Over the past several years, the emergence of big-ticket, destructive ransomware attacks, mainly by Russia-based threat actors, has pushed the U.S. government to take steps to counter them. At the same time, ransomware has become an important factor in growing corporate cybersecurity budgets, as companies struggle with the threat of crippling attacks.
Despite policy measures and increased private-sector spending to slow the drumbeat of attacks, ransomware was a top topic at this year’s RSA conference. Experts at the event stressed that Russian state-sanctioned criminal actors are not the only ransomware threat actors to be feared, nor are attacks diminishing despite intense efforts to stamp them out. The same steps taken to curb ransomware could also push financially motivated threat actors into alliances that produce hybrid attacks mixing social engineering with ransomware.
Iran is the inventor of ransomware
Speaking at RSA, Dmitri Alperovitch, executive chairman of the Silverado Policy Accelerator and co-founder and former CTO of CrowdStrike, said Iran was the inventor of ransomware with its SamSam ransomware. He noted that it was an Iranian group that attacked the city of Atlanta and the state of Colorado with the malware, and that it was Iran that launched the first large-scale big-game hunting.
“Not just trying to target and lock a system within a network, but really making an intrusion and then trying to get as much ransom as possible by rolling ransomware across the network, which we now see from all the other groups like REvil, LockBit and others,” he said. “One of the things that the Iranians are doing, and we see it in criminal areas, is leaking information to harass organizations,” Alperovitch said.
Ransomware attacks are still on the rise
Sandra Joyce, executive vice president and head of Mandiant Intelligence and Advanced Practices, said it was misleading to think that ransomware attacks were declining, a common misconception in light of Russia’s attack on Ukraine. “If you look at Q1 year after year and Q2 year after year, what you’re going to see is a very strong increase,” she said.
“I can tell you that at Mandiant, we’ve seen a spike in the last week and a half.” Joyce pointed to leak sites that are particularly embarrassing for victims: “Where you don’t pay, and openly where you actually pay, threat actors will go and dump your data.”
Sometimes ransomware is not even part of these groups’ attacks. “A lot of what we measure as ransomware goes into data theft and extortion, and there’s absolutely no need to throw out any malware,” Joyce said. “And we’ve been predicting for a long time that malware has nothing to do with these attacks. It can only be extortion and data theft, and it is also being measured as ransomware. So, the thing to worry about is that most of it is a strategy to avoid sanctions.”
REvil returns from the dead
But the news on ransomware is not all bad, says Alperovitch. “We had some good news on the ransomware front. A month ago in January [Russia’s invasion of Ukraine], the Russians took action against 14 people who were part of the group, REvil, which was responsible for last year’s high-profile attack.”
More recent developments have diminished that bright spot. “The problem is solved, isn’t it?” Alperovitch says. “Well, not so fast. A little thing called war happened, and it did, of course, disrupt communication between the US government’s cyber team and the Russian cyber team. Understandably so.”
“What you are seeing now is a statement from lawyers for these people who have returned to Russia. ‘[Prosecutors] only charges should be dropped and they should be released.’ It is unknown at this time what he will do after leaving the post.”
The result, Alperovitch said, is an incredibly resilient ecosystem that spreads responsibility among many specialized actors within the group, even when the group is under intense pressure. “One of the things we’re seeing now is that REvil is starting to come back. Some of their sites and Tor networks are back, and we have to look at that very carefully.”
Costa Rica’s ransomware attack is a cautionary tale
Costa Rica’s recent ransomware attack, which has cost the country millions of dollars in lost productivity and saw the Conti ransomware attackers call for the overthrow of the country’s government, highlights ransomware’s enduring destructive power. Matt Olsen, assistant attorney general for national security at the U.S. Department of Homeland Security, indicated that Costa Rica may not have been a deliberate target, but was probably the victim of an uncontrolled ransomware incident.
Olsen said the Costa Rican attack could represent potential “spillover” damage from the activities of Russian ransomware groups. “When you look at what happened with NotPetya, where the Russian invasion was really focused on Ukraine, it was a fake ransomware attack. But it immediately spread beyond the borders of Ukraine. That’s the nature of this kind of attack. I think it’s a cautionary tale where you see that there is reason to believe that Russia will expand its reach to countries and places using groups that will help it achieve its goals.”
Ransomware and BEC actors may converge within the next year or so
The two top financially motivated cyber attacks, ransomware and business email compromise (BEC), have grown in parallel over the past five to six years, although “they are on the complete opposite side of the cybercrime spectrum,” said Crane Hassold, director of threat intelligence at Abnormal Security.
Ransomware is a highly concentrated specialty with a centralized ecosystem. Just three ransomware groups were responsible for nearly two-thirds of all ransomware activity between 2020 and 2021, Hassold said. “Right now, Conti or LockBit has been blamed for more than 50% of ransomware activity.”
BEC, on the other hand, is committed by thousands of actors with little central direction, mostly in places like West Africa or Nigeria. Despite this difference, Hassold thinks that ransomware actors will be drawn to BEC in the next 12 to 18 months, mainly because government authorities are making it harder for ransomware gangs to get paid through cryptocurrency. “The friction-free environment that previously enabled cryptocurrency transactions will begin to erode, and this will make it more difficult to conduct those transactions for more malicious and illegal purposes,” he said. “Because of this, the overall return on investment, the overall effort required to make these transactions, will begin to generate declining returns for threat actors.”
Ransomware actors are “going to pivot elsewhere to make money, and in my opinion, what we’re going to see in the next 12 to 18 months is this essential combination of ransomware actors and the BEC space to create this sophisticated hybrid social engineering attack [on] the scale and sophistication of ransomware.”
Copyright © 2022 IDG Communications, Inc.