transfer, that is, and the unloading from 1C to the client-bank itself, it is transferred via a file. And in this file before everything, that is, the virus itself changes the details. The person thinks that he is paying for one thing, but something completely different is leaving.

Pavlovich:
Well, that is, I will explain to those who did not understand, a quick thought. That is, an accountant, for example, the owner of the company knows that today he has to transfer 10 million to the tax office or for some equipment. And he knows about it, the accountant knows, the accounting department made up this invoice, entered the tax details there, or the store, there, DNS-shop, and they all pay, but at that moment the details have already been replaced with the details of the intruder.

Nikitin:
And the money goes in a completely different direction. But here the size of the theft is millions, sometimes tens of millions of rubles, because legal entities have a lot of money, and here, let's say, more, well, such a targeted approach, that is, more complex Trojans, they already bother with mailing, they already bother with buying exploits, there are already custom Trojans, here are private Trojans that are not on public sale, that is, some group just uses them and does not give them to anyone. So, and probably somewhere around 2009 in Russia there was a wave of fraud with the client-bank, namely with legal entities. Now it has died down a little, because banks have very strongly implemented anti-fraud solutions, they have set them up well, and these anomalies, they simply work well.
But I still remember, I have been working since April 2010, yes, it was recently 10 years. 1And I remember very well how in 2012 a pharmacy bought 20 excavators, and this did not cause any surprise in the bank, that is, it was written directly in the payment document, the value of the payment, there are 20 excavators, so, for a sum of several tens of millions of rubles, and the transaction went through.
Now, most likely, this would not have passed, yes, that is, they began to fight it a little, that is, the volume and quantity of fraud has fallen a little, but it still takes place.

"APT" (Advanced Persistent Threat) - about targeted cyberattacks.
Nikitin:
And finally, the top of the pyramid is APT, that is, Advanced Persistent Threat, that is, these are complex, multi-level attacks and threats, long-term, as a rule, and here, oddly enough, the main target is the banks themselves, that is, why steal money from some old ladies, from some businessmen, if you can steal money from a bank, and the bank can have hundreds of millions of rubles in a correspondent account. And all this can be, in general, stolen. And somewhere around 2015, a lot of hacker groups appeared, which had names, on which we wrote reports and so on, which actively worked specifically on banks. That is, they stole money directly from the bank itself, and here in fact there are only three ways.
First, it is possible to infect the ATM network, and then a person simply approaches the ATM with a garbage bag, not even a garbage bag, for corpses, a huge bag with thick plastic. The ATM screen goes out, and it simply spits out everything that is in the cassettes through the dispenser.

Pavlovich:
Well, how much money is in the ATM? I know, if the ATM is filled with foreign currency, there, for example, in dollars, there is about 200 thousand dollars in the ATM, if in dollars.

Nikitin:
Yes, in rubles there were somewhere, I think, 6 million standard load in one ATM, and since the entire ATM network is hacked and, for example, there are FAIs of bank offices, where many ATMs are in large branches, they ... I have a FAI in Alfa 6. So, in fact, the person who takes the money, he does not understand anything at all about what is happening, he just goes to one ATM, to another and the money falls out. But in fact, the operator already controls the ATM management service, he uploaded malware to this ATM, which allows this to be done, and such scammers, such thefts took place, and the amount of damage there is hundreds of millions of rubles, because this can happen all over the country, in many branches and so on.
Option number two, banks have their own client-bank for banks. It is called ARMKBR, or automated workstation of the client of the Bank of Russia.

