What does the ransomware incidents at GWK Travelex and Gedia Automotive tell us about the evolution of ransomware trends, and the players behind the attacks?  Viewed from their individual incident cases it may appear that the only characteristics the businesses share was that they were both vulnerable and both hit by the same group.  But what if we’re wrong about that?  What if these two dissembler businesses share a third characteristic?  What if both of these businesses were attacked because they are infringing on the black markets of organized crime barons, who like the Las Vegas Casino organized crime barons before them, are now using their “muscle” against legitimate business operations who compete against them?  The lucrative black markets of money laundering and grey and black market automotive parts. What if the motivation for using ransomware attacks expanded beyond the return of a potential ransom paid?  Has the use of ransomware evolved into an asymmetric threat?  Is ransomware being used in a destructive capacity to disrupt the supply chain and business competitors of organized crime entities?

On 31 December 2019, the well known money service bureau, GWK Travelex, was critically struck by a ransomware attack. This had the effect of leaving Lloyds, Barclays, MSBC and the Royal Bank of Scotland and others, unable to process currency exchange services.

At first glance, the attack may have seemed like every other typical ransomware attack.  The 4.6 million UK Pounds (USD $6 million) may have seemed well within the 1% margin expected of acceptable losses for a 700 Euro million annual revenue company, resulting in the leadership of GWK Travelex potentially paying the ransom to restore it’s operation.  GWK Travelex even stated that they took down their systems as a precautionary measure once the ransomware was detected on their network, giving the appearance they had the incident under control.

We all expected GWK to be back up and operating fully within short order. But 44 days after the initial attack, GWK is only partially back online.  Only as of the Valentine’s week, was service to the cashier systems at the hundreds of retail shop locations finally brought back online. Cashiers could finally stop manually writing out the receipts and keeping paper ledgers of transactions, as they had been forced to do so during the previous month.  But many other critical internal business systems remain offline or are unusable. And while direct and indirect costs of damages remain unclear, it’s easy to speculate that they will range somewhere between $20 to $80 million.

Ransomware attackers are known to mull over their own actuary tables for their victims, so they can accurately predict where the optimal ransom amount a company will pay in order to restore access to their systems and data.

Internationally, millions of people rely on GWK Travelex for services ranging from currency exchange to foreign workers and expats wiring pay checks back home.  And behind the scenes of the big bank names, GWK Travelex is the predominate outsourced vendor for these services.  The consequences of GWK Travelex’s operations being damaged extend well beyond the corporate and retail locations of GWK Travelex, as it impacts all of these major financial institutions too.  Long lines resulted at their retail locations in popular travel points across the Netherlands.  Schiphol Airport, The Hague Central Station, Amsterdam Central Station, and more.  The reaction of many was to seek out alternative competing businesses who could perform the same services that GWK Travelex now, at least temporarily, could not.

A few weeks after GWK Travelex was hit, another company, Gedia Automotive, was hit by the same ransomware group.  Although the exact figure of ransom was not officially disclosed, it was strongly rumored that it was similar to GWK Travelex’s.  As a 600-million-year company, Gedia has leveraged Internet ordering and Just-in-time (JIT) Supply chain to optimize its business operations, and increase its profitable revenue stream.  Like GWK Travelex, its internal digital operations were completely shut down, paralyzing the company.

The assumption is made by many, almost out of common sense, is the only commonality these two businesses had, were that they were both vulnerable to attack vectors of the ransomware group, and both became victims.  But is that assumption correct?

What if, there was another commonality?  A commonality that they are both – a Money Service Bureau and an Automotive Parts manufacturer are actually competing against a single business?  What if that single competing business operating in both domains, decided to defend  or increase their market share.

Scotland Yard’s head of specialist crime has already indicated that Drug Barons have moved from laundering cash through banks using smaller money service businesses. DCS Michael Gallagher told the Guardian that the network of 34,000 money service businesses were suspected of being the main way for those involved in serious and organized crime to move money around.  MSBs can include bureau de change, money transfer brokers and payday loan services.  And it is now recognized by UK police and media that MSBs are the method of choice for money laundering and getting currency back into the supply chain by organized crime.

