How the US Government is Fighting Back Against Ransomware
As ransomware-related payments surged toward $600 million in the first half of 2021, the U.S. government knew it needed to do more to fight back against cyber criminals.
For many years, the Treasury’s Office of Foreign Assets Control (OFAC) has maintained the Specially Designated Nationals and Blocked Persons List (SDN List), which names people and organizations acting against the national security, foreign policy and sanctions policy objectives of the United States. U.S. persons are generally prohibited from transacting with anyone on that list, which is what makes a ransom payment to a listed group a sanctions problem as well as a security one.
But since 2021, the U.S. Department of Justice (DOJ) has upped the ante to tackle the growing problem. After all, most of the attacks were on government bodies, educational institutions and health care organizations.
This post will explore how the DOJ has been cracking down and reflect on how the tighter stance has impacted ransomware groups.
In September 2021, OFAC announced its intent to take a stronger stance against sanctioned ransomware groups. The updated advisory makes it clear the U.S. government:
In May 2022, the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) formed the Joint Ransomware Task Force (JRTF) to tackle the growing threat of ransomware gangs. The DOJ also announced two international initiatives:
So, how has the landscape changed in the wake of the tougher stance from the U.S. government?
Here are six high-profile incidents since 2021 in which the government took action against known ransomware organizations:
After DarkSide extorted Colonial Pipeline for $4.4 million in cryptocurrency, the FBI followed the digital money for 19 days. Because bitcoin transactions are recorded on a publicly visible ledger, special agents could trace the funds from wallet to wallet, wait for the opportune moment to obtain a seizure warrant, and successfully recover $2.3 million.
The Gozi virus infected over one million devices before three European men were formally charged in a U.S. federal court in 2013. While two members spent time in custody, the Romanian national Mihai Ionut Paunescu was spared extradition. He was finally arrested in Colombia and extradited to the U.S., where he could face more than 30 years in prison.
One of the most notorious ransomware groups is the “Ransomware-as-a-Service” operation REvil. Since February 2021, seven suspects linked to REvil and the affiliated GandCrab have been apprehended, including the two most recent arrests in the wake of the attack on tech firm Kaseya.
Enforcement actions included the seizure of $6.1 million in funds linked to alleged ransom payments. Ukrainian national Yaroslav Vasinskyi, connected with over 2,500 attacks, stands accused. Russian national Yevgeniy Polyanin was also charged for involvement in at least 3,000 ransomware attacks.
The DOJ announced a court-authorized operation against Russia’s foremost cyberattack unit, Sandworm, which had used a botnet called Cyclops Blink to infect thousands of network devices worldwide. The operation disrupted the botnet by removing the malware from its command-and-control devices; the affected firewall vendor estimated that only about 1% of its appliances had ever been infected.
The FBI seized $500,000 in cryptocurrency that had been paid as ransom to North Korean state-sponsored hackers, who used a ransomware strain known as Maui to target health care providers in Colorado and Kansas. The Kansas provider’s prompt report to law enforcement allowed authorities to identify Maui as a previously unknown strain and to trace the payment, aiding future efforts to thwart malicious cyber activity and illicit financial gain.
OFAC added ten individuals and two entities to the SDN list — all of which are connected to an Iranian ransomware group affiliated with Iran’s Islamic Revolutionary Guard Corps (IRGC). U.S. officials allege the group is responsible for various malicious cyber-enabled activities against the U.S. and Middle Eastern governments.
Coveware’s report for Q2 2022 indicates sanctions are having some effect. While there was an 8% increase in the average ransom payment from Q1 2022, several outliers contributed to the average $228,125 ransom payment.
A more accurate reflection of the impact is clear when you consider the median ransom payment fell to $36,360 — a dramatic 51% decrease from Q1 2022. This drop marks two consecutive quarters where the median ransom payment was lower, which could signal the start of a downward trend.
Another promising sign is that the average downtime from ransomware attacks was 24 days in Q2 2022, which is an 8% decrease compared to the previous quarter.
However, the war is far from over.
Despite increased efforts, attacks continue. It seems as if any time authorities cut off one head from a prominent hacking group, another two appear.
The Lazarus Group is a North Korean state-sponsored hacking entity best known for the WannaCry attack that infected 300,000 computers worldwide in May 2017.
In February 2021, the DOJ indicted three North Korean (DPRK) military personnel for criminal conspiracies and cyberattacks that generated $1.3 billion. However, despite the indictment, the Lazarus Group remains active. The group is driving a new cyber-espionage campaign that aims to steal data from energy providers across the U.S., Canada and Japan.
After the indictment of Polyanin and Vasinskyi, reports from Russia indicated that REvil had ceased to exist.
But in May 2022, a ransomware gang initiated a distributed denial of service (DDoS) campaign against a customer of the cloud networking provider Akamai. As the attackers demanded payment in Bitcoin, news emerged that the supposedly defunct REvil claimed responsibility.
The Secureworks Counter Threat Unit (CTU) analyzed code samples found online and confirmed that the developer has access to REvil’s source code.
The Treasury’s sanctions list is meant to thwart companies from paying sanctioned ransomware gangs, as the prospect of federal fines alongside a ransom payment could be too much for some companies to bear.
Norsk Hydro is one example of a company that refused to pay the ransom. The manufacturer chose to shut down its systems and then totally rebuild them. Productivity slowed, and people worked double shifts, but they won.
“My experience has shown that 50-75% of organizations will negotiate and work with ransomware gangs,” explains Jonathan Couch, COO, ShadowDragon. “The remaining 25-50% rely on either network architecture and backups to recover without having to pay.”
However, depending on the industry and the severity of the attack, paying may sometimes be the only obvious answer.
When REvil took down the systems of the world’s biggest meat supplier, JBS Holdings, JBS CEO Andre Nogueira saw payment as the only way to regain control. The company informed law enforcement of its decision before paying the ransom of $11 million in Bitcoin.
Michael Lieberman, assistant director of OFAC’s enforcement division, explains that “a person subject to OFAC jurisdiction can be held civilly liable” for taking matters into their own hands.
So, as JBS engaged with and then paid a group whose operators were later sanctioned, could it be penalized? For a large enterprise so integral to the world’s food supply, it seems improbable that the U.S. government would impose federal fines after the enterprise forked out $11 million.
But what about smaller companies that don’t hold as much sway with the global economy or the U.S. government? Without guidance, there is a risk of paying threat actors on the sanctioned list. OFAC’s advisory does count prompt reporting to law enforcement and cooperation with investigators as significant mitigating factors, but that is not a guarantee: if you pay, there are no assurances that the government won’t add a fine on top of your ransom payment.
The government response shows some early promise, as median ransom payments are falling. But ransomware gangs are still coming back for more.
In truth, the sanctions offer no magic bullet. Ransomware is a $14 billion industry in 2022. It could grow exponentially in the years ahead as anonymous cyber criminals use ever-evolving technology to launch new sophisticated attacks against a backdrop of global crises, from energy concerns to cost-of-living struggles.
ShadowDragon CEO, Daniel Clemens, believes, “As multiple failures occur, there will be an increase in criminal activity. We should prepare for what we want to incentivize to control the outcomes.”
While many victims realize paying doesn’t guarantee they will get their data back or avoid further attacks, other companies are not deterred by the prospect of federal fines. Perhaps governments could offer incentives like tax breaks to encourage more companies to stand firm and collaborate in the efforts to eliminate the common vulnerabilities being exploited.
With a passion for creative writing and an unquenchable thirst to learn about futuristic tech, Christopher John Haughey segued from a journalism degree into …