Pavlovich:
This is what connects to the National Bank,

Nikitin:
Yes, to the Bank of Russia, and this is, in fact, the thing with which banks report to the Central Bank on the execution of transactions. For example, when an interbank transfer is made, it is carried out in this way. And what is done? On this ARMCBR, the details of all transactions that are currently in progress, which we need, are simply replaced. That is, roughly speaking, there is some stack of transactions hanging there, which will happen now, someone pays somewhere, and instead of this, the details of the one we need are simply substituted, and all these transactions go to, in general, fraudulent details, and this money is withdrawn directly from the bank's correspondent account. That is, they are withdrawn not from people's accounts, but from the bank's correspondent account, and there, maybe on some weekday, especially somewhere on Friday, it is easy to be up to a billion, and large banks can have exorbitant amounts there.
And we have seen examples when a bank had practically everything stolen from a correspondent account that was there, and this automatically revokes its license, because the bank does not have enough liquidity, that is, capitalization, capital coverage simply does not work for them by law anymore and their licenses were revoked.

Pavlovich:
But when 10-20 million rubles, a billion, are stolen from a bank under such a scheme, it will quickly become known and this money will not be able to be simply cashed.

Nikitin:
In fact, the bank understands what happened at the end of the financial day, and during this time the money comes into the accounts and starts to be scattered like trees.

Pavlovich:
To scatter where, to individuals, from ATMs?

Nikitin:
First to legal entities, and then, as usually happens, there is OOO Obnal, OOO Obnal issues diamond cards, well, in short, platinum cards for some fictitious persons, there is just a high withdrawal limit.

Pavlovich:
Well, corporate.

Nikitin:
Yes, corporate. And it recruits these people, they just go and withdraw the entire limit they can from ATMs. Everything that comes there, they just have a high limit on platinum cards at a time. Well, and for some time they really liked Yekaterinburg for this, well, beyond the Urals in general, so that all this would happen, in the Urals. Well, somewhere until about 2018.
Why? Simply because there are fewer cameras, their movements are less tracked, and I remember once there was a funny case, it was some city, a small Ural city, where the villains just arrived in a Gazelle with these people, and they gutted all the banks, all the banks' ATMs, well, I mean gutted in the sense of just withdrawing money from there, they didn't care about the commissions and so on, and in short, the cash disappeared from the city. The cash completely disappeared, and they left there with bags of money in this Gazelle.

Pavlovich:
How many such cases were there in the CIS, where money was stolen through this Central Bank of the Russian Federation, there, an exchange office with a bank?

Nikitin:
More than 30, probably, or 40.

Pavlovich:
This is for the time that you have been working?

Nikitin:
Yes, there was a group called Anunnak, it was very active, Anunnak or Karbanak, that is, in Kaspersky they call them Karbanak, we released a report a little earlier, it was called Anunnak, by the way, you can read it, it is public, available on the website, here, the utilities themselves are described there, with what, how they stole it, and even the fraud scheme. That is, they sent an accountant a letter with a RAR archive, and inside this RAR archive there was a file with an extension, a document, it has an extension there name, .Doc.Scr, here, SCR is, in general, a screen server file, it seems, but in fact it is the same as exe, but few people know about it.
In general, the accountant opened it, and all sorts of infections occurred there, and there were many such banks.

Pavlovich:
I recently, I know, he sent me the same thing, again, this speaks of the exploitation of the human factor of social engineering. Someone recently wrote to me on VK, check it out, I made you a cool new preview for the channel we're on now, yeah, there's a splash screen and everything, and he sends me a file with an extension, it just reminded me of SCR, I say, well, I see, but he didn't even take into account that I have a Mac, you know?

Nikitin:
Well, yes, it's awkward, awkward, and in general, what's the trick? In that they hack, for example, a person in a bank who has nothing to do with money at all, it could be a manager, for example, I came across, for example, one of these letters, on behalf of a legal entity they write that they want to open a deposit for a million euros, and here, and here are our details, and the manager, naturally, is like "Oh, well, a great client, we need to make an application" and so on, they infect him, and it's like nothing can be done from this computer at all.
But that's the trick, that these are complex and long-term threats.

Pavlovich:
Well, access to his corporate e-mail, at least.