This in part due to the reality that banks have been subjected increasing regulations around Know Your Customer (KYC) and increased transaction scrutiny.  Serious organized criminals have transformed their business methods to beat the clampdown and at least hundreds of millions of pounds is flowing through MSBs in the UK alone, which is far less strictly regulated, particularly independently operated MSBs.  And unlike GWK Travelex, many of these independent MSBs are setup with the secondary benefit of laundering money, no questions asked, no records kept.  Further, many of these MSB’s offer currency exchange at rates far more attractive than what GWK Travelex offers with lower or no processing cost.  A quick look at money exchanging discussion boards aimed at tourists reflect this in the case of Amsterdam.  But GWK Travelex has two aspects that still attract customers – retail location and brand reputation as a legitimate legal money service bureau. So how do other exchanges increase their competitive  share against Travelex and increase their brand reputation and trust despite having less optimal locations and limited dollars for traditional marketing? Attack the dominant player’s – GWK Travelex – internal operations and disrupt their ability to conduct business, which in turn serves to drive traffic and volume to other exchanges.

It’s the same strategy used by Las Vegas Casino owning crime-lords from decades ago.  As more and more legitimate businesses operating casinos came to Las Vegas, the crime-lords would send its “muscle” to those legitimately operated casinos to rough up the operators and/or casinos themselves.  They were defending their black market which their less than legitimate Casinos served as cover for.

In the case of GWK Travelex, it’s very possible we’re seeing a very old strategy, but executed through the internet using the latest ransomware technology. By driving business away from GWK Travelex, the ability for Organized Crime to launder even larger amounts of money, goes up as overall transaction volume is greatly increased.

And what proves effective against one market domain of organized crime, potentially was just tested against another domain – the grey and black market demand for stolen (labeled as “refurbished”) car parts.  With ransomware attacks against Gedia Automotive supply, the impacts are not much different than as if a virtual Brexit border controls were instantly enacted around Gedia itself, delaying and stopping the processing of JIT delivery to the customers who’ve come to expect reliable timely service.  Perhaps even, this was done to offload a surplus supply that organized crime could not find demand for, so it created the demand.

It’s a possible reality that the ransomware group that has conducted these attacks, is sufficiently compartmentalized away from the organized Crime leaders and operations themselves.  It’s likely the ransomware actors were sold a list of vulnerable systems already pre-selected and prioritized for them.  They may have even been groomed to some extent by organized crime elements themselves, either partially or completely unaware of the grander scheme they were to become stooges for.

This works out to provide an extremely low bar investment for organized crime elements themselves, with high potential of return. And even in the eventuality that the ransomware gang is caught by law enforcement authorities, there is near zero risk of exposure to organized crime themselves.  The ransomware actors were unaware they were actually being directed. They just “bought a list of vulnerable servers” and were on their own to collect the ransom.  Organized Crime would stand to gain perhaps tens of millions more without even taking into account the actual ransom value, if paid. And this provides an extra benefit of a smaller crime covering and distracting from the real much larger crime that is actually occurring.  If the attacks are carried out directly by organized crime, the ransomware serves as an insurance policy or long-short strategy against the target company.  If the ransom is not paid, the disruption helps the competing organized crime operations. If it is paid, the entity receives the digital currency value of the ransom.

It is worth entertaining this threat scenario as it would indicate a new paradigm shift of ransomware threats, a shift towards an asymmetric threat. One where the motivations are not actually the ransomware bounty paid by the victim, but rather the much larger motivation of being able to gain the victim’s partial or complete market demand, which organized crime has ample supply and a need to match that with Just in Time scalable demand.  In this eventuality, every legitimate and legal business which operates in a domain for which a competitive black market supply exists, the threat level of those legitimate businesses may have just radically increased and ransomware might be used as a legitimate way to disrupt business operations under the guise of the ransomware tactic.