
Will U.S. Sanctions Disrupt Ransomware Business Models?

The Biden Administration is expected this week to reveal specific actions aimed at dismantling the financial ecosystem that underwrites ransomware operators, the Wall Street Journal first reported.

Among the first moves: On September 21 the Biden administration unveiled sanctions against a cryptocurrency exchange over its alleged role in enabling illegal payments from ransomware attacks, Reuters reported. Specifically, the U.S. Treasury Department accused Suex OTC, S.R.O. of facilitating transactions involving illicit proceeds from at least eight ransomware variants, the report said. This is the Treasury Department's first such move against a virtual currency exchange over ransomware activity, Reuters noted.

What does all that mean? The U.S. Treasury Department strategy calls for sanctions on cryptocurrency exchanges that let attackers cash out the millions of dollars extorted through data-encrypting attacks. Before the year ends, the U.S. government will detail additional rules aimed at disrupting money laundering and terrorism financing. In addition, the Treasury Department's Office of Foreign Assets Control intends to educate businesses on how not to run afoul of U.S. sanctions law should they elect to accede to a ransomware extortionist's demands.

Will Biden's plan work? Nothing to date has truly dented ransomware operators' resolve, making it hard to say what will slow them down. Cutting off money sources usually pushes attackers back, but in a guerrilla-style cyber conflict such as this it is not clear what will dislodge them.

Countering Ransomware Attacks: Moving Beyond Diplomacy

The White House's anti-ransomware menu marks the most forceful moves yet made beyond diplomacy, some saber rattling and public statements terming the activity terrorism and a threat to national security. State-sponsored cyber crews linked to Russia are said to be the main perpetrators, but other syndicates supported by China, North Korea and Iran are also orchestrating attacks. On the diplomatic side, in June President Biden warned Russian President Vladimir Putin to crack down on Kremlin-backed hackers, and took a slightly stronger stance a month later by asserting that the U.S. would take "any necessary action" to defend the nation's critical infrastructure from cyber attackers.

A month earlier, in May 2021, Biden signed a cybersecurity executive order focused on improving the nation's cyber posture, threat intelligence sharing and cyber attack response efforts. The order could accelerate cyber incident information sharing between IT service providers, cloud service providers, software companies and various federal government agencies.

There's plenty of available evidence to justify Biden's ire toward Moscow. Russian-backed Nobelium hackers are believed to have orchestrated and carried out the SolarWinds operation and have also been a prime mover of U.S. election meddling. The same group has reportedly launched a malware campaign against not only federal government agencies but also researchers, consultants and non-government organizations, targeting some 3,000 email accounts at more than 150 different organizations.

In addition, REvil (also known as Sodinokibi), the Russia-linked group fingered for the attack on meat producer JBS USA, is suspected in the Kaseya hacking offensive that hit dozens of Kaseya's customers. The relatively new ransomware-as-a-service group DarkSide, said to be an Eastern European crew that is likely Russia-affiliated though not state sponsored, is believed to be behind the devastating Colonial Pipeline attack earlier this year.

Sanction Strategy: A Promising Start?

Disrupting ransomware attackers’ financial underpinnings drew praise from the cybersecurity community. Sanctioning cryptocurrency exchanges, nation-state sponsors and hackers is a “good thing,” said Sam Curry, the chief security officer at Cybereason, a Boston-based cybersecurity provider. “If the Biden administration announces crypto sanctions this week, what will matter is how this plays out weeks, months and years later. Private and public organisations working together on sharing intel on threats that their business faces will also go a long way in turning the tables on attackers,” he said.

The administration's strategy also prompted pointed commentary from think tanks. Dmitri Alperovitch, co-founder and former chief technology officer of CrowdStrike who now chairs the Silverado Policy Accelerator, wrote in a New York Times op-ed that defensive strategies alone will not deter ransomware. "It is unrealistic to expect that every American hospital, school, fire department and small business can defend itself against highly sophisticated criminals," he said. An effective ransomware strategy must impair cyber criminal groups and their nation-state sponsors from carrying out attacks, he said. "An aggressive campaign would target the foundation of ransomware criminals' operations: their personnel, infrastructure and money."

At the recent National Security Summit, General Paul Nakasone, who heads U.S. Cyber Command and the National Security Agency, told attendees that U.S. intelligence and national security agencies will mount a "surge" against nation-state sponsors of cyber attacks that have increasingly disrupted government agencies and forced critical infrastructure operators to pay millions in ransom.

“Even six months ago, we probably would have said, ‘Ransomware, that’s criminal activity,’” Nakasone said. “But if it has an impact on a nation, like we’ve seen, then it becomes a national security issue. If it’s a national security issue, then certainly we’re going to surge toward it.” Earlier this year, Nakasone told the Senate Armed Services Committee that CyberCom had carried out some two dozen strategic operations to safeguard the 2020 national elections.

(Please) Don't Pay the Ransom

Should an organization get hit by a ransomware attack, the Federal Bureau of Investigation (FBI) continues to recommend that victims not pay the ransom. It should be noted, however, that acting against that advice, JBS paid $11 million to the attackers to restore its systems and Colonial Pipeline paid some $5 million to the DarkSide syndicate, roughly half of which was subsequently recovered by U.S. law enforcement.

Among a long list of steps organizations can take to reduce ransomware risk, the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) recommend that companies engage in proactive threat hunting on their networks and look for indicators of suspicious activity. CISA has published a ransomware guide that lays out cybersecurity best practices along with a checklist of mitigations to follow.