Nikitin:
Yes, in fact, already to the computer, that is, he has access to the computer, what to do? They break something on this computer and wait until sysadmin, let's say, PRDP connects to solve this issue, and at that moment you can steal the password from the admin, especially if it's seven, that is, there is a program called Mimikatz, it allows you to directly and explicitly steal logins and passwords on old Windows, and that's it, they are already, let's say, support admin, then they go to the admin's domain, now the entire domain, in principle, is in their power, they start looking for where they can steal money from, because different banks have different security systems, on these systems, through ATMs, through ARMKBR, through SWIFT, here by the way the third option is SWIFT, if international payments, a SWIFT terminal can also conduct money.
They find where it is easier for them and steal from there, and the trick is that several months can pass from the first infection to the withdrawal of money, and all this time the villains will be inside the bank's network, they will move from computer to computer, increasing their privileges more and more, at some point they can completely abandon the Trojans, because they will already have, say, a stolen VPN to the bank, they will have logins and passwords, they will move like real admins. And it will look like they are real admins.

Pavlovich:
Well, they will simply erase the traces, erase why they need a Trojan through which they penetrated.

About the hacker group "Cobalt" and how it worked.
Nikitin:
Yes. And, in general, all this moves, and then the money is stolen. And this is already the top of the pyramid, yes, that is, it is a really complex group, they have a division of responsibilities there. Then our next group was Cobalt, yes, because there is such a framework, it is called Cobalt Strike, it is actually a dipping test framework. It has a legal creator, it is sold and so on. Hackers took its cracked version and simply, it is very convenient, and simply actively exploited it in order to move around the bank's network, and this is where this group got its name.
For example, they actively did a slightly different trick. Firstly, they attacked not only in Russia, but also a bunch of banks in Europe and in Thailand, in Southeast Asia, and so...

Pavlovich:
With the same tool.

Nikitin:
Yes, they are also tools, they had the infection vectors themselves, but their own, yes, it gives a load from this cobalt. And what did they do there?
They got access to processing. What is it? This is card processing, and you can do something with the operator. I can take a specific person and just give him a credit limit, let's say, of a million euros, well, an overdraft. It can be either a credit card or just a debit card, but with a huge overdraft, I just change this limit in processing and that's it.
And here was an example of an attack in Eastern Europe on one bank, there were Eastern European gypsies, they came to the bank, completely legally received debut cards, this does not oblige anyone to anything.

Pavlovich:
Well, their overdraft limit was increased later, right?

Nikitin:
Yes, hackers suddenly raised an incredible limit in euros for them through processing, I think it was 200 thousand euros, how much can you put on this card, there is some random one in theory, and then they just came and withdrew money from this card completely legally, and then they disappeared, they moved all over Europe, and what was remarkable here was that the bank was in one country and the money was withdrawn in other European countries, but this bank has a branch network of others, and this is an example of what can be attacked.

About the work of pro-government hacker groups.
Nikitin:
And there, too, roughly speaking, hackers were inside the bank for quite a long time, that is, for months. Well, and here you can finally include non-financial fraud in this group, well, not fraud at all, but precisely at this top of the pyramid is everything that is connected with preaching hacker groups. That is, those who attack not for money, not to steal something, but for information.
They hack all sorts of research institutes, all sorts of industrial facilities, military facilities.

Pavlovich:
This is already espionage.

Nikitin:
Yes, this is already espionage. And I have an example of such an attack, where hackers were, that is, enemy intelligence was there for more than six years. That is, hackers were in this organization for six years, and even then, perhaps, we did not roll back far enough, because at some point they simply wrote off the computers and there might not be any traces of the first entry there.
A defense enterprise, this also happens, but, naturally, in percentage terms, this is very, very little. So, this is approximately such a pyramid of fraud, and, finally, this is kind of historical, yes, more, how it all happened.

"Cryptolockers" (encryption viruses) are the main scourge of 2025. How did it all start and how do they work?
Nikitin:
Right now, if we talk about 2020, since January 2020, the main scourge and the main attack on everyone is ransomware viruses.
That is, the villains again with the help of the same tools - phishing letters with attachments, exploitation of vulnerabilities and so on, infect your computer and after that simply encrypt everything and ask, extort money.

