“It’s a battle, it’s a war”: experts try to defeat ransomware attackers


Cybersecurity experts like to joke that hackers who have turned ransomware attacks into a multimillion-dollar industry tend to be more professional than even their biggest victims.

Ransomware attacks, in which attackers lock up computer systems or steal data until a ransom is paid, returned to prominence this week after attacks hit one of the largest fuel pipelines in the United States, Toshiba’s European business and the Irish health service.

While governments have pledged to address the problem, experts said criminal gangs have become more enterprising and still have the upper hand. For companies, they said, there is more pain to come.

“This is probably the big security puzzle, because companies have to decide to what extent they are involved in this game of cat and mouse,” said Myrna Soto, chief strategy and trust officer at Forcepoint. “It’s a battle, it’s a war, to be honest.”

Last year the number of ransomware attacks reportedly rose by more than 60% to 305 million, according to SonicWall data, as hackers took advantage of the shift to working from home and the vulnerabilities it opened up. Just over a quarter of victims pay to unlock their systems, according to researchers at the cybersecurity group CrowdStrike.

About two dozen gangs dominate the market and business has been brisk. They took in at least $18bn in ransoms in 2020, according to the cybersecurity group Emsisoft, with an average payment of about $150,000. Once indiscriminate in their attacks, many now engage in “big game hunting”, pursuing larger targets to demand larger payouts.

Criminals with less technical skill have also joined in, following the advent of ransomware-as-a-service, or RaaS, in which groups rent out their malware on the dark web to “affiliates” and take a cut of their revenue.

“There are very low barriers to entry now,” said Rick Holland, head of information security for cybersecurity group Digital Shadows.

The alleged perpetrators of the Colonial Pipeline hack, a Russia-based gang called DarkSide, ran such an affiliate programme, according to the cybersecurity group FireEye, meaning another group may also have been involved in the Colonial attack.

“There is now a division of labor and criminals cooperate transnationally,” said Joshua Motta, co-founder and CEO of the cybersecurity group Coalition.

[Bar chart: overall ransomware costs, public and private sector estimates only ($m)]

Follow the money

Cyber experts and governments continue to debate the most effective way to beat the cyber cartels. One of the thorniest questions is whether governments should ban victims from paying ransoms altogether.

“This is an issue that governments need to seriously consider,” said Brett Callow, an analyst at Emsisoft. “Make ransomware attacks unprofitable and attacks would stop.”

But opponents warn that a ban would do little to deter hackers, given the low cost and low risk of launching attacks, and could push gangs towards more vulnerable targets, such as hospitals.

The FBI advises against paying ransoms, but in the case of Colonial the White House acknowledged the difficult position companies are in.

Last month, a public-private working group of large technology groups, including Microsoft and Amazon, along with US officials, recommended that companies be required to review alternatives before paying a ransom, and then to inform a government agency if they do pay one.

Many victims are reluctant to disclose whether they have been attacked or have paid up, for fear of reputational damage or legal and regulatory consequences. But Jen Ellis, vice-president of public and community affairs at the cyber group Rapid7 and a member of the working group, said: “It can be done privately, there are ways to do it to destigmatise it. But informing us provides a greater ability to investigate payments [and] track them.”

This is related to another demand the working group and others have made: greater government oversight of cryptocurrency exchanges, which they believe should be held to the same “know your customer” and anti-money laundering laws as traditional financial services.

How investigators can find clues

Meanwhile, the US government has stepped up efforts to pursue and prosecute the ransomware gangs themselves, and the Justice Department launched a dedicated ransomware unit last month. Among its goals, according to a memo from acting deputy attorney general John Carlin seen by the Financial Times, is taking steps to “disrupt and dismantle the criminal ecosystem”.

Typically, this could involve taking down servers and other hosting services that facilitate the cyber cartels’ business, according to Tom Kellermann, head of cybersecurity strategy at VMware and a member of the US Secret Service’s cyber investigations advisory board.

Kellermann suggested that internet service providers could play a role in taking down dark web forums associated with specific gangs. “Why don’t they sinkhole it, just take it off the internet?”

Often, the carelessness of criminal affiliates leaves clues for investigators to take such action, according to Allan Liska of the computer security incident response team at Recorded Future, because “they’re not as good at covering their tracks” as the core ransomware operators.

There are already indications that targeting the hackers’ infrastructure helped prevent an even more catastrophic outcome in the case of the Colonial shutdown. On Saturday, a group of technology and cyber companies, together with US agencies including the FBI, thwarted the attackers by shutting down US-based servers the hackers had used to store data before sending it to Russia, according to two people familiar with the situation. Bloomberg first reported the takedown.

There have been few attempts to prosecute the gangs, many of which operate with impunity from Russia, which is unlikely to extradite them. Last month, the US Treasury even accused one of Russia’s intelligence services, the FSB, of “cultivating and co-opting” the ransomware group Evil Corp.

In return, criminals often avoid targeting Russian organisations and may be asked to share their access to victims’ systems. “I joke that the safest way to protect yourself from ransomware is to switch all your keyboards to the Russian Cyrillic layout,” Liska said.

[Bar chart: major data breaches by number of records, millions (2020)]

Use of sanctions

Dmitri Alperovitch, co-founder of the security group CrowdStrike, who now heads the Silverado Policy Accelerator think tank, said on Twitter: “We don’t have a ransomware problem. We have a Russia problem. That’s it.”

The public-private ransomware working group recommended greater international coordination and “exerting pressure” on nations that refuse to cooperate, for example, through sanctions or withholding aid or visas.

So far, the United States has chosen to impose sanctions on certain groups, such as Evil Corp, as a deterrent to potential payments. In October, the US Treasury warned any group that might help facilitate a ransom payment (cybersecurity firms, negotiators and insurers) not to violate sanctions, and gave a similar warning to financial institutions, including cryptocurrency exchanges.

Not everyone has heeded those warnings. According to data from Chainalysis, which analyses blockchain transactions, roughly 15% of the ransom payments it tracked in 2020 (about $60m in total) may have violated sanctions, as they appeared to go to sanctioned groups or to groups affiliated with them.

With few options for prosecution, an expert familiar with the government’s approach said he expected the authorities to go aggressively after the perpetrators of the Colonial hack. “There are 10 or 15 young boys or girls who party a lot and want a lot of money. They won’t be prosecuted in Russia, they’ll be prosecuted when they go on holiday to Greece.”
