XXI century mafia: criminal enterprises at the heart of ransomware
The US Federal Bureau of Investigation (FBI) and the Department of Justice (DOJ) now prioritize ransomware attacks on the same level as terrorism. The recent SolarWinds, Colonial Pipeline, and Irish health sector cyberattacks, to name just a few, leave no choice but to fight cybercriminals as if they were terrorists.
In an interview with The Wall Street Journal, the FBI's Director Christopher Wray revealed that the agency was investigating 100 ransomware attacks, most of which could be traced back to Russia. The challenge that cyberattacks pose is somewhat similar to the challenge posed by the Sept. 11, 2001, terrorist attacks.
Cybercriminal gangs, such as Darkside, the group behind the Colonial Pipeline attack, claim they are after money, not chaos. But that is not entirely accurate, as attacks against critical infrastructure, health services, or large companies delay critical operations and drain victims' financial resources. For example, JBS, the world's largest meat processing company, temporarily shut down some operations in Australia, Canada, and the US due to ransomware attacks. The company paid $11M to put an end to the cyberattack.
Here's the thing - cybercriminals now work in cahoots. So even if the attackers honor their word, hand over the decryption key, and delete any compromising information they have, the breach still exists, and the access may quickly be resold to another cybercriminal to exploit.
"I do feel pretty comfortable saying that the trends are going to continue. There is big money in the notion of ransomware. We've seen that throughout the year, and there's no reason to believe that is going to change," Corey Bodzin, chief technology officer at cybersecurity service provider Deepwatch, told CyberNews.
Bodzin has been in the security industry for 25 years. "When I was young, I watched movies like WarGames, and at that point, the attacker was the pretty typical kid in a basement. Now, there's a lot of discussion about things like sovereign governments and sophisticated attackers, but at the heart of things like ransomware, what we are seeing is a criminal enterprise," Bodzin said.
Criminal enterprises run things the way businesses do. Ransomware and the attendant malware are their product.
"They have really good portals on the dark web, and they have customer support numbers. They are well organized, and so that's what companies are facing - a notion that there's a big business in establishing a foothold in their environment and then selling that foothold to whoever wants to undertake the campaign, whether that's a specific target for geopolitical purposes, or it is simply a profit motive. Criminals are leveraging the infrastructure that those ransomware businesses have built," Bodzin explained.
The problem is that it sometimes takes months just to notice that you have been compromised. Attackers establish a foothold and persist undetected for a long time. So one of the key pushes in the security industry, Bodzin explained, is to reduce the amount of time that attackers operate unnoticed. Detecting anomalous activity on your systems requires sophistication.
"When you know that something unconventional, unexpected, or that doesn't fit the profile of what we believe to be regular business is happening, notifying, beginning an investigation, and getting engaged with your partner immediately can help reduce that time. Many attacks happen so quickly that it is going to be difficult to do any prevention. You are going to need to be good at response and resilience, but for the majority of what we see today, there's still ample time to detect as long as you know what you are looking for and you have the right tools and staff to do it," Bodzin said.
To prevent cyberattacks or at least mitigate the damage appropriately, every company should have a playbook.
"Inevitably, you are going to have a bad day, and if you are making things up as you go along during that bad day, you still could be successful, but as with all things, if you've practiced, if you have an idea, a plan, then odds are that things will go better," he said.
The shifting approach to fighting cybercrime
Russian President Vladimir Putin and US President Joe Biden have agreed to develop a bilateral cybersecurity arrangement after discussing ransomware in Geneva. Biden gave Putin a list of 16 entities that should be considered "off-limits" for future cyberattacks. Putin, unsurprisingly, said the attacks have nothing to do with the Russian government. The truth is, even when the Kremlin does not engage in cyberattacks directly, it is blamed for turning a blind eye to cybercriminal gangs, as long as they attack American rather than Russian entities.
Can this agreement do any good?
"Any sort of diplomacy that can be leveraged is helpful. Is it a panacea? Absolutely not," Bodzin said.
He compared the cybersphere to tax policy. There are safe havens for those who want to pay fewer taxes or stay off the radar, and there are safe havens for cybercriminals where they can operate uninterrupted.
"I think there's value in global agreements and global norms. We need to be realistic about what they can accomplish, but even if they have limits, I'm pleased to see that leadership is at least talking about it and trying to set some ground rules," Bodzin said.
There are other initiatives for fighting cybercrime more effectively, too. For example, the United States and European governments formed a new ransomware working group to address the scourge of ransomware that has hurt many European countries and the US.
According to Bodzin, sharing information among governmental institutions, law enforcement, and private entities is crucial in this battle against cybercrime.
"There's a tremendous opportunity for that to be not just the commercial sector but also a public and private sector partnership to expand the visibility of what is happening, what best practices are," he said.
Not that long ago, maybe ten years or so, the prevailing attitude was, "Yeah, who's going to attack us? Why would anybody care about attacking us?" But because of recent significant cyberattacks and the interconnectivity of so many devices, there is now much greater awareness of the importance of cybersecurity.
Bodzin reckons that after attacks that brought unwanted attention to cybercriminals from governments and law enforcement (Darkside is a prime example here), more things will be "happening in the dark of the night." That means there will still be ransomware attacks; they just may not make the news.