How often do we get a chance to learn what goes on in the minds of cybercriminals? Two members of McAfee’s Advanced Threat Research team recently did, as they attended a court case against two cybercriminal brothers.
The brothers, Dennis and Melvin, faced a judge in Rotterdam, in the Netherlands. This case was one of the first in the world in which ransomware developers appeared in court and were convicted for creating and spreading ransomware.
They were responsible for creating the ransomware families CoinVault and BitCryptor. CoinVault, the better known of the two, made its appearance in late 2014. The technically skilled programmers had examined the source code of CryptoLocker, the notorious ransomware family that first struck in 2013. The brothers were not very impressed and agreed that they could do a better job. What might have started out as a fun technical challenge turned into a criminal business.
The CoinVault and BitCryptor campaigns were not as widespread as CTB-Locker, CryptoWall, or Locky ransomware campaigns. Nor did they profit as much from it, but this case is nevertheless uncommon. It is rare that the developers of ransomware are caught, let alone confess their crimes. This case gives us an opportunity to understand what drove them down a path to cybercrime.
Why would someone write malicious code and infect thousands of people? The judge asked the brothers the same question. Their response was “Because it was a technical challenge.” “But didn’t you realize you were dealing with people?” the judge responded. Both brothers answered that they did not; they were dealing with computers and never met their victims face to face.
The judge and prosecutor did not accept their explanation. CoinVault had a built-in helpdesk function to directly communicate with their victims, thus registering their pleas. The brothers’ standard reaction was merciless: “Just pay the money; otherwise we won’t decrypt.” According to the prosecutor, they had plenty of opportunities to see the consequences of their actions but chose to ignore them for money.
At the trial they said they were sorry and tearfully regretted what they had done. But were these mere crocodile tears because they got caught? During CoinVault’s lifespan, several versions of the ransomware were released. Every new version was a reaction to blogs written by security researchers and takedowns performed by law enforcement. Instead of realizing that they were making a mistake and stopping, the brothers saw it as a challenge, a digital game of cat and mouse, and constantly improved their malicious code.
Their continuing to improve the ransomware shows a lack of empathy with their victims. Was there no one in their social surroundings who could straighten their moral compasses and talk sense into them?
A ransomware criminal must decide the amount of ransom to charge. Generally the more targeted a ransomware attack is, the higher the ransom demand will be. CoinVault’s infections were not targeted at one organization; they charged only US$250. The two brothers explained that they chose that price to be low enough for an average person to pay while still making a good profit. The prosecutor remarked ironically that they were “very noble [to keep] their ransom demand affordable.”
The two brothers did not directly infect their victims with ransomware; they took a multistep approach. Their distribution method was via newsgroup channels. They hooked a small piece of malicious code to known software or license-key generators before posting the software packages on the newsgroups. Once victims installed the package or ran the key generator, they would become part of a botnet through the software the brothers named Comhost, which can record keystrokes, search for credentials, and steal Bitcoin wallets. Comhost can also upload and execute binaries received from the control server they named Sonar. (We believe Sonar is a modified version of the popular Solar botnet software.)
The Sonar botnet panel.
Once they had accumulated enough bots, they simply pushed CoinVault to all their victims and locked thousands of computers at once. This method made it hard for victims to figure out how they were attacked, because weeks could pass between the initial infection and the encryption. By spreading their ransomware via newsgroups with pirated software, they discouraged victims from going to the police out of fear of prosecution and copyright-violation fines.
The CoinVault lock screen.
In April 2015, the National High Tech Crime Unit of the Dutch Police seized the control servers for CoinVault. After the police investigated, the two brothers, aged 18 and 22 at the time, were arrested in Amersfoort, Netherlands, on September 14, 2015. Systems were infected not only in the Netherlands, but also in the United States, Germany, France, and the United Kingdom. Their mistakes? Using flawless Dutch in the ransom notes and, on one occasion, logging in to their control server over their home connection instead of through Tor.
Flawless Dutch in the ransomware code.
Although they used an obfuscator tool (Confuser) for their code, in some of the samples the full name of one of the authors was present, because they did not clean up the debugging path.
From grabbing keys to No More Ransom
During the investigation the Dutch police obtained all the decryption keys for CoinVault and partnered with the private sector to build a decryption tool for CoinVault ransomware, successfully mitigating a large portion of the damage caused by CoinVault. This effort gave birth to No More Ransom, an online portal supported by the public and private sector with the largest repository on the planet of free ransomware decryption tools. No More Ransom now has decryptors for 85 ransomware versions. This global initiative has prevented millions of dollars from falling into the hands of cybercriminals. McAfee is proud to be one of the founding members of No More Ransom.
The next steps
Extorting people with ransomware is wrong, and perpetrators must be held accountable. It is sad to see two talented young people choose a pathway to cybercrime and waste their skills—skills sorely needed in the cybersecurity sector. We hope they will have learned a lesson as they endure the consequences of their actions. The sentencing will take place in about two weeks. Perhaps after they serve their time, they will find someone willing to give them a second chance.
