US response to ransomware could mark a watershed in fight against cybercriminals
By Amit Roy Choudhury
Disappearance of hacker group REvil and the availability of decryption key without money changing hands may point to an escalation in the fight against ransomware.
With remote access becoming the norm, the value of an organisation’s network has gone up exponentially. The number one imperative today is to ensure that networks are up and running all the time as downtime can result in loss of money, customers, and reputation.
Cybercriminals have increased both the number and sophistication of ransomware infiltration attempts. According to data from Fortinet, ransomware attacks have grown in magnitude by 35 times in 2020.
A study by cybersecurity company Cybereason, shows that 80 per cent of organisations that paid a ransom experienced a second attack. Out of these companies, nearly half believe the follow-up attack was done by the same cybercriminals, while 34 per cent thought the second attack was perpetrated by a different set of threat actors.
Most ransomware attacks do not garner the publicity they deserve because the victims prefer to quietly pay up to get their data and networks released. It is only the high-profile cases that garner publicity.
Two such cases may have forced the US to change its strategy in dealing with cyberattacks.
In May this year, a hacking group that the US says operates from Russian soil attacked the US Colonial Pipeline system, the country’s largest, that serves the south-eastern part of the US. The attack resulted in the pipeline company halting its services, causing hardships for thousands of customers. The pipeline operator confirmed that it paid a US$4.4 million ransom to the criminal gang responsible for the intrusion in order to get operations back on track.
More recently on July 2, another Russian hacker group known as REvil (short for Ransomware Evil and also known as Sodinokibi in the Russian language) pulled off what could have been the world’s biggest ransomware attack that affected more than one million computers.
Its malware infiltrated the servers of a managed service provider (MSP) based in the US and from there into the computers of thousands of companies served by the MSP. After encrypting the data, REvil demanded US$70 million to release a global decryption key.
This is where things have become interesting.
On July 13, the REvil group disappeared from the Dark Web. Their main site as well as several related sites, including those they use to collect Bitcoins as ransom payments, went offline. The group went completely dark with no more demands or instructions on how to pay.
Then on July 22, Kaseya, whose servers were infiltrated by the hacker group, announced that it had obtained the decryption key from a “third party” and was working with customers to restore their computers and networks. On July 26, Kaseya added in a blog post: “The decryption tool has proven 100 per cent effective at decrypting files that were fully encrypted in the attack.” The company declined to identify the third party from whom they obtained the key.
We may never really know exactly what happened but, certainly, the REvil group did not get paid for the key.
Circumstantial evidence does point towards a few clues. Just days before the attack on Kaseya and well after REvil attacked one of America’s largest meat producers, JBS, US President Joe Biden told his Russian counterpart, President Vladimir Putin, that there would be consequences if Russia did not shut down ransomware hackers operating from its soil.
Did the Russians pull the plug on the REvil group under US pressure or did the US take unilateral punitive action?
It has been long speculated that the US Military’s Cyber Command has the expertise and tools to strike back at groups like REvil. Typically, cyberattack investigations in the US have been handled by the Federal Bureau of Investigations (FBI). Progress in most cases has been painfully slow and after millions of dollars spent over several months’ worth of investigations, very few convictions have happened. In those cases where the perpetrators have been identified, at most international travel bans have been imposed. In this scenario, the quick turnaround and resolution of the REvil hack is a new phenomenon.
US Department of Justice
Significantly, the US Department of Justice recently announced that it would elevate investigations of ransomware attacks to a similar priority level as terrorism investigations.
A Reuters report says this means that information about ransomware investigations in the field would be centrally coordinated with a recently created task force in Washington.
The news agency quoted John Carlin, principal associate deputy attorney general at the Justice Department as saying: “It's a specialised process to ensure we track all ransomware cases regardless of where it may be referred in this country, so you can make the connections between actors and work your way up to disrupt the whole chain.”
The Department of Justice guidance specifically refers to the Colonial Pipeline attack as an example of the “growing threat that ransomware and digital extortion pose to the nation”.
The guidance as seen by Reuters adds: “To ensure we can make necessary connections across national and global cases and investigations, and to allow us to develop a comprehensive picture of the national and economic security threats we face, we must enhance and centralise our internal tracking.”
Recent attacks on critical infrastructure and supply chains have shown just how problematic and serious the issue is. On top of that, hackers are mirroring the decentralised way in which the software industry operates, making it harder to identify the culprits.
Take the case of the REvil group. According to Charles Carmakal, SVP and CTO of Mandiant, a part of cybersecurity company FireEye, REvil operates as a ransomware-as-a-service (RaaS) and has been marketed in Russian-language underground forums since May 2019.
In the RaaS business model, a central group develops ransomware, communicates with victims, and runs back-end infrastructure, while partners, or affiliates, carry out intrusions and deploy the ransomware.
Carmakal notes that the RaaS is operated by the actor “UNKN” (aka “Unknown”) who neither accepts English-speaking partners nor allows partners to target Commonwealth of Independent States (CIS) countries, including Ukraine.
While the known affiliates are Russian speaking, probably, some of the operators may not physically reside in Russia, Carmakal adds. Following the Colonial Pipeline incident, UNKN made an effort to restrict targeting of REvil affiliates, insisting on vetting targets before ransomware deployment.
In order to apprehend and more importantly instil a sense of fear of consequences in cybercriminals, there needs to be a coordinated effort from different branches of the government. It cannot just be the job of law enforcement officials.
The US decision to centrally coordinate investigations with elements of international cooperation and diplomacy, combining with criminal investigation, marks an important turning point in the fight against cybercriminals. With the US National Security Council getting involved, it seems quite a coincidence that the REvil group has disappeared while the decryption key mysteriously appeared via a “third party” without any apparent payment of ransom.
One hopes this quick resolution of the threat sets the template for future action against cyberattacks, not just by the US but other countries as well, with like-minded countries working together.
Amit Roy Choudhury, a media consultant, and senior journalist writes about technology for GovInsider.