Active Defense & Deception , Business Continuity Management / Disaster Recovery , Critical Infrastructure Security
'We're Hitting Ransomware Groups,' US and Allies ConfirmUS Military Has Been 'Imposing Costs' on Ransomware Groups, Says Top General
Military forces and intelligence agencies exist to protect a nation's security.
See Also: Live Webinar | Education Cybersecurity Best Practices: Devices, Ransomware, Budgets and Resources
So it's no surprise that as some ransomware-wielding criminals have been hitting healthcare, pipelines and other sectors that provide critical services, governments have been recasting the risk posed by ransomware not just as a business threat but as an urgent national security concern.
"The first thing we have to do is to understand the adversary and their insights better than we've ever understood them before."
The change in language bespeaks a rethinking of what some governments are now willing to do to combat cybercrime. When this shift began isn't clear, but by July, the White House had reportedly tasked the U.S. military with actively disrupting infrastructure being used by the REvil - aka Sodinokibi - ransomware group.
Describing the U.S. government's new strategy in October, Tom Kellermann, head of cybersecurity strategy for VMWare and also a cybercrime investigations adviser to the U.S. Secret Service, told Reuters: "The gloves have come off."
As of Saturday, we now have official U.S. government confirmation: Gen. Paul M. Nakasone, the head of Cyber Command, says the military has been tasked with not just disrupting ransomware groups, but also tracking them, in conjunction with law enforcement agencies.
"The first thing we have to do is to understand the adversary and their insights better than we've ever understood them before," Nakasone told The New York Times on the sidelines of a national security conference.
Nakasone declined to specify exactly what the government was doing, except to say in broad terms that it's attempting to "impose costs," which is government-speak for causing disruption. "With a number of elements of our government, we have taken actions and we have imposed costs," he told the Times. "That's an important piece that we should always be mindful of."
Canada Announces Operations
The U.S. is not the only country moving to more actively disrupt ransomware. On Monday, the Canadian government announced that it has been pursuing similar measures, via its Communications Security Establishment, which is a sister agency to the U.S. National Security Agency.
"Although we cannot comment on our use of foreign cyber operations (active and defensive cyber operations) or provide operational statistics, we can confirm we have the tools we need to impose a cost on the people behind these kinds of incidents," spokesperson Evan Koronewski told Canadian news site Global News.
"We can also confirm we are using these tools for such purposes, and working together with Canadian law enforcement where appropriate against cybercrime," Koronewski added.
The move is not necessarily a surprise, given that Canada is a member of the Five Eyes intelligence alliance, which includes the U.S., Australia, New Zealand and the U.K.
In fact, multiple countries, as part of their anti-cybercrime strategies, are not just attempting to prosecute cybercriminals, but also working to promote better business resilience, to make it tougher for criminal hackers to hit domestic targets.
Together with improving international law enforcement collaboration and diplomacy, and targeting illicit cryptocurrency use, that was the focus of an anti-ransomware summit held in October, which was coordinated by the White House National Security Council and featured participation from more than 30 nations.
Ireland Targets Conti
Multiple anti-ransomware law enforcement efforts remain underway, says Interpol Director of Cybercrime Craig Jones. Speaking Thursday at cybersecurity firm Group-IB's annual CyberCrimeCon threat hunting and intelligence conference, Jones said Interpol has been "coordinating a number of operational activities in support of our member countries to target the prominent cybercrime threats and actors" tied to many high-profile attacks.
One example has been Ireland's response to the Conti ransomware group's May attack on the country's Health Service Executive, which disrupted healthcare in the country for months. "Interpol facilitated the identification and takeover of the attackers' command-and-control server in the Ukraine and supported the post-event disruption activities led by Ireland on that criminal infrastructure," Jones said. "That operation is still ongoing, and there is more to come in the future."
In recent weeks, the U.S. Department of Justice has announced arrests, cryptocurrency seizures and indictments against multiple suspects accused of either wielding ransomware directly or facilitating such attacks. Recently, Ukraine announced the arrest of suspected ransomware operators. And last month, police in Western Europe announced that since February, they have arrested six suspects accused of working with REvil or its predecessor, GandCrab, which operated from January 2018 to mid-2019.
Security experts have told me that these charges will be the culmination of efforts that began months, if not years ago. If some governments are now devoting even more resources to combating ransomware, hopefully the pace of arrests and disruptions will only increase.
The Language of Disruption
Exactly what governments are - or have been - doing will no doubt remain unclear until such time as one or more nations want to highlight whatever it is they've been doing, or such details come to light in court.
But disruption comes in many forms. If law enforcement authorities cannot arrest perpetrators, one of the tools in their arsenal remains sowing dissent, confusion and chaos. After REvil's infrastructure went offline in July, for example, key administrator UNKN - for Unknown - also disappeared. Fellow admins opined that maybe he'd been arrested and was quietly working with law enforcement officials, or maybe he was dead.
When another admin attempted to restore REvil's Tor sites, meanwhile, he made a rookie mistake, restoring from a backup that someone else - likely a law enforcement agency - also possessed, which allowed them to overwrite the criminals' restoration with one they controlled. In short order, REvil pulled the plug on its infrastructure again, leaving its brand in tatters.
Will it reboot, perhaps under a new name? No doubt some administrators as well as many former affiliates will remain active.
But time is money. In the criminal realm, another weak spot is trust, which runs in short supply. By targeting both, governments have multiple ways to "impose costs." And anything that makes criminals' lives tougher or the individuals involved more likely to make mistakes is a cost to be celebrated.