The post What Drives a Ransomware Criminal? CoinVault Developers Convicted in Dutch Court appeared first on McAfee Blogs.
Proposals are one of the most expensive things you will spend your time on in a small business (or a large business, for that matter). You not only spend tons of time discovering and understanding what the client needs, but you also spend countless hours (often late at night) putting the proposal together, polishing it, tweaking the numbers and creating a whiz-bang presentation to accompany the proposal.
All of that for free, and often for nothing.
I’m very much against charging by the hour, but in this case calculating your effective hourly rate is a good exercise:
Let’s say that you recently landed a project and you’re going to make $10,000 from it. You’re going to spend 50 hours delivering the project so you’re earning $200 per hour (this is your billable rate). Easy calculation. But when you figure in the time that you spent on putting the proposal together – let’s say another 20 hours – you’re only generating around $142 per hour, or a 25% drop in your effective hourly rate. Add in the other non-billable time you spent with the client and you’re easily pushing your effective hourly rate – for that project – down below 50% of your billable rate.
Pushing your effective hourly rate down is of course not the only bad thing that happens.
It breaks my heart
You put your heart and soul into understanding what the client really needs, give them the benefit of your experience to make sure they don’t fall into traps and put a lot of thought and effort into how you can help them solve their business problem. You’re invested – both in time and in emotional energy.
So when they turn you down, there’s a double whammy. You’ve just done a lot of work for nothing and you’ve just had your emotional investment kicked in the face (or that’s how it feels, at least at first). That hurts – especially when you’re new to the game. Over time you learn that opportunities come and go and you get less emotionally invested, but each time a proposal doesn’t hit the mark you take an emotional hit.
But what if there’s a better way? What if you could actually get paid for your proposals? And have your client like it that way?
There is a way to do this, and it starts with understanding the value of the proposal.
Proposals are valuable
By the time a client asks you to put together a proposal, you’ve already been dancing for a while. You’ve had some initial meetings, a couple of discovery sessions and they like what they see.
Now they ask you to do a proposal, and you’re going to have to spend more time with them. You need to make sure you understand exactly what they need, how much you can get done within their budget, what takes priority and where the skeletons are. You’re going to apply your expertise to dig into details, find out what else needs fixing and so on…the point is you’re going to spend more time with them.
Then you head off to your cave, put together the proposal and present it to them. And they say thanks, great work, we’ll get back to you. So far so good.
How much value did your potential client get from this proposal development process? The answer is: a lot.
They’ve just had an expert analyse their problem, dig into the details and tell them what they need to do to solve the problem. They now understand their problem a lot better and know what needs to be done to fix it (even if they don’t have the expertise to do it themselves). And of course you may not be the only one submitting a proposal, so the client has received a lot of valuable advice – from multiple experts.
And you gave it to them for free.
Doctors charge for “proposals”
Think about it this way: when you go to a doctor with a complaint, they will diagnose you, maybe run some tests, make some recommendations and perhaps prescribe some medicine. Then they’re going to ask you to come in for an extended treatment or checkup to see if things have improved. And you’re happy to pay for this initial consultation.
When you develop a proposal for a client, you’re effectively doing what a doctor does in an initial consultation. You’re listening to the “patient”, running some tests to find out if there’s a deeper cause for the problem, and applying your expertise to recommend a way to get rid of the problem.
You’ve provided a lot of value, but you’re willing to give it away for free because that’s the way your industry usually works. Doctors don’t work like this; they charge for the “proposal” phase of their work with you.
The first key in moving from free to paid proposals is to understand that your proposal is tremendously valuable to your client.
But you need to present it to them as something valuable; and you need to deliver that value. The way to do that is to provide a roadmap.
The differences between a proposal and a roadmap
A proposal is usually a document that defines a scope of work, the number of hours required to do it and a price. If you’ve been at this for a while you will know that you need to base the proposal on the client’s ROI (Return On Investment) – what they get in return for their investment in your services.
A roadmap is also a document, but in this case the document clearly spells out what the client will need to do (or get done) first, second and so on. A roadmap sometimes includes a timeline to help the client understand how long the whole process could take. Again, justifying the business case is critical to help the client make the right decision.
A roadmap is the output of one or more roadmap sessions. A roadmap session is like a discovery session, but includes co-development of the roadmap.
If you’re familiar with project planning, you will already have noticed that a roadmap is a high-level project plan.
But there are more differences between a proposal and a roadmap:
A difference in process
When you follow the proposal route of getting work, your engagement with the client looks something like this:
- initial meeting to see if there’s a fit (make sure you can help them);
- a series of meetings to discover what they really need;
- crafting the proposal;
- (if you’re experienced) working with the client on the draft proposal to make sure you’re hitting the mark;
- presenting the final proposal to them; and
- hoping for the best.
When you use the roadmap route, the engagement looks a little different:
- initial meeting to see if there’s a fit (can you help them);
- present the roadmap option (standard for each client); and
- hope for the best.