Pavlovich:
Well, these are such lockers, they just block and really, that is a scourge, I have heard about this already, not the first year I hear about it, but I myself recently encountered, well, as myself, one of my friends wrote, she is an accountant in several companies, and she succeeds, she grabbed this crap somewhere and encrypted all this 1C there, well, it really takes a very long time to restore, and he asked for 500 dollars, I write to him, listen, well, I am such and such, how can you, you know who, how can you be paid, but they will pay 200.
Well, really simple. And that's it. She says, well, I am ready to give 200 dollars, like, just to do this manually. But he says, no, like, no way, she says, I'll, well, I'll restore it, in short. Well, in principle. And that's it. And we've already sent him, and then the next day, I think, he wrote to me, like, come on, okay, for 200.
I say, well, that's it, the train has left. But 200 is, well, 500 dollars, that's what he asked us for, yes, I've read all sorts of cases on the Internet, they block some hospitals where people are really connected to all sorts of artificial devices, ventilators and the like, and they ask them for thousands, millions, sometimes in bitcoin, of course, a ransom of millions of dollars, and they pay, the thing is that many.
And it turns out, you say that now this is the main scourge of cybercrime.

Nikitin:
Briefly, another historical recursion. It all started with blocker viruses that simply did not allow you to enter Windows, it was in 2010, they asked to send a general SMS to a paid number, and you receive an unlock code. But nothing was encrypted, it was pennies, nothing was encrypted, just for users, for home users, who generally panicked, and these were Locker viruses, there were a lot of them.
And it was such an interesting moment that these numbers were paid, they were legally issued by operators, that is, it was a long time ago.

Pavlovich:
But it is possible to figure out if it was legally issued.

Nikitin:
They were caught there normally later, that is, Department K worked normally, and it was a very interesting precedent, because it worked only in the CIS countries, because only we had such operators who agreed to issue such numbers, even despite the fact that such fraud was going on.
I know that the operator Orange in Europe, something like that happened to them, and there it was literally one precedent, because they were immediately told that it would happen again, and we are giving you a communications license.

Pavlovich:
You know, maybe why? Because, I don’t remember the exact numbers, but if you go, like, tomorrow get a paid number at Megafon, figuratively speaking, you will give away, in my opinion, about 60% of your earnings, you will be an operator. Maybe it’s all just about the money of corruption.

Nikitin:
And, in general, they fought against it, you know, they caught people. The next iteration were viruses and primitive encryptors, when the encryption algorithms themselves were written by hackers themselves, by programmers in fact. They were often written disgustingly and there was symmetric encryption, and to put it simply, if you reverse engineered and examined this virus, you could find the key and decrypt the files.
And at some point, antivirus vendors even released decryptors for a specific type of virus and, in principle.

Pavlovich:
They fought against it. Well, in the case I described, we understood there by a number of signs what kind of encryptor it was, but why did I even talk to him about money, there, yes, having tried to reduce the amount, because there was no decryption for it, specifically for this version.

Nikitin:
No, I'm saying this now. It was somewhere, probably, in '15-'16, now hackers don't bother with this at all, what do they do, well, even virus writers, to be precise, have excellent ones ready-made in the OpenSSL library, you can take the RSA algorithm from there, this is asymmetric encryption, that is, the public key, it is stored directly in the virus.

Pavlovich:
What is the key length in RSA?

