‘It’s a fight, it’s a war’: experts want to defeat ransomware attackers
Cybersecurity experts like to joke that the hackers who have turned ransomware attacks into a multimillion-dollar industry are often more professional than their biggest victims.
Ransomware attacks, in which cyber attackers lock their targets’ computer systems or data until a ransom is paid, are back in the headlines this week after attackers hit one of the largest oil pipelines in the U.S., Toshiba’s European business and the Irish Health Service.
While governments have pledged to tackle the problem, experts said the criminal gangs are increasingly entrepreneurial and continue to have the upper hand. For companies, they said, there is more pain to come.
“This is probably the biggest safety issue, as companies have to decide how far they can go in this game of cat and mouse,” said Myrna Soto, head of strategy and trust at Forcepoint. “It’s a fight, it’s a war, actually.”
Last year, the number of ransomware attacks rose more than 60 percent to 305m, according to SonicWall data, as hackers took advantage of the weaknesses opened up by the shift to working from home. More than a quarter of victims pay to unlock their systems, according to cybersecurity researchers at CrowdStrike.
Two dozen gangs dominate the market, and business has been brisk. They took in at least $18 billion in ransom payments in 2020, according to the cybersecurity group Emsisoft, with the average payment about $150,000. Once indiscriminate in their attacks, they are now engaged in “big-game hunting”, pursuing the largest targets and demanding the highest payments.
Less technically skilled criminals have also joined in since the emergence of ransomware-as-a-service, or RaaS, in which groups rent out their malware on the dark web to “affiliates” and take a cut of the profits.
“There are very small barriers to entry now,” said Rick Holland, head of information security for the Digital Shadows cybersecurity team.
The alleged perpetrators of the Colonial Pipeline hack, a Russian gang called DarkSide, ran such an affiliate programme, according to the cybersecurity group FireEye, meaning that another group may also have been involved in the Colonial attack.
“Now there is a division of labor and criminals are cooperating across the nation,” said Joshua Motta, co-founder and chief executive of Coalition, a cyber insurance group.
Follow the money
Cyber experts and governments continue to debate the most effective way to beat the cyber cartels. One of the thorniest questions is whether governments should ban victims from paying ransoms outright.
“This is something that governments need to take seriously,” said Brett Callow, an analyst at Emsisoft. “Ransomware attacks would not be profitable and the attacks would stop.”
But opponents have warned that a ban would do little to deter hackers, given the low cost and low risk of attacks, and could push gangs towards weaker targets, such as hospitals.
The FBI recommends not paying the ransom, but in the case of Colonial, the White House acknowledged the difficult position companies are in.
Last month, a public-private group including large technology groups such as Microsoft and Amazon, along with U.S. officials, recommended that companies be required to consider alternatives before paying a ransom, and then to notify a government body if they do pay.
Many victims do not report that they have been attacked or have paid, for fear of reputational harm or legal and regulatory repercussions. But Jen Ellis, vice president of community and public affairs at the cyber group Rapid7 and a board member, said: “It can be done privately, there are ways to destigmatize it. But reporting it gives us a greater ability to investigate payments [and] follow them.”
This ties in with another measure the group and others have called for: greater government oversight of cryptocurrency exchanges, which they believe should comply with the same “know your customer” and anti-money laundering rules as traditional financial services.
How researchers can find clues
Meanwhile, the U.S. government has stepped up efforts to hunt down and prosecute ransomware gangs, with the Department of Justice last month launching its ransomware unit. Among its goals, according to a note from Acting Deputy Attorney General John Carlin seen by the Financial Times, is taking steps to “break and dismantle the criminal ecosystem”.
This could mean taking down the servers and other hosting services that typically facilitate the cyber cartels’ business, said Tom Kellermann, head of cybersecurity strategy at VMware and a member of the U.S. Secret Service’s cyber investigations advisory board.
Kellermann suggested that internet service providers could play a role in taking down dark web forums associated with certain gangs. “Why don’t they sink them, completely remove them from the internet?”
Often it is the affiliates who leave the clues that allow investigators to take such action, according to Allan Liska of Recorded Future’s computer security incident response team, “because they are not as good at covering their tracks” as the ransomware operators.
Already, there is evidence that targeting the hackers’ infrastructure in the Colonial case helped stop the damage from spreading further. On Saturday, a group of technology and cyber companies, together with agencies including the FBI, cut off the attackers’ access to the data they had stored by shutting down U.S.-based servers before it could be sent to Russia, according to two people familiar with the situation. Bloomberg first reported the takedown.
There have been few attempts to prosecute the gangs, many of which operate with impunity from Russia and are unlikely to be extradited. Last month, the U.S. Treasury also said that one of Russia’s intelligence services, the FSB, “cultivates and co-opts” the Evil Corp ransomware group.
In return, criminals typically avoid targeting Russian institutions and may be asked to share access to victims’ systems. “I joke that the safest way to protect yourself from ransomware is to switch all your keyboards to a Russian Cyrillic layout,” Liska said.
Using sanctions
Dmitri Alperovitch, founder of the security group CrowdStrike, who now leads the Silverado Policy Accelerator think-tank, said on Twitter: “We don’t have a ransomware problem. We have a Russian problem. That’s it.”
The public-private ransomware working group recommended “increasing pressure” on nations that refuse to cooperate, for example through sanctions or by withholding aid or visas.
So far, the U.S. has chosen to impose sanctions on certain groups, such as Evil Corp, making ransom payments to them potentially illegal. In October, the U.S. Treasury warned that any party helping to facilitate a ransom payment, including cybersecurity firms, negotiators and insurers, must not violate the sanctions, and issued a similar warning to financial institutions such as crypto exchanges.
Not everyone has heeded these warnings. According to data from Chainalysis, which analyses blockchain transactions, about 15% of ransom payments in 2020, or about $60 million, could have involved sanctions violations, because they appear to have been sent to blacklisted groups or their affiliates.
With few options for prosecution, an expert familiar with the government’s thinking said the authorities hoped to bide their time before going after the perpetrators of the Colonial hack. “There are 10 or 15 young boys or girls who party a lot and want a lot of money. You’re not after them in Russia, you’re after them when they go to Greece on holiday.”