Tales from the Crypt(er): The Market and Dynamics That Inform Attribution

Bavi Sadayappan

Cyber criminals need their malware to go undetected; crypters are the answer.

Despite the continual evolution of security technologies, cyber criminals continue to rely on well-understood tools and malware to support their operations, whether it is Cobalt Strike Beacon, Redline Stealer, or Mimikatz. Crypters are one of the most common tools in the arsenal of cyber criminals seeking to evade detection when deploying otherwise well-known and easily detected malware. For more than two decades there has been a thriving segment of the underground economy dedicated to meeting this need. Crypting tools and services, sometimes advertised for only tens of dollars, are used by some of the most high-impact malware distributors and intrusion operators, and understanding this ecosystem has always been critical to understanding and tracking cybercrime.

In this talk, I’ll delve into our research into this threat landscape, including the business models, costs, and popular crypter offerings, while sharing our insights into who uses them and for what. Understanding these dynamics and tracking crypters from a technical perspective can enable security researchers to make better analytical assessments. To illustrate this, I’ll walk through examples of scenarios where tracking the crypters played a key role in our ability to understand and attribute threat activity.