Cyber security experts like to joke that the hackers who have turned ransomware attacks into a multibillion-dollar industry are often more professional than even their biggest victims.
Ransomware attacks – in which attackers lock down their target’s computer systems or data until a ransom is paid – returned to the spotlight this week after attacks hit Colonial Pipeline, one of the largest pipelines in the United States, Toshiba’s European business and the Irish health service.
As governments pledged to tackle the problem, experts said criminal gangs have become more enterprising and continue to gain the upper hand. For businesses, they said, there is more pain to come.
“This is probably the biggest conundrum when it comes to security, as companies have to decide how much they participate in this cat-and-mouse game,” said Myrna Soto, chief strategy and trust officer at Forcepoint. “It’s a battle, it’s war, to be honest.”
Last year, the number of ransomware attacks increased by more than 60% to 305 million, according to SonicWall data, as hackers took advantage of the shift to working from home and the vulnerabilities that opened up as a result. Just over a quarter of victims pay to unlock their systems, according to cybersecurity researchers at CrowdStrike.
About two dozen gangs dominate the market, and business has been strong. They collected at least $18 billion in ransoms in 2020, according to cybersecurity group Emsisoft, with an average payout of around $150,000. Once indiscriminate in their attacks, many now engage in “big game hunting” – pursuing larger, more valuable targets in order to demand huge payments.
Less tech-savvy criminals have also entered the market, following the emergence of ransomware-as-a-service, or RaaS, in which groups rent out their malware on the dark web to “affiliates” and take a share of the affiliates’ income.
“The barriers to entry are now very low,” said Rick Holland, chief information security officer at cybersecurity group Digital Shadows.
The alleged perpetrators of the Colonial Pipeline attack, a Russia-based gang called DarkSide, ran such an affiliate programme, according to cybersecurity group FireEye, which means that another group may also have taken part in the Colonial attack.
“There is now a division of labor and criminals are cooperating transnationally,” said Joshua Motta, co-founder and CEO of the cyberinsurance group Coalition.
Follow the money
Cyber experts and governments continue to debate the most effective way to defeat cyber cartels. One of the thorniest questions is whether governments should ban victims from paying ransoms altogether.
“This is something governments need to seriously consider,” said Brett Callow, analyst at Emsisoft. “Make ransomware attacks unprofitable and the attacks would stop.”
But opponents warn that a ban would do little to deter hackers, given the low cost and low risk of launching attacks, and could push gangs towards more vulnerable targets, such as hospitals.
The FBI advises against paying ransoms, but in Colonial’s case the White House acknowledged the difficult position companies find themselves in.
Last month, a public-private task force made up of major tech groups, including Microsoft and Amazon, as well as US officials, recommended requiring companies to consider alternatives before paying a ransom, and to report to a government agency if they do pay.
Many victims are reluctant to disclose whether they have been attacked or have paid, for fear of reputational damage or legal and regulatory backlash. But Jen Ellis, vice president of community and public affairs at cyber group Rapid7 and a board member, said: “It can be done in private; there are ways to do it so that you destigmatise it. But reporting it gives us a greater ability to investigate payments [and] to follow them.”
This ties in with another demand the task force and others have made: greater government oversight of cryptocurrency exchanges, which they say should be subject to the same ‘know your customer’ and anti-money-laundering laws as traditional financial services.
How investigators can find clues
Meanwhile, the U.S. government has stepped up efforts to track down and prosecute ransomware gangs themselves, with the Justice Department launching its own dedicated ransomware unit last month. Among its goals, according to a note from Acting Assistant Attorney General John Carlin, seen by the Financial Times, is to take action to “disrupt and dismantle the criminal ecosystem.”
According to Tom Kellermann, head of cybersecurity strategy at VMware and a member of the US Secret Service’s Cyber Investigations Advisory Board, this typically involves taking down the servers and other hosting services that the cyber cartels rely on.
Kellermann suggested that internet service providers may have a role to play in taking down dark web forums associated with particular gangs. “Why don’t they destroy it, remove it completely from the internet?”
Often it is carelessness on the part of criminal affiliates that leaves the clues investigators need to take such action, according to Allan Liska of Recorded Future’s computer security incident response team, because they “aren’t as good at covering their tracks” as the core ransomware operators.
Already, there are indications that targeting hacker infrastructure helped avert an even worse outcome in the Colonial shutdown. On Saturday, a group of tech and cyber companies, along with US agencies including the FBI, thwarted the attackers by shutting down the US-based servers the hackers had used to stage stolen data before sending it to Russia, according to two people familiar with the situation. The disruption was first reported by Bloomberg.
Few attempts have been made to prosecute the gangs, many of which operate with impunity from Russia, which is unlikely to extradite them. Last month, the US Treasury even accused one of Russia’s intelligence services, the FSB, of “cultivating and co-opting” the Evil Corp ransomware group.
In return, criminals generally avoid targeting organisations in Russia and may be called upon to share their access to a victim’s systems. “We joke that the safest way to protect yourself from ransomware is to switch all of your keyboards to the Russian Cyrillic layout,” Liska said. The joke has a technical basis: many ransomware strains check the system’s language settings or installed keyboard layouts and exit without encrypting anything if they find a Russian or other CIS layout.
Use of sanctions
Dmitri Alperovitch, co-founder of the security group CrowdStrike, who now heads the Silverado Policy Accelerator think-tank, said on Twitter: “We don’t have a ransomware problem. We have a problem with Russia. That’s it.”
The public-private ransomware task force has recommended more international coordination and “pressure” on nations that refuse to collaborate – for example, through sanctions or by denying aid or visas.
So far, the United States has chosen to impose sanctions on certain groups, such as Evil Corp, as a deterrent to would-be ransom payers. In October, the US Treasury warned any organisation that might facilitate a ransom payment – cybersecurity firms, negotiators and insurers – not to violate those sanctions, and issued a similar warning to financial bodies such as crypto exchanges.
Not everyone heeded these warnings. According to Chainalysis, which analyses blockchain transactions, around 15% of the ransom payments it tracked in 2020 – nearly $60 million in total – may have violated sanctions, as they appeared to have been sent to blacklisted groups or to those affiliated with such groups.
With few prosecution options, an expert familiar with the government’s approach said he expected the authorities to bide their time before aggressively pursuing the perpetrators of the Colonial hack. “These are 10 or 15 young boys or girls who party a lot and want a lot of money. You don’t chase them in Russia, you chase them when they go on vacation to Greece.”
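The kind of check the Chainalysis figure implies – is a payment destination itself on a sanctions list, or does the money flow onward to a listed address within a few hops? – can be sketched in a few dozen lines. The Python below is an added illustration, not Chainalysis’s method or any real screening tool; every address, transfer and sanctions entry in it is constructed for the example, and the hop-count threshold is an assumed parameter.

```python
"""Screen ransom-payment destinations against a sanctions list and trace onward flows.

Added example with constructed data: the addresses and transfers below are
made up and do not correspond to any real wallet, transaction or designation.
"""
from collections import defaultdict, deque

# Constructed stand-ins for addresses on a sanctions list.
SANCTIONED_ADDRESSES = {"sdn_addr_1", "sdn_addr_2"}

# Constructed on-chain transfers: (sender, receiver, amount in BTC).
TRANSFERS = [
    ("victim_a", "ransom_wallet_1", 10.0),
    ("victim_b", "ransom_wallet_2", 5.0),
    ("victim_c", "sdn_addr_1", 4.0),
    ("ransom_wallet_1", "mixer_1", 10.0),
    ("mixer_1", "sdn_addr_2", 6.0),
    ("mixer_1", "exchange_deposit_9", 4.0),
    ("ransom_wallet_2", "exchange_deposit_7", 5.0),
    ("exchange_deposit_7", "ransom_wallet_2", 0.1),  # a cycle; the search must not loop on it
]

# Constructed ransom payments to screen: (victim, destination, amount in BTC).
RANSOM_PAYMENTS = [
    ("victim_a", "ransom_wallet_1", 10.0),
    ("victim_b", "ransom_wallet_2", 5.0),
    ("victim_c", "sdn_addr_1", 4.0),
]


def build_graph(transfers):
    """Directed graph of fund flows: sender -> set of receivers."""
    graph = defaultdict(set)
    for sender, receiver, _amount in transfers:
        graph[sender].add(receiver)
    return graph


def hops_to_sanctioned(address, graph, sanctioned, max_hops):
    """Breadth-first search forward along fund flows from `address`.

    Returns 0 if `address` is itself listed, the number of hops to the nearest
    listed address if one is reachable within `max_hops`, and None otherwise.
    The visited set stops cycles (e.g. exchange -> wallet -> exchange) from looping.
    """
    if address in sanctioned:
        return 0
    visited = {address}
    queue = deque([(address, 0)])
    while queue:
        current, depth = queue.popleft()
        if depth >= max_hops:
            continue
        for nxt in graph.get(current, ()):
            if nxt in visited:
                continue
            if nxt in sanctioned:
                return depth + 1
            visited.add(nxt)
            queue.append((nxt, depth + 1))
    return None


def screen_payments(payments, transfers, sanctioned, max_hops=3):
    """Classify each payment as 'sanctioned' (direct), 'affiliated' (reaches a
    listed address within max_hops) or 'clear'. max_hops is an assumed parameter."""
    graph = build_graph(transfers)
    results = []
    for victim, destination, amount in payments:
        hops = hops_to_sanctioned(destination, graph, sanctioned, max_hops)
        if hops == 0:
            verdict = "sanctioned"
        elif hops is not None:
            verdict = "affiliated"
        else:
            verdict = "clear"
        results.append({"victim": victim, "destination": destination,
                        "amount": amount, "hops": hops, "verdict": verdict})
    return results


def exposure_share(results):
    """Share of total payment value that went to listed addresses or their affiliates."""
    total = sum(r["amount"] for r in results)
    flagged = sum(r["amount"] for r in results if r["verdict"] != "clear")
    return flagged / total if total else 0.0


if __name__ == "__main__":
    screened = screen_payments(RANSOM_PAYMENTS, TRANSFERS, SANCTIONED_ADDRESSES)
    for r in screened:
        print(f"{r['victim']} -> {r['destination']}: {r['verdict']} (hops={r['hops']})")
    print(f"exposure share: {exposure_share(screened):.1%}")
```

On the constructed data, the payment to `sdn_addr_1` is a direct hit, the payment to `ransom_wallet_1` is flagged as affiliated because the funds reach `sdn_addr_2` two hops downstream through the mixer, and the payment to `ransom_wallet_2` is clear. Two caveats a practitioner would add: connectivity through a mixer is not proof of common ownership, so real analyses rely on address-clustering heuristics rather than raw reachability; and the hop limit trades false positives against missed flows, so it should be tuned, not hard-coded.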