Foiling Cybercrime Around the World - An Interview with a Cybercrime Investigator

The threat of ransomware has grown dramatically in recent years. The recent emergence of ransomware as a service (RaaS) has made it possible for those with little technical know-how to purchase pre-made ransomware kits on the Dark Web, which they can easily push out to countless targets. According to our own global telemetry, ransomware incidents spiked nearly 500% last year and show no signs of slowing, with numerous ransomware attacks to critical infrastructure and supply chains having already occurred in 2021. The Internet Crime Complaint Center (IC3) reports that the collective costs of ransomware attacks reached $29.1 million in 2020, up more than 200% from the year prior.

To help organizations and individuals understand how to better protect themselves and become more resilient against cyber threats like ransomware, we spoke with Catalin Cosoi, Senior Director, Investigations and Forensics at Bitdefender. As a ransomware expert and cybersecurity investigator, Catalin is one of the many cybersecurity heroes working behind the scenes at Bitdefender to not only make our solutions and services better, but also stop cybercrime in its tracks. Catalin and his team work closely with law enforcement agencies around the world – including Interpol, Europol and the FBI – to investigate cybercrimes, help victims recover from cyber-attacks, and put cybercriminal gangs behind bars.

What is a cybercrime investigator and what do you do?

Catalin: As a cybercrime investigator, I analyze the computer systems of people or organizations that have been the victim of cyber-attacks, gathering evidence and helping them recover data, repair their systems and prevent such an attack from happening again. Several years ago, our Investigations and Forensics team at Bitdefender began building close relationships with law enforcement agencies, to assist them in their pursuit of cybercriminals. We recognized that the cyber forensic evidence we recover from our clients could aid law enforcement in their efforts to takedown cybercriminal gangs and put their members behind bars.

Today, we often work in tandem with law enforcement. Because we at Bitdefender protect hundreds of millions of customer endpoints around the world and process billions of malicious samples daily, we have a huge pool of data to draw from. We’re able to recognize trends and connect dots that a single law enforcement agency working a specific case may not be aware of. For example, we can often recognize the modus operandi that is indicative of a particular cybercriminal gang, or we might be able to trace a cyber-attack back to a particular IP address, which we then share with law enforcement so they can investigate it further or identify the owner. And, because cybercrime isn’t contained within the borders of any one country, we often end up working with numerous law enforcement agencies in multiple countries over the course of an investigation until the case is closed.

At the same time, we’re helping our clients recover any stolen or encrypted files or data, clean up their systems and better secure their systems from future threats. The intelligence we learn from each investigation gets applied to all our clients, so we’re able to better protect them all against the latest threats, no matter where in the world they’re originating.  

How do you help combat ransomware, and what can people do if they’ve become the victim of a ransomware attack?

Catalin: Ransomware has become incredibly prevalent. Over the past five years, we’ve seen attacks of great magnitude impact important organizations in critical industries. At Bitdefender, we actively monitor the main families of ransomware. Whether it’s ransomware as a service (RaaS) or custom-made ransomware, we monitor and watch for ways we can combat the attack. Cybercriminals are human, so they do make mistakes. Sometimes – albeit rarely – we find mistakes in the implementation of the encryption itself. More often, we find pieces of information that give us clues to where the decryption keys may be stored. Then, we reach out to law enforcement agencies in countries that have open cases related to that particular family of ransomware. We provide them the information as to where the decryption keys may be stored in that infrastructure. They investigate, and if they’re able to find the decryption keys, they bring them to us. Together, we’re then able to issue decryption tools that we make available for free to everyone.

We believe it’s very important to provide ransomware decryption tools to the public for free. The benefits far outweigh the risks. For that reason, we make all our decryption tools available for free not only on our website, but also on nomoreransom.org, an industry consortium where cybersecurity leaders and law enforcement groups provide free resources and tools so people can get the help they need. If you’ve been the victim of a ransomware attack, I highly recommend you start by searching nomoreransom.org. You can often type in the name of the malware that has infected your systems and find a free decryption tool to help you recover your data.

What can organizations or individuals do to become more cyber resilient in today’s age of ransomware threats?

Catalin: For our clients, cyber resiliency means being able to prevent or survive any type of cyber-attack, whether its ransomware, a data breach, a hacker accessing your network, or anything else. These days, it’s not a matter of if you will be attacked, but a matter of when. So, everyone must be prepared. They must be resilient. In the case of ransomware, that means you should have backups in place so you can bring back your infrastructure after an attack. Make backups of anything important to you, and keep those backups stored on an unconnected, external hard drive. For many people, this means their family photos and important personal documents. Make a new backup copy every month.

Second, use proven security solutions – like those provided by Bitdefender – to protect your devices and network systems. Third, pay attention to what you’re doing. As an individual, be aware of what links you’re clicking on and whether they are trustworthy. When it comes to organizations, most breaches are caused by an employee making a mistake. Cybersecurity awareness and training programs are critical for keeping employees alert to risks and helping ensure they don’t make a mistake that could lead to a major incident. October is cybersecurity awareness month, so I always recommend people revisit these three best practices each October: ensure your backups are occurring properly, reevaluate your security solutions, and refresh your cybersecurity training to ensure you’re on top of your game.

Final question… What do you like best about your job?

Catalin: The thing I like most about my job as a cybersecurity investigator is that I get to help people when they’re in a time of need. When people have seemingly lost a lifetime worth of precious family photos or important documents from their computer due to ransomware, they are desperate to get them back. I’m glad that I can often help them recover those important files without paying the ransom to criminals. We get hundreds of compliments and thanks from people who are so grateful for our help in these situations, and that means a lot to me. But perhaps the greatest compliments are those we get from law enforcement when we’ve helped them finalize a case. When law enforcement agencies across several countries have been working hard on a case for many months and they finally solve it or bring down a cybercrime gang and say to us “we wouldn’t have been able to do it without your help” – that means everything to me.

Learn more about how Bitdefender stays on top of ransomware trends.

This is the third in our series on the Cybersecurity Heroes at Bitdefender. Read the rest of the series here and here.