A difference in what they get
Your client can do only one thing with a proposal: say yes or no (or haggle a bit). A roadmap is something they can use; on their own, with you or with someone else:
- A proposal effectively says “here’s stuff I will do for you”. A smart proposal says “here’s how I will solve your problem and here’s the ROI”.
- A roadmap says “here’s where you need to get to, here’s the road you need to follow and here are the stops along the way. You can use this roadmap on your own, with me or with someone else.”
A difference in the size of the commitment
Saying yes to a proposal is a big step, because it usually requires the client to make a big financial investment. The risk for the client is high and their objections will reflect that.
Saying yes to a roadmap exercise is a much smaller commitment. My roadmap sessions typically run for half a day (usually with a couple of hours before and after) and therefore cost a lot less. Much easier for the client to say yes to this much smaller investment.
A difference in how they perceive your expertise
When you present a roadmap option you are clearly placing yourself in charge of the situation. You know exactly how you’re going to go about building the roadmap, you have a defined process and the confidence to present this as the right option for the client. (This is why the client is hiring you in the first place: you are the expert, you know how this should be done and you know exactly how to go about doing it.)
When you present a proposal, you are to some extent asking the client to approve not just the expenditure, but also to make a judgment on whether this is the right thing to do. You’ve given up some control of your expertise.
A difference in the amount of time involved
The proposal route is a big investment (in time) for you and for your client. It is not uncommon to spend tens or even hundreds of hours on discovery meetings, user requirements analysis and proposal polishing for a large contract. A roadmap approach, on the other hand, is a lot smaller investment for you and for your client. You’ve spent maybe two or three hours with the client and then it’s up to them to decide.
(There are more differences, for example the idea that a roadmap is a collaborative exercise versus a proposal which is something you give to the client, but I think you get the point.)
Roadmaps don’t contain pricing
None of my roadmaps contain pricing. The whole idea is that the client can use the roadmap now, later, on their own, with me or with someone else – so I don’t want them to confuse the roadmap with a proposal. Where appropriate, I will send a proposal for some or all of the work in the roadmap; the proposal can be very short because the heavy lifting has already been done in the roadmap.
So how do you move from (free) proposals to (paid) roadmaps?
To get a client to pay for a roadmap, you have to deliver value. That value comes from three places:
- the roadmap itself: the output of the roadmap session(s) – a tool the client can use;
- the process you will use to create the roadmap: this is where your expertise has to shine; you must know exactly how you’re going to go about creating the roadmap; what happens before, during and after the roadmap session(s); what the output will look like, and how you’re going to get the client to co-develop the roadmap;
- your confidence: you have to be confident that this is the right thing to do, the right way to do it and that it delivers substantial value to your client.
This is not an easy road by any means, but there is a way to build up to it:
- Start by taking proposals you’ve done in the past and turning them into roadmaps. Can you make them look like high-level project plans? Can the work be clearly grouped into relatively small chunks where each chunk builds on the previous one? Is there value from each chunk of work?
- Define your process for creating a roadmap. Before you head into a roadmap session, there’s likely some pre-work that you need to do, for example running an analysis on their website (if that’s part of the problem) or doing an analysis of their business using something like the Tornado Method. Then define what the output would typically look like, and what you need to do during a roadmap session to get there. Then define what happens after the session. Turn it all into a collection of checklists.
- Trial and refine your process. Find a friend or a willing client to be your first roadmap client. Follow your process and make sure you make notes of what’s working and what needs to be improved. Refine your process and repeat the exercise. Each time you do it you will gain more confidence.
Remember that a roadmap is a short, low-cost exercise and therefore relatively easy to sell to potential clients. You have to stress that the exercise delivers a roadmap that they can then use themselves, with you or with someone else; and you will follow up with a proposal if and when they’re ready for it.
A roadmap gives your client clarity on their problem and what they need to do to solve it. They may not have the expertise to do it themselves (that’s where you will eventually earn your keep), but just the process of building the roadmap provides them with peace of mind and builds trust that you can solve the problem for them.
Finally, a roadmap educates your client. They will understand that there is a well-defined process for solving the problem, the sequence in which the work needs to be done and what they get out of each part. An educated client is collaborative, engaged and enthusiastic; your expertise just helps them solve a problem.
What you can do now
It took me about two years to move from free proposals to paid roadmaps. You can get there a lot faster because you can tap into articles like this and a growing awareness amongst professionals that even proposals are highly valuable.
I will be releasing a step-by-step guide on how to move from free proposals to paid roadmaps in the near future. To get notified when this is released, sign up for my newsletter here – you will get access to more articles like this, I promise I won’t spam you and you can unsubscribe at any time.
And if you have questions or comments, please drop me a note!
Special counsel Robert Mueller and his team have received an indictment for 12 Russian intelligence officers for hacking Democrats leading up to the 2016 presidential election. The spies are accused of digitally infiltrating the Democratic National Committee and Hillary Clinton's campaign, along with stealing information of 500,000 US voters, and releasing emails with the express purpose of influencing the election.