Nikitin:
2048. So, that means the public key, it is stored inside the virus, and everything is encrypted on it.
Well, there it is usually a little different, there it is encrypted on some AES, and the AES key is encrypted on RSA, but these are already details. Our viewers will say, very interesting, but nothing.
That's not the point. The point is that, roughly speaking, the key on which everything is encrypted is open, no one has it, it's sewn up in the style of a virus, and the private key is only on the villain's server, and that's why it's impossible to decrypt without the private key, that is, such modern encryption viruses use asymmetric encryption, that is, not symmetric, but asymmetric, this is when we have an open key, a private one and the private one is stored by the villains, and there are examples when decryptors are let through to them, but when is that? This is when, for example, INB came, seized this server, took all the keys and made a decryption tool out of it. And such examples from Microsoft and so on, when they have joint operations there, when they seize these servers, this is a rarity, this is a rarity. And that's why they are super effective, yes, that is, I mean these extortionists. Once encrypted, it is impossible to decrypt, brute-forcing is simply useless. Well, the key length is huge.
And here there are, probably, well, two subtypes, this is Ransomware, well, Ransomware is a class of ransomware viruses, where encryption ransomware is suitable, and the simplest ones, really, you encrypted your home computer, opened something there and that's it. It really asks for some dollars, not much.

Pavlovich:
In your practice, how much is the most, the minimum and maximum asked for?

Nikitin:
Well, the maximum, this is a public case, Garmin - 100 bitcoins.

Pavlovich:
100 bitcoins, that's a million dollars, let's count.

Nikitin:
Yes, so we will now get to the attack on Garmin, but there are more complex groups, they mainly attacked, attacked legal entities and attacked in a very primitive way, a bunch of legal entities have an open RDP port, well, for remote control of the Windows desktop, they just made themselves an admin to make it convenient. Desktop repair, remote work pole.
Yes, and no brute force protection, and they simply brute-forced accounts, got directly into the company via RDP, and encrypted everything there, A huge number of 1C are remotely controlled, they hang somewhere on the Internet, this is a virtual server with 1C, RDP access there, they brute-forced and encrypted it.

Pavlovich:
Yes, this is done through Shotdan, like this Internet of Things coffee makers are hacked, that is, I had one hacker sitting at home, he scanned right in front of me in an hour with a certain open port, yes, a bunch of these cash registers of all kinds, there are video cameras, cash registers, home computers, that have this port open, therefore all unused ports, this is sysadmin and many are simply negligent, they simply forget to disable all unused ports, naturally.

Nikitin:
Well, they brute force and everything, and encrypt, but now more sophisticated groups have appeared that also send e-mails, send with attachments, or just follow a link, but that's it, the point of infection, and before they get into the network, they don't encrypt right away, they study what kind of organization it is, and most importantly... Most importantly, they look for a backup server and encrypt backups first of all, and then they encrypt everything else, and people can't recover from backups, and very often the backups are just on a Windows share, that is, they don't use any special software or any external media, and a Windows share, if it has write access, we also encrypt it without any problems.

Pavlovich:
You can even just erase them, and that's it, you don't have to encrypt them.

Nikitin:
If you erase, you need to wipe so that it is impossible, you need to rewrite so that it is impossible to restore, because if you just delete, you can restore everything without any problems. That's it. And it is easier for them to encrypt. That is, encryption is also like rewriting, rewriting with something encrypted. And in fact, right now we have encountered, there are many different groups working there, from different countries, you can even see it by the writing style, someone will write in Russian with terrible mistakes, we met Iranians there. That's it. But they study the organization before encrypting everything.
At some point, well, click and everything is encrypted. And first of all, they encrypt backups. The office cannot recover from backups and they are forced to pay.

Pavlovich:
Is there any hope? Oh, they encrypted, and now we will look at the backups, they climb into the backups, and then it's a bummer, and that's it, and you understand that you have no way out.

Nikitin:
Yes. And here's another funny thing, a virus that encrypts everything is probably always well written. Not always. Not always. Or rather, the guys who write the encryptor, they debug everything related to encryption well, but everything related to decryption is bad. And we had several examples when people paid ransoms, agreed on everything, connected with hackers. Bargained. Yes, everything is fine there. They say, here are the keys and so on.
And they can't decrypt, because the program itself had a bug, and it encrypted incorrectly, and even knowing the key, the data simply got corrupted, and that's it. And this happened several times.

