Categories
Security

Ransomware victims are refusing to pay — but is it working?

A new report shows that ransomware payments have begun to slow, with more victims opting not to give in to demands.

Coveware, a ransomware incident response firm, has released figures on the state of ransomware during the second quarter of 2022.


As reported by Bleeping Computer, the average ransom payment has indeed increased. The median payment, however, has fallen sharply.

During the second quarter of 2022, the average (mean) ransom payment was $228,125, an 8% increase over the first quarter of the year.

The median ransom payment, by contrast, was $36,360, a 51% drop from the first quarter of 2022.

This continues a decline in the median that began after the fourth quarter of 2021, when both figures peaked: the average payment reached $322,168 and the median $117,116. That peak was likely helped along by the pandemic and the surge in people working from home systems.

“This trend reflects the shift of RaaS affiliates and developers toward the mid-market where the risk-to-reward profile of attack is more consistent and less risky than high profile attacks,” Coveware said in its findings.

Coveware also noted that large organizations are increasingly refusing to engage at all when the demand itself is unreasonable: “We have also seen an encouraging trend among large organizations refusing to consider negotiations when ransomware groups demand impossibly high ransom amounts.”


A shift in strategy

Attackers have shifted their focus toward smaller organizations, where attacks are paying off more reliably. This is reflected in the fact that the median size of companies hit by ransomware fell during the second quarter of 2022.

Elsewhere, the report’s list of the most common ransomware variants shows a few familiar names. BlackCat accounted for 16.9% of cases, while LockBit 2.0 made up another sizable share (13.1%).

Following the recent shutdowns of several large ransomware gangs, former members have moved to lower-tier attacks, which has fed the growth of smaller ransomware-as-a-service (RaaS) operations.

The report also found that double extortion, in which the attackers steal a copy of the victim’s files before encrypting them and then threaten to leak the stolen data unless the ransom is paid, remains the favored pressure tactic: 86% of reported cases involved it.

In a considerable number of these cases, the attackers continue their extortion or leak the stolen files anyway, even after receiving the ransom payment.

If you have been hit by ransomware, check the No More Ransom project, which provides free decryptors (see the next article).

Repost: Original Source and Author Link


This anti-hacker group helps you escape ransomware for free

This week marks the sixth anniversary of the No More Ransom project, an initiative aimed at helping ransomware victims.

No More Ransom is an online platform for anyone whose system has been infected by ransomware. It was founded as a joint venture between law enforcement (Europol and the Dutch National Police) and IT security firms (Kaspersky and McAfee).


As reported by Bleeping Computer, the program launched with just four ransomware decryptors. Since 2016, that number has grown to more than 100 free decryption tools covering numerous strains of ransomware.

“Six years later, No More Ransom offers 136 free tools for 165 ransomware variants, including Gandcrab, REvil/Sodinokibi, Maze/Egregor/Sekhmet, and more,” Europol said in a press release.

In total, more than 10 million people have used No More Ransom’s free decryptors to recover their files. Without such tools, a victim with no usable backups is left with the choice of losing the data or paying the criminals who are holding it hostage.

And that payday is substantial, to say the least. Upon No More Ransom entering its fifth anniversary last year, it was revealed that the initiative “prevented criminals from earning almost a billion euros through ransomware attacks.”

No More Ransom’s premise is simple but effective. The victim uploads two encrypted files and the ransom note to its Crypto Sheriff tool, which matches them against a database of known strains and available decryptors. If there is a match, the victim is pointed to the compatible decryptor along with step-by-step instructions for unlocking their files.


If no suitable decryptor is found, victims are encouraged to check back regularly, since new tools are added frequently.

While programs like No More Ransom are useful in battling the ever-growing threat of ransomware, the groups behind the malicious software that holds files and folders hostage aren’t sitting idly by.

Security firm Kaspersky has observed how ransomware gangs are now evolving their “cross-platform capabilities,” as well as “updated business processes.”

“If last year we said ransomware is flourishing, this year it’s in full bloom,” the company stated. Elsewhere, reported ransomware losses for 2021 came to $49.2 million, and that figure covers only publicly disclosed incidents; the true total is unknown.


A small Canadian town is being extorted by a global ransomware gang

The Canadian town of St. Marys, Ontario, has been hit by a ransomware attack that has locked staff out of internal systems and encrypted data.

The town of around 7,500 residents appears to be the latest target of the notorious LockBit ransomware group. On July 22nd, a post on LockBit’s dark web leak site listed townofstmarys.com as a victim and previewed files that had been stolen and encrypted.

Screenshot of the LockBit ransom listing for the Town of St. Marys. Text reads: “The Town of St. Marys is located at the junction of the Thames River and Trout Creek, southwest of Stratford in southwestern Ontario. Rich in natural resources, namely the Thames River, the land that now makes up St. Marys was traditionally used as hunting grounds by First Nations peoples. European settlers arrived in the early 1840s. Stolen data (67GB): financial documents, plans, department, confidential data”

In a phone call, St. Marys Mayor Al Strathdee told The Verge that the town was responding to the attack with the help of a team of experts.

“To be honest, we’re in somewhat of a state of shock,” Strathdee said. “It’s not a good feeling to be targeted, but the experts we’ve hired have identified what the threat is and are walking us through how to respond. Police are interested and have dedicated resources to the case … there are people here working on it 24/7.”

Strathdee said that after its systems were locked, the town received a ransom demand from the LockBit gang but has not paid anything to date. The Canadian government’s cybersecurity guidance generally discourages paying ransoms, Strathdee said, but the town would follow the incident team’s advice on how to engage further.

Screenshots shared on the LockBit site show a Windows file structure with directories corresponding to municipal operations such as finance, health and safety, sewage treatment, property files, and public works. Per LockBit’s standard practice, the town was given a deadline by which to pay to have its systems unlocked, after which the data would be published online.

Brett O’Reilly, communications manager for the town of St. Marys, directed The Verge to a press statement in which the town gave further details. According to the statement, essential municipal services such as transit and water systems were unaffected by the incident, and the town is working to unlock its IT systems and restore data from backups.

According to an analysis by Recorded Future, LockBit alone claimed 50 ransomware incidents in June 2022, making it the most prolific ransomware group worldwide. St. Marys is also the second small town LockBit has listed in just over a week: on July 14th, LockBit posted data from the town of Frederick, Colorado (population 15,000), a claim that town officials are currently investigating. The Frederick listing currently demands a ransom of $200,000 not to publish the data.

Increasingly, smaller municipalities are finding themselves the targets of sophisticated global ransomware groups with extensive technical knowledge and resources. In March, the FBI cyber division published a notification to private industry partners of government agencies, noting that ransomware attacks were “straining local US governments and public services.”


This researcher just beat ransomware gangs at their own game

A security researcher has found flaws in several widely used ransomware families that can stop them from doing what they are built to do, a discovery that may force their creators to rethink how the malware is put together.

Among the most active ransomware groups at the moment are Conti, REvil, Black Basta, LockBit, and AvosLocker. As reported by Bleeping Computer, the malware these gangs develop has been found to contain exploitable security vulnerabilities of its own.


These defects could prove damaging for the groups: the holes can be exploited to prevent the very thing most ransomware exists to do, encrypting the files on a system.

The researcher, hyp3rlinx, who specializes in malware vulnerability research, examined samples from the leading ransomware groups and found them vulnerable to dynamic link library (DLL) hijacking, a technique normally used by attackers themselves to get a legitimate program to load malicious code.

“DLL hijacking works on Windows systems only and exploits the way applications search for and load in memory the Dynamic Link Library (DLL) files they need,” Bleeping Computer explains. “A program with insufficient checks can load a DLL from a path outside its directory, elevating privileges or executing unwanted code.”

The exploits for the samples hyp3rlinx inspected, from Conti, REvil, LockBit, Black Basta, LockiLocker, and AvosLocker, allow code that can “control and terminate the malware pre-encryption.”

Using these flaws, hyp3rlinx built exploit code compiled into a DLL. The DLL is given the name of a library the ransomware expects to load, so the malware picks it up as if it were its own. When the ransomware loads it, the researcher’s code runs inside the malware process and terminates it before it starts encrypting data.

The researcher also published a video showing the DLL hijacking flaw in REvil’s ransomware being used to stop the attack before it can begin.

The significance of the discovery of these exploits

As Bleeping Computer notes, a typical ransomware target is a network location that holds sensitive data. hyp3rlinx therefore argues that once the DLL is placed in the right folders, the ransomware process should be stopped before it can inflict damage.
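
The search-order mechanism behind this, as an added example (it is neither hyp3rlinx’s code nor the malware’s): a small Python model of the default Windows DLL search order that shows why a same-named DLL placed in the application directory is the copy that gets loaded, and which directories ahead of the legitimate one are candidates for planting it. It runs on any OS using a temporary directory layout; the DLL name "example.dll" and the function names are assumptions of the example.

```python
"""Model of the Windows DLL search order that DLL hijacking exploits.

Added example, not the researcher's exploit code. When a program calls
LoadLibrary with a bare file name, Windows walks a fixed list of directories
and loads the first file with that name. A same-named DLL planted in a
directory searched earlier than the legitimate one therefore wins, and its
DllMain runs inside the calling process. The simulation works on any OS:
the directory layout is built in a temporary folder, and the DLL name
"example.dll" is an assumption.
"""
import os
import tempfile


def windows_search_order(app_dir, system_root, cwd, path_dirs):
    """Directories searched for a bare DLL name, in the default order.

    With SafeDllSearchMode enabled (the default): the application directory,
    System32, the 16-bit System directory, the Windows directory, the current
    directory, then each PATH entry. Known DLLs, modules already loaded, and
    calls that pass a full path bypass the search entirely.
    """
    return [
        app_dir,
        os.path.join(system_root, "System32"),
        os.path.join(system_root, "System"),
        system_root,
        cwd,
        *path_dirs,
    ]


def resolve_dll(name, search_order):
    """Return the first existing file named `name` along search_order, or None."""
    for directory in search_order:
        candidate = os.path.join(directory, name)
        if os.path.isfile(candidate):
            return candidate
    return None


def hijack_candidates(name, search_order, legitimate_dir):
    """Directories searched before the legitimate DLL's home.

    A file named `name` in any of these is loaded instead of the real one.
    Each entry is paired with whether the current user can write there,
    which is what decides if the slot is usable as a hijack point.
    """
    legit = os.path.normpath(legitimate_dir)
    candidates = []
    for directory in search_order:
        if os.path.normpath(directory) == legit:
            break
        candidates.append((directory, os.access(directory, os.W_OK)))
    return candidates


def demo(dll_name="example.dll"):
    """Build a fake layout in a temp dir and show which copy gets 'loaded'.

    Returns (before, after): the content label of the file resolved before
    and after a same-named file is planted in the application directory.
    """
    with tempfile.TemporaryDirectory() as root:
        app_dir = os.path.join(root, "app")
        system_root = os.path.join(root, "Windows")
        system32 = os.path.join(system_root, "System32")
        os.makedirs(app_dir)
        os.makedirs(system32)

        # The legitimate library lives in System32 (constructed layout).
        with open(os.path.join(system32, dll_name), "w") as fh:
            fh.write("legitimate")
        order = windows_search_order(app_dir, system_root, cwd=root, path_dirs=[])
        before = resolve_dll(dll_name, order)

        # Plant a same-named file in the application directory, which is
        # searched first; this is the slot the researcher's DLL occupies.
        with open(os.path.join(app_dir, dll_name), "w") as fh:
            fh.write("planted")
        after = resolve_dll(dll_name, order)

        with open(before) as fh:
            label_before = fh.read()
        with open(after) as fh:
            label_after = fh.read()
        return label_before, label_after


if __name__ == "__main__":
    print(demo())  # ('legitimate', 'planted')
```

The same model explains why the defense is fragile: a malware author only has to load the library by full path, or verify the module it received, to close the hole.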

Malware is often built to evade security tooling, but hyp3rlinx stresses that this defense does not depend on that tooling: it is the ransomware’s own library-loading logic that runs the planted DLL, so its evasion techniques do nothing to protect it.

That said, whether the researcher’s investigation results in long-lasting changes in preventing or at least reducing the impact of ransomware and malware attacks is another question entirely.

“If the samples are new, it is likely that the exploit will work only for a short time because ransomware gangs are quick to fix bugs, especially when they hit the public space,” Bleeping Computer said. “Even if these findings prove to be viable for a while longer, companies targeted by ransomware gangs still run the risk of having important files stolen and leaked, as exfiltration to pressure the victim into paying a ransom is part of this threat actor’s modus operandi.”

Still, the cybersecurity website added that hyp3rlinx’s exploits “could prove useful at least to prevent operational disruption, which can cause significant damage.”

So, although the ransomware groups will likely patch these flaws soon, finding them is an encouraging first step toward disrupting the development and distribution of this kind of code, and may lead to more advanced mitigations.

Ransomware groups are not run-of-the-mill hackers. Building and spreading effective malware is a sophisticated undertaking in its own right, and a successful campaign can bring in hundreds of millions of dollars, much of it extracted from ordinary people.


Ransomware gangs are evolving in new and dangerous ways

As digital technology advances at a rapid pace, ransomware gangs and their methods are advancing just as aggressively.

That is the conclusion of a new report from cybersecurity and antivirus giant Kaspersky on the ransomware trends that have emerged in 2022.


Although several leading gangs have ceased operations after shutdowns, groups are still finding ways to develop dangerous strains of malware and ransomware, and their efforts are bearing fruit, Kaspersky stresses.

In particular, the company singled out new “cross-platform capabilities” and “updated business processes”, among other developments.

Before delving into those, it is worth outlining what ransomware is. Simply put, it is malicious software that encrypts files, folders, or an entire system so that the owner can no longer use them.

Once it has taken hold, the operators demand payment from the victim in exchange for the key needed to restore access.

“If last year we said ransomware is flourishing, this year it’s in full bloom.”

“Ransomware operations have come a long way — from clandestine and amateur beginnings to fully-fledged businesses with distinctive brands and styles that rival each other on the dark web. They find unusual ways to attack their victims or resort to newsjacking to make their attacks more relevant,” Kaspersky said.

The rise of cross-platform programming languages

As for the “prolific use” of cross-platform capabilities, Kaspersky points out that this method is particularly effective in damaging “as many systems as possible with the same malware by writing code that can be executed on several operating systems at once.”

Cross-platform languages such as Rust and Go (Golang) started picking up steam among ransomware developers in late 2021.

For example, Conti, an ever-present name in the ransomware space, built a variant, distributed through select affiliates, that targets Linux systems.

BlackCat, described as a “next-generation” ransomware gang, was named as another example; it has reportedly attacked more than 60 organizations since December 2021, and Rust is its language of choice.

DeadBolt, meanwhile, relies on Go. The gang is notorious for its attacks on QNAP network-attached storage (NAS) devices, made by the Taiwanese company of the same name.

Ransomware groups are starting to evolve

Another trend Kaspersky details is that ransomware groups have not only relied on more advanced tactics, but through late 2021 and early 2022 have also “continued activities to facilitate their business processes, including regular rebranding to divert the attention of the authorities, as well as updating exfiltration tools.”

Certain groups have developed and started to use entire toolkits that “resembled ones from benign software companies.”

“Lockbit stands out as a remarkable example of a ransomware gang’s evolution. The organization boasts an array of improvements compared to its rivals, including regular updates and repairs to its infrastructure. It also first introduced StealBit, a custom ransomware exfiltration tool that enables data exfiltration at the highest speeds ever – a sign of the group’s hard work put towards malware acceleration processes.”

Dmitry Galov, a senior security researcher at Kaspersky’s Global Research and Analysis Team, commented on the state of affairs with a summary:

“If last year we said ransomware is flourishing, this year it’s in full bloom. Although major ransomware groups from last year were forced to quit, new actors have popped up with never before seen techniques. Nevertheless, as ransomware threats evolve and expand, both technologically and geographically, they become more predictable, which helps us to better detect and defend against them.”

Google made a similar point when it analyzed the record number of zero-day exploits seen in 2021.

“Zero-day exploits are considered one of the most advanced attack methods an actor can use, so it would be easy to conclude that attackers must be using special tricks and attack surfaces. But instead, the zero-days we saw in 2021 generally followed the same bug patterns, attack surfaces, and exploit “shapes” previously seen in public research.”

Still, that is not to say malware and ransomware are anything less than a serious threat in today’s digitally driven world. Ransomware in particular is an extremely lucrative business for cybercriminals: in 2021 alone, reported losses from it came to $49.2 million.

The rise of malware is not going unnoticed among the leading technology giants.

Microsoft recently announced a new offering through which businesses can draw on the company’s in-house security services and experts to combat cybercrime and strengthen their defenses.


AstraLocker ransomware developer shuts themselves down

If you thought the people behind ransomware were heartless criminals, think again. The developer of the AstraLocker ransomware has had a change of heart and shut it down, even handing the decryption keys over to VirusTotal.

The news comes from a Bleeping Computer report after the AstraLocker developer contacted them. The developer told Bleeping Computer it was fun running AstraLocker but it was time to shut it down. See? They’re not all bad.


AstraLocker was a nasty piece of work that got around normal anti-virus protections by dropping its full payload straight from a Word document rather than staging it through a downloader, which made the activity look routine to anti-virus software. To defeat sandbox analysis, it checked whether it was running inside a virtual machine and held back if so, running its payload only on a real victim’s machine.

Once on a machine, it did what all lockers do: encrypt the victim’s files and demand payment to unlock them. It was the computer version of a smash-and-grab.

AstraLocker was a lesser-known strain until the developer released version 2.0 earlier this year. Several sites then began to report on it, and law enforcement began to take an interest. Although we here at Digital Trends like to think the developer was simply a misunderstood person who had a change of heart, others suggest that the growing attention from federal agencies motivated the shutdown.

Anyone whose files were locked by AstraLocker can now obtain the decryption keys, which were uploaded to VirusTotal. VirusTotal is a free service that scans submitted files against more than 70 anti-virus engines and serves as a shared repository of known malware samples for researchers.

The AstraLocker developer dropped the keys in a ZIP file on VirusTotal before scurrying away. Having shown themselves to be a kind and compassionate member of the human family, the anonymous developer has vowed to change their ways.

“I’m done with ransomware,” the developer told Bleeping Computer. “I’m switching to cryptojacking.”


US State Department announces $10 million bounty after Costa Rica ransomware attack

In the wake of a massive ransomware attack on the Costa Rican government in April, the US government issued a notice last week declaring a bounty potentially worth millions of dollars on people involved with the Conti ransomware used in the hack. Rodrigo Chaves Robles, Costa Rica’s recently sworn-in president, declared a national emergency due to the attack, according to CyberScoop.

According to BleepingComputer, the ransomware attack affected Costa Rica’s Ministry of Finance and Ministry of Labor and Social Security, as well as the country’s Social Development and Family Allowances Fund, among other entities. The report also says the attack disrupted some of the treasury’s services starting on April 18th. The attackers not only took down government systems but are also leaking data: according to CyberScoop, almost 700GB has made its way onto Conti’s site.

Reward notice from the US State Department. Text reads: “The Department of State Bureau of International Narcotics and Law Enforcement Affairs (INL) offers rewards of up to $10,000,000 United States dollars for information leading to the identification or location of key leaders, and up to $5,000,000 United States dollars for information leading to the arrest and/or conviction of the Owners/Operators/A... Conti Ransomware as a Service Group. Contact the FBI with any tips by phone or internet: Phone: +1-800-CALL-FBI (+1-800-225-5324)”

The US State Department says the attack “severely impacted the country’s foreign trade by disrupting its customs and taxes platforms” and offers “up to $10 million for information leading to the identification and/or location” of the organizers behind Conti. The US government is also offering $5 million for information “leading to the arrest and/or conviction of any individual in any country conspiring to participate in or attempting to participate” in a Conti-based ransomware attack.

Last year, the US offered similar bounties on REvil and DarkSide (the group behind the Colonial Pipeline attack). REvil is largely thought to be defunct after the US reportedly hacked the group’s servers and the Russian government claimed to have arrested several members.

The Costa Rican government isn’t the only entity to fall victim to Conti’s ransomware. As Krebs On Security notes, the group is particularly infamous for targeting healthcare facilities such as hospitals and research centers.

The gang is also known for having its chat logs leaked after it declared that it fully supported Russia’s government shortly after the invasion of Ukraine began. According to CNBC, those logs showed that the group behind the ransomware itself was having organizational issues — people weren’t getting paid, and there were arrests happening. However, like many ransomware operators, the actual software was also used by “affiliates,” or other entities who used it to carry out their own attacks.

In Costa Rica’s case, the attacker claims to be one of these affiliates and says that they aren’t part of a larger team or government, according to a message posted by CyberScoop. They have, however, threatened to carry out “more serious” attacks, calling Costa Rica a “demo version.”


Costa Rican president says country is ‘at war’ with Conti ransomware group

Ransomware — and particularly the Conti ransomware gang — has become a geopolitical force in Costa Rica. On Monday, the new Costa Rican president Rodrigo Chaves, who began his four-year term only 10 days ago, declared that the country was “at war” with the Conti cybercriminal gang, whose ransomware attack has disabled agencies across the government since April.

In a forceful statement made to press on May 16th, President Chaves also said that Conti was receiving help from collaborators within the country and called on international allies to help.

“We’re at war and this is not an exaggeration,” Chaves told local media. “The war is against an international terrorist group, which apparently has operatives in Costa Rica. There are very clear indications that people inside the country are collaborating with Conti.”

President Chaves’ declaration of war against Conti comes in the face of unusually belligerent rhetoric from the ransomware group, which stated its intent to “overthrow the government by means of a cyberattack.” In a message posted to the Conti website, the ransomware group urged citizens of Costa Rica to pressure their government to pay the ransom, which has been doubled from an initial $10 million to $20 million.

Over the period of the attack, the US government has also offered a bounty of up to $10 million for information that could identify or locate the main coordinators of the Conti group’s operations or $5 million for information leading to the arrest of any Conti member.

The severe impact of Conti’s attack on the Costa Rican government points to the continued ability of the largest ransomware groups to operate on a scale that can pose a threat to nation states and draw on funding reserves that allow them to buy their way into some of the most sensitive computer systems by bribing those with access.

“We’re at the point now where these ransomware groups make billions of dollars, so their ability to get access to these [networks] is only limited by their own desire,” said Jon Miller, CEO and co-founder of anti-ransomware software platform Halcyon. “Month after month, more of these groups are coming online. This is a drastically growing problem.”

As the Costa Rican crisis continues, more knock-on effects are reaching citizens of the country. Statements made by Chaves put the number of government agencies hit at 27, including the Finance Ministry and the Ministry of Labor and Social Security. One of the effects was that the government was unable to collect taxes through traditional means, Chaves said.

So far, the Costa Rican president has remained intransigent that the government will pay nothing to the ransomware gang. With neither side appearing to budge, the situation has reached a standoff — but one that will be closely watched by other governments hoping to avoid a similar fate.


Notorious ransomware gang Conti shuts down, but not for good

The ransomware group known as Conti has officially shut down, with all of its infrastructure now offline.

Although this might seem like good news, it’s only good on the surface — Conti is not over, it has simply split into smaller operations.


Conti launched in the summer of 2020 as a successor to the Ryuk ransomware. It relied on partnerships with other malware operations for initial access: infections by TrickBot and BazarLoader served as the entry point, after which Conti carried out the attack. Conti proved so successful that it grew into a cybercrime syndicate that took over TrickBot, BazarLoader, and Emotet.

Over the past two years, Conti carried out a number of high-profile attacks, targeting the City of Tulsa, Advantech, and Broward County Public Schools. It also held the IT systems of Ireland’s Health Service Executive and Department of Health for weeks, relenting only when it came under serious pressure from law enforcement around the world. That attack brought Conti heavy attention from the global media.

Most recently it targeted Costa Rica, but according to Yelisey Boguslavskiy of Advanced Intel, that attack was a smokescreen for the fact that Conti was disbanding the whole operation. Boguslavskiy told Bleeping Computer that the attack on Costa Rica was made so public in order to give Conti’s members time to migrate to other ransomware operations.

“The agenda to conduct the attack on Costa Rica for the purpose of publicity instead of ransom was declared internally by the Conti leadership. Internal communications between group members suggested that the requested ransom payment was far below $1 million (despite unverified claims of the ransom being $10 million, followed by Conti’s own claims that the sum was $20 million),” says a yet-to-be-published report from Advanced Intel, shared ahead of time by Bleeping Computer.


Conti’s end was ultimately brought on by its open support for Russia and its invasion of Ukraine. On its official channels, Conti went as far as saying it would pool all of its resources to defend Russia from possible cyberattacks. In response, a Ukrainian security researcher leaked more than 170,000 internal chat messages between Conti members and, later, the source code for the gang’s ransomware encryptor. That encryptor was subsequently used to attack Russian entities.

As things stand, all of Conti’s infrastructure is offline, and the group’s leaders have said the brand is finished. That does not mean its members have left cybercrime: according to Boguslavskiy, the leadership decided to split up and join smaller ransomware gangs such as AvosLocker, HelloKitty, Hive, BlackCat, and BlackByte.

Former Conti members, including intel analysts, pentesters, developers, and negotiators, are now spread across various cybercrime operations, but they remain part of the Conti syndicate under the same leadership. The arrangement helps them evade law enforcement while carrying out the same kinds of attacks they did under the Conti brand.

Conti was considered one of the most costly and dangerous ransomware families ever created, collecting more than $150 million in ransom payments over its two-year run. The U.S. government is offering a combined reward of up to $15 million for information on the individuals involved with Conti, especially those in leadership roles.


Winning the war on ransomware

In the past 10 years, ransomware has become inescapable. All kinds of institutions have been targeted, from the schools children go to, to fuel and medical infrastructure. A report from the US Treasury estimates there were over half a billion dollars in ransomware payouts in the first half of 2021 alone. Law enforcement has struggled to get a handle on the situation, with many groups operating for years with no apparent fear of repercussions.

This year, federal law enforcement decided to try something new. In April, the Department of Justice created the Ransomware and Digital Extortion Task Force in a move to prioritize the “disruption, investigation, and prosecution of ransomware and digital extortion activity.” The task force is supposed to help share information between DOJ departments, as well as work with outside and foreign agencies. In the months since, it’s made some impressive prosecutions, but they’re just a sliver of the overall problem — and the bigger picture remains maddeningly unclear.

One of the first publicized wins for the group came in June, when the Department of Justice said the group was handling the case of an individual alleged to be partially responsible for the malware suite known as Trickbot, which could help expose a system to a ransomware attack. Days after that announcement came an even bigger win: the DOJ announced it had seized back $2.3 million of the $4.4 million ransom paid by oil company Colonial Pipeline, and that the task force had coordinated the efforts. Then, in October, its biggest win yet — the arrests of a few alleged members of REvil, a hacking group, by European police forces, and the seizure of over $6 million in funds the department says were linked to ransomware payments.

Still, the sheer volume of attacks means a handful of prosecutions is unlikely to make a difference. Prosecutors need the threat of law enforcement action to scare criminals away from ransomware — and some experts say the scheme is still too lucrative for criminals to give up.

Hackers “prefer to take the risk instead of leaving this lucrative malicious activity behind,” according to Dmitry Bestuzhev, a researcher at cybersecurity company Kaspersky. “So what they try to do is to learn from others’ mistakes and improve their opsec, but there is no evidence they feel intimidated and want to quit.” Bestuzhev says they’ll continue to re-form groups, even as the government works to shut them down — “even with the successful arrest we have recently witnessed, many ransomware groups are just here to stay.”

But not everyone agrees with Bestuzhev. John Fokker, the head of cyber investigations for McAfee Enterprise Advanced Threat Research, is more optimistic that the task force is starting to change the outlook for criminals. For years ransomware “had been relatively untouched,” not getting too much attention from governments, Fokker told The Verge. Now that the task force was starting to crack down, he says, “what used to be a safe space isn’t a safe space anymore. There’s beginning to be an atmosphere of distrust.”

The attention from the task force has also been affecting ransomware groups’ ability to advertise to potential customers, the ones who often use their malware to infect targets. In a blog, Fokker discussed how cybercrime forums have become hesitant to play host to ransomware operators, banning them from advertising in the wake of the Colonial Pipeline attacks. Forum administrators, when they offered an explanation for the decision, said that ransomware was attracting a lot of unwanted attention — as one admin put it, according to The Record, the word “ransom” was now associated with “unpleasant phenomena — geopolitics, extortion, government hacking.” Another forum had a cheekier explanation for why it was banning posts about ransomware: “if it ran somewhere, then you should probably go catch it?”

Losing the ability to advertise on forums cut off the groups’ easy access to customers, made it harder for ransomware creators to get in touch with the affiliates making them billions of dollars, and made the contact that does happen riskier on both sides. Transferring money or giving demos becomes harder when there’s not a (somewhat) trusted third-party platform to help mediate. That, along with bounties of up to $10 million, has started to create “little cracks in the model,” says Fokker. He even mentioned an instance where an affiliate, angry with what they considered to be a meager payout, posted a ransomware group’s entire playbook. “That kind of environment hurts business,” he says.

The task force has also been helping the people on the other side of ransomware: the companies and organizations that are targeted by it. Government agencies have been working together to keep industries informed about what actions they’ve taken against ransomware operators, and to issue guidance to help keep companies safe. “The Department of Commerce, Department of Treasury, State, Homeland Security, and Defense, all of them have taken a very clear, concrete action on ransomware actors to disrupt and each of them have their own press release and their own guidance,” says Vishaal Hariprasad, CEO of cyber-focused insurance company Resilience.

When asked to grade the government’s actions, he says, “I would actually give the government an A for what they’ve done in the past 90 days. I think it’s been pretty incredible to see that we’re actually taking action, we’re taking the fight to the bad guys with disruption, with arrests, with warrants, sanctions, the $10 million bounty for any information.”

Hariprasad says while the government had carried out similar actions in years prior, the publicity was a boon to victims. “I think the task force has helped coordinate it, but coordinating in the back end where nobody can see isn’t valuable. It doesn’t have the motivating psychological impact unless you can talk about it … the government’s always been doing things, it’s just never been able to publicly talk about it in a clear and concise, coordinated way.”

Still others are optimistic that the task force can have an impact if it keeps up its legal actions. “As long as there is a sustained effort against these somewhat decentralized and shifting crime gangs, this isn’t just ‘whack-a-mole,’” says Kurt Baumgartner, principal security researcher at Kaspersky, echoing Fokker’s optimism. “While we are seeing the resurrection of certain parts of the ransomware-as-a-service chain in response,” Baumgartner thinks the “coordinated anti-ransomware efforts are just the start. It is great to see evidence of some ransom payments clawed back, decryption keys obtained, communications infiltrated, successful multi-national law enforcement efforts.”

In particular, Hariprasad thinks massively disruptive attacks could become less frequent. “I think you’ll still have the one or two major coordinated campaigns that will be very sophisticated,” he says. “But as they get a lot of attention and people start focusing on them, you’ll see that happen less, and the younger or the less sophisticated operators will continue to get back to the lower end of the ransoms and just kind of go for quantity over quality.” Better to collect a few $50,000 ransoms without making headlines, the thinking goes, than to bag $40 million and have law enforcement kicking down your door.

It’s hard to say which of the task force’s tactics will end up having the greatest effect, and there’s always the possibility that things get worse before they get better. If ransomware operators wind up desperate, they could end up going after a massive target, in a Hollywood-style “one last job” scenario. Ransomware could also become a more manageable annoyance, as hackers look for the next big cash cow, one that the world’s governments aren’t paying as much attention to. Or attackers could get creative and start developing entirely new ways to make trouble.

Cybersecurity is always a cat-and-mouse game, and the incentives to hack big companies won’t be going away — but as Hariprasad told me, “a big part of deterrence is making sure they understand that there are repercussions to their actions and that the government is actively doing something.” On that point, at least, governments seem to be making progress.
