Ransomware becomes a national security threat
Ransomware attacks have put critical infrastructure at risk
When it comes to ransomware, the trick to sustaining profitability and growing reach lies in asking for a ransom that is not so high as to be a crippling burden for the victim company, and in avoiding high-profile targets that could cause geopolitical ripples or attract heavy scrutiny.
DarkSide made the cardinal mistake of attracting the wrong kind of attention, and in the process rewrote the rules of the game. Earlier this week, the U.S. government said it recovered $2.3 million of the ransom Colonial Pipeline paid to the DarkSide extortionists last month by tracing the bitcoin trail, in a first-of-its-kind operation.
While the U.S. government officially discourages victims from paying ransoms, because doing so fuels a booming criminal marketplace, affected companies have often opted to quietly settle with the attackers, calculating that the payment would be cheaper than restoring data and rebuilding services.
The ease of payment has, in turn, funded and emboldened ransomware groups, turning the scheme into a reliable monetization model and fueling a vicious cycle in which the frequency and severity of attacks have risen alarmingly.
Prominent campaigns in recent months have disrupted operations at institutions and companies deeply embedded in civic and commercial life, including hospitals, transport systems, pipelines, and meat processors. These targeted assaults on critical infrastructure have exposed troubling gaps in cyber protections and risk catastrophic consequences.
Adding fuel to the fire is the lightly regulated architecture of bitcoin payments, whose pseudonymity gives cybercriminals cover to collect ransoms and launder the proceeds.
But the fallout from the recent wave of attacks has spurred unprecedented measures, with the U.S. government characterizing ransomware as an urgent national-security threat. The development could finally be the wake-up call needed not only to build adequate protections but also to put in place a unified approach to the soaring number of attacks.
There is no silver bullet for stemming ransomware at the root, but hardening security practices and cutting off threat actors' access to their proceeds is crucial to depriving criminal enterprises of the incentive to continue. Although payments cannot be stopped outright, cryptocurrency transactions must be aggressively analyzed so that it becomes hard for attackers to cover their tracks and convert ransom payments to fiat currency. Bitcoin's public ledger works in investigators' favor here: every transaction is visible, so funds can be followed hop by hop, and addresses spent together in one transaction can be tied to a single wallet, until the money reaches an exchange that knows its customer.
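As an added illustration of why ransom payments are traceable (this is example code written for this page, not code from the newsletter, the Justice Department, or any chain-analysis vendor), the block below follows a payment forward through a small, entirely constructed transaction graph and applies the common-input-ownership heuristic to tie co-spent addresses to one wallet. The transactions, address names, amounts and the "Exchange X" label are all hypothetical.

```python
"""Following a ransom payment through a bitcoin-style transaction graph.

Added illustration, not code from the newsletter or from any investigation.
Transactions, addresses, amounts and the exchange label below are all
constructed; no real chain data is used.
"""
from collections import defaultdict, deque

# Constructed ledger: (txid, input addresses spent, [(output address, BTC)])
TXS = [
    ("tx1", ["victim_wallet"], [("ransom_addr", 75.0)]),                   # ransom paid
    ("tx2", ["ransom_addr"], [("hop1", 60.0), ("ransom_change", 14.9)]),   # split
    ("tx3", ["hop1", "ransom_change"], [("hop2", 74.8)]),                  # co-spent inputs
    ("tx4", ["hop2"], [("exchange_deposit", 50.0), ("hop3", 24.7)]),       # partial cash-out
    ("tx5", ["unrelated_a"], [("unrelated_b", 1.0)]),                      # noise
]

# Hypothetical attribution: an address a regulated exchange has confirmed as
# a customer deposit address. This is where KYC records and seizure begin.
KNOWN_ENTITIES = {"exchange_deposit": "Exchange X customer deposit (hypothetical)"}


def cluster_addresses(txs):
    """Common-input-ownership heuristic: all addresses spent as inputs of one
    transaction are assumed to belong to the same wallet. Implemented with a
    union-find; returns {address: cluster_root}."""
    parent = {}

    def find(a):
        parent.setdefault(a, a)
        while parent[a] != a:
            parent[a] = parent[parent[a]]      # path halving
            a = parent[a]
        return a

    def union(a, b):
        ra, rb = find(a), find(b)
        if ra != rb:
            parent[max(ra, rb)] = min(ra, rb)  # deterministic root choice

    for _txid, inputs, _outputs in txs:
        find(inputs[0])                        # register single-input spends too
        for addr in inputs[1:]:
            union(inputs[0], addr)
    return {addr: find(addr) for addr in list(parent)}


def trace_funds(txs, start, max_hops=10):
    """Breadth-first forward walk from `start`: every output of every tx that
    spends an already-reached address is reached in turn. Expansion stops at
    a labelled entity (off-ramp) or after max_hops. Returns
    {address: (hops, [txids on the path])}."""
    spends_from = defaultdict(list)
    for txid, inputs, outputs in txs:
        for addr in inputs:
            spends_from[addr].append((txid, outputs))

    reached = {start: (0, [])}
    queue = deque([start])
    while queue:
        addr = queue.popleft()
        hops, path = reached[addr]
        if addr in KNOWN_ENTITIES or hops >= max_hops:
            continue
        for txid, outputs in spends_from[addr]:
            for out_addr, _btc in outputs:
                if out_addr not in reached:
                    reached[out_addr] = (hops + 1, path + [txid])
                    queue.append(out_addr)
    return reached


def off_ramps(reached):
    """Labelled entities the traced funds touched, nearest first."""
    hits = [(hops, addr) for addr, (hops, _path) in reached.items() if addr in KNOWN_ENTITIES]
    return [addr for _hops, addr in sorted(hits)]


if __name__ == "__main__":
    reached = trace_funds(TXS, "ransom_addr")
    for addr, (hops, path) in sorted(reached.items(), key=lambda kv: kv[1][0]):
        print(f"{addr:18} hop {hops}  via {' -> '.join(path) or '-'}")
    clusters = cluster_addresses(TXS)
    print("same wallet as hop1:", sorted(a for a, r in clusters.items() if r == clusters["hop1"]))
    print("off-ramps:", [(a, KNOWN_ENTITIES[a]) for a in off_ramps(reached)])
```

Two things the toy graph shows that the prose only asserts: the "change" output that the attacker later co-spends with the next hop collapses into the same cluster as that hop, so splitting a payment buys no separation; and the walk terminates at the first address a cooperating exchange can attribute to a customer, which is exactly where a seizure warrant becomes actionable. Real investigations add more heuristics (change detection, mixer and peel-chain patterns) and contend with far larger graphs, but the structure of the analysis is the same.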
What’s trending in security?
📈 As high-profile cyber assaults become increasingly common and big ransomware strikes cripple organizations that play critical roles in the energy, water, and healthcare sectors, the ripple effects have also exposed the brittleness of supply chains, be it for gasoline, food, or other essentials. As a consequence, not only is the cost of cyber insurance surging, insurers are beginning to ask clients more questions and urging them to improve their defences. [Financial Times]
💲 More ransomware news. The Wall Street Journal has a profile of Ryuk, a notorious ransomware gang that has hit 238 hospitals and healthcare entities since 2018 and collected at least $100 million in ransom payments in 2020 alone. [Wall Street Journal]
🚨 The Cybersecurity and Infrastructure Security Agency (CISA) has launched a vulnerability disclosure program allowing ethical hackers to report security flaws to federal agencies. [TechCrunch]
🇺🇸 The U.S. Department of Justice (DoJ) charged a Latvian woman over her alleged role as a programmer for the cybercrime gang behind the TrickBot malware. The Department also disrupted and shut down Slilpp, an underground marketplace for stolen logins, the third such cybercrime forum taken down in recent years. [The Hacker News]
❎ The Avaddon ransomware group, one of the most prolific operations of 2021, has announced that it is shutting down and has released a free decryption tool for its thousands of victims. [Bleeping Computer]
🛡️ In an important victory in the endless cat-and-mouse battle with criminals, law enforcement agencies in Australia and the U.S. ran a covert operation for nearly three years, luring cybercriminals onto an encrypted messaging platform called ANoM that was under their control and gaining the ability to surveil drug deals, money laundering, and murder plots that were unfolding away from the eyes of authorities.
In terms of scale, the operation, dubbed Operation Trojan Shield, is one of the most elaborate and sprawling honeypot traps known to date. But it also raises ethical questions, including about the “potential of incidental surveillance of innocent people.” [The Hacker News / Justice Department / Vice]
🇷🇺 A top Russian-language underground forum has been running a "contest" for the past month, calling on its community to submit "unorthodox" ways to conduct cryptocurrency attacks, including the theft of private keys and wallets, as well as entries covering unusual cryptocurrency mining software, smart contracts, and non-fungible tokens (NFTs). [The Hacker News]
👩‍💻 Code-hosting platform GitHub revised its policies to let it disrupt ongoing attacks that use the platform as a content delivery network for exploits or malware. This includes abusing the platform to deliver malicious executables or using it as attack infrastructure, say, to coordinate denial-of-service (DoS) attacks or host command-and-control (C2) servers. [The Hacker News]
🇩🇪 The U.S. National Security Agency (NSA) used a partnership with Denmark's foreign and military intelligence service to eavesdrop on top politicians and high-ranking officials in Germany, Sweden, Norway, and France by tapping Danish submarine internet cables between 2012 and 2014. [DR / The Hacker News]
📣 Arab news conglomerate Al Jazeera said this week that it blocked a series of cyberattacks that attempted to breach, disrupt, and take control of parts of its news publishing platform. [Al Jazeera]
🛒 A cybercriminal group dubbed “GrelosGTM” has been behind a string of malicious activity dating back to at least April 2020 that used domains impersonating legitimate services such as Google Analytics and Google Tag Manager to infect e-commerce websites. [Group-IB]
☢️ Proofpoint researchers identified renewed distributed denial-of-service (DDoS) extortion activity, beginning May 12, 2021, by a threat actor calling itself “Fancy Lazarus” and targeting a growing number of U.S. industries, including energy, financial services, insurance, manufacturing, public utilities, and retail. [Proofpoint]
🗂️ Between 2018 and 2020, an unidentified strain of malware infected approximately 3.25 million Windows computers and stole sensitive data from them. The resulting 1.2TB database includes 26 million login credentials, 1.1 million unique email addresses, more than 2 billion browser cookies, 6.6 million files, and 90,000 image files. [NordLocker]
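The GrelosGTM item above describes a common web-skimmer trick: load the skimmer from a host that looks like Google's tag infrastructure so it passes a casual review of the page source. The check below is an added example written for this page (not code from the newsletter or from Group-IB) that pulls every external script host out of a page and flags hosts that are near-misses of the real Google Analytics / Tag Manager hosts or that embed a Google tag brand name inside some other domain. The HTML is constructed, the lookalike hostnames use the reserved .example TLD and are not the domains reported in the campaign, and `GTM-XXXX` is a placeholder container id.

```python
"""Spotting script tags that load from Google Analytics / Tag Manager lookalikes.

Added illustration, not code from the newsletter or from Group-IB. The HTML
below is constructed; the lookalike hostnames in it are invented (.example)
and are not the domains reported in the campaign.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts the real Google tags load from.
LEGIT_HOSTS = {
    "www.googletagmanager.com",
    "www.google-analytics.com",
    "ssl.google-analytics.com",
}
# Brand fragments that should never appear in a host outside LEGIT_HOSTS.
BRAND_TOKENS = ("googletagmanager", "google-analytics", "tagmanager", "analytics")

# Constructed checkout page: one real GTM loader, one typo-squat, one
# "legit host as a subdomain" trick, one unrelated CDN, one inline script.
SAMPLE_HTML = """
<html><head>
<script src="https://www.googletagmanager.com/gtm.js?id=GTM-XXXX"></script>
<script src="https://www.google-analytic.com/analytics.js"></script>
<script src="//www.googletagmanager.com.stats-cdn.example/gtm.js"></script>
<script src="https://cdn.shopcart.example/checkout.js"></script>
<script>window.dataLayer = window.dataLayer || [];</script>
</head><body></body></html>
"""


class ScriptSrcCollector(HTMLParser):
    """Collects the src attribute of every <script> tag, in document order."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            for name, value in attrs:
                if name == "src" and value:
                    self.srcs.append(value)


def script_hosts(html):
    """Lower-cased hostnames of all external scripts (inline/relative skipped)."""
    parser = ScriptSrcCollector()
    parser.feed(html)
    hosts = []
    for src in parser.srcs:
        host = urlparse(src).hostname      # handles https:// and scheme-relative //
        if host:
            hosts.append(host.lower())
    return hosts


def levenshtein(a, b):
    """Edit distance; used to catch one- or two-character typo-squats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def suspicious_hosts(html, max_distance=2):
    """Return [(host, reason)] for script hosts that are not the real Google
    tag hosts but look like them: near-misses by edit distance, or hosts that
    embed a brand token (covers the legit-name-as-subdomain trick)."""
    flagged = []
    for host in script_hosts(html):
        if host in LEGIT_HOSTS:
            continue
        near = sorted(h for h in LEGIT_HOSTS if levenshtein(host, h) <= max_distance)
        if near:
            flagged.append((host, f"within {max_distance} edits of {near[0]}"))
        elif any(tok in host for tok in BRAND_TOKENS):
            flagged.append((host, "Google tag brand token in a non-Google host"))
    return flagged


if __name__ == "__main__":
    for host, reason in suspicious_hosts(SAMPLE_HTML):
        print(f"SUSPICIOUS {host}: {reason}")
```

Run against a crawl of your own checkout pages, this catches the two disguises the item describes: a one-character typo of the real host and the real host name parked as a subdomain of an attacker-controlled registrable domain (the browser only cares about the last labels, so `www.googletagmanager.com.stats-cdn.example` is served by `stats-cdn.example`). The brand-token rule will also flag legitimate third-party analytics vendors whose hostnames contain "analytics", so treat its output as review queue material and extend `LEGIT_HOSTS` with the vendors you actually deploy rather than loosening the rule.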
🗃 The past fortnight in data breaches, leaks, and ransomware: ADATA, CD Projekt, Electronic Arts (and it was via Slack!), iConstituent, Invenergy, JBS, McDonald’s, Scripps Health, Sol Oriens, Massachusetts' Steamship Authority, and Volkswagen.