Pavlovich:
But I wonder if they returned the money?

Nikitin:
In different ways. Sometimes they did return it, yes. Sometimes they did return it. That's it. And therefore, roughly speaking, when they ask for extortion, I can simply say the probability, yes, that is, about half after paying the ransom simply stop communicating, well, they don’t care. And only half contact, and somewhere around another third fail to decrypt them, decrypted by them.

What to do if your computer is encrypted by a cryptolocker. What is the chance of getting your data back?
Pavlovich:
Then the optimal algorithm of action, if the data is on your computer, well, I have, I have a lot of everything, I have backups, yes, on an external device, but let's say if my computer was decrypted, and there were no backups, I would probably be ready to pay a couple of thousand dollars, well, just so as not to get lost, not to restore, so this is me, an individual. if a legal entity, then, of course, they will pay 50 or 100 thousand dollars.
The most correct path then, if the computer of an individual, or a legal entity. persons with valuable information have been blocked.

Nikitin:
First of all, check what type of virus it is, you need to understand what kind of encryptor it is, what type of encryption is used there, that is, asymmetric or symmetric. There are a huge number of resources now, when you even write just a ransom note, in general, all virus encryptors leave some kind of warning, like "we encrypted you, contact us like this."

Pavlovich:
There is often a file name, some DLL, something like that.

Nikitin:
Yes, it is just text or appears right on the screen, and so on. In English, this is a ransom note, that is, a ransom demand. And, roughly speaking, even if you start looking for this demand, you will immediately see a bunch of, firstly, other victims, and you will understand what kind of virus it is. Now, if it can be decrypted, great, download the utility, decrypt. If not, if it is asymmetric encryption, then either restore from backups - this is the best option, or decide whether to pay or not.
Well, I'm saying the probability that they'll decrypt it is 50/50, that after you pay the ransom, they'll contact you or they won't. And of those 50 that contact you, another third won't be able to decrypt it.

Pavlovich:
So it turns out that we have a total of 50 and a third, in short, we have a total of, even if we pay the money, less than 20%, 15-20% chance that we'll recover this data and successfully decrypt it even if we pay.

Pavlovich:
And then what? Not pay at all?

Nikitin:
Here everyone decides for themselves, yes, and organizations also decide for themselves, that is, it all depends on how critical the data really is. Again, information can be priceless, some cannot be recovered in any way. It's hard to say, that is, when our clients ask us to respond to an incident, we always tell them that it's up to you to pay or not to pay. We are simply saying, we have experience among victims who have contacted us, this is the probability.
And then, based on these risks, we can make a decision whether to pay or not. And basically, they contact us, first of all, of course, to decrypt, but, as I say, this is rarely possible, and we are mainly engaged in finding out how they got into the network, yes, with the help of what, how they moved and did not leave bookmarks.

Pavlovich:
Find a scapegoat, whose hands to break.

Pavlovich:
Well, this is a Russian topic, in fact, abroad we, perhaps, work internationally, they are more relaxed about it. In Russia, yes, they often try to hold the admin or something like that guilty, but the point is that there are also the following, that the villains, they leave bookmarks somewhere in the scheduler or somewhere else, and you pay the ransom, decrypt everything, and two weeks later they come back and encrypt again. Again, the same thing. And basically, when we react, we find out how they got in, what to do to avoid getting in, yes, and we check if there are any bookmarks left.
Because, I repeat, it is almost never possible to decrypt.

Has Group-IB, in cooperation with law enforcement agencies, identified those who are engaged in data encryption?
Pavlovich:
You say that these admins, these servers, the criminals themselves, intelligence agencies around the world, figuratively at the level of the NSA, yes, they identify. So, have you ever collaborated with your company Group-IB with law enforcement agencies of the Russian Federation or the CIS, have you ever figured out who is involved in these encryptions?

To be continued...