Police Doxing of Criminals Raising Ransomware-Attack Stakes
Incident Responders Say Disruptions Help, See No Spike in Median Ransom Payments
For anyone dreaming that law enforcement agencies might somehow be able to arrest ransomware bigwigs or intelligence agencies take them out via drone strikes, keep on dreaming.
For now, real-world disruptions are less dramatic. Law enforcement continues to infiltrate attacker infrastructure to disrupt operations, unmask and indict key players - and sometimes make arrests, though these generally involve low-level players or affiliates based outside Russia.
The challenge remains this: ransomware is highly lucrative and carries orders of magnitude less risk than other types of crime, such as holding up a bank with a sawed-off shotgun.
The good news is that Western law enforcement efforts do appear to be having an impact, despite some outsize ransom payments recently coming to light. So far this year these include the record-breaking $75 million paid to the Dark Angel ransomware group, and UnitedHealth Group's Change Healthcare paying Alphv, aka BlackCat, a ransom worth $22 million (see: Ever More Toxic Ransomware Brands Breed Lone Wolf Operators).
Thankfully, these are outliers, and median payments are relatively stable, says a new report from ransomware incident response firm Coveware, based on thousands of cases it helped investigate from July through September. When organizations it helped chose to pay a ransom during the third quarter - and a third of them did - they paid an average of $479,237, which was an increase of 23% from the second quarter. The median payment was $200,000, up 18% from the second quarter.
Extortion amounts are increasing but "they are not skyrocketing," which Coveware attributes to serious improvements in collective defense. "Organizations have gotten safer," it says. "Every additional hour, tool or specialist a cyber extortion group must employ to succeed adds to their costs and reduces their profit margins."
While some ransomware groups are more successful than others, Coveware's finding that one-third of the victims it assisted paid a ransom - combined with the payoffs on offer - shows that digital extortion is profitable. With the threat of arrest mostly off the table, disincentivizing such attacks is difficult.
Ransomware affiliates who typically do the drudgery of hacking and maliciously encrypting files appear ready and willing to change allegiance whenever circumstances demand. Coveware said that while for five quarters running, it's seen the greatest number of attacks tied to the ransomware-as-a-service group Akira, the next most frequently seen groups during the third quarter were RansomHub and Fog, both of which debuted this year.
Fog in particular appears to have recruited former affiliates of LockBit as well as BlackCat, judging by the sophistication of its attacks. "The group is using an encryptor of new technical origin which is somewhat rare these days given the easy availability of leaked builders for early versions of Babuk, Lockbit and Conti," it said.
Imposing Costs
Western law enforcement hasn't been standing still, and one of the most notable recent shifts has been its doxing of key ransomware figures. In the case of Operation Cronos, spearheaded by the U.K.'s National Crime Agency and the FBI, authorities named and indicted Russian national Dmitry Yuryevich Khoroshev, 31, who stands accused of being the LockBit leader known as "LockBitSupp."
Law enforcement earlier this year infiltrated LockBit's private administration environment and public-facing data leak site, also obtaining decryption keys for thousands of its victims and a list of 194 usernames and IDs for the group's affiliates. Operation Cronos operatives began trolling those affiliates and LockBit, accusing its leaders of being unequal to the task of securing their business partners' information (see: Cybercrime Is Still Evil Incorporated, But Disruptions Help).
"The goal of this investigation specifically was to disrupt the trust of the crime community for this specific ransomware family and for providers of the ransomware family," Donatas Mazeika, head of the forensic support team at Europol's European Cyber Crime Centre, said at a recent security conference.
Experts say this strategy appears to be bearing fruit. "Anonymity is one of the few things cybercriminals fiercely protect," and calling into question the ability of ransomware operations to keep their affiliates' personal details secret will change the calculus for some players, Coveware said.
"While increasing the risk profile will not end these attacks, it will decrease the number of participants in the industry," it said. Cybercriminals on the verge of engaging in the extortion economy "are highly sensitive to shifts in economics and risk. A slight decrease in profits pushes them toward other careers, while a slight increase in risk drives them to pursue safer ways of earning a living."
Repeat Challenge: Groups Rebrand, Regroup
Open questions remain, such as whether discord in the cybercrime underground spread by law enforcement will stick, and for how long.
Previously, one problem has been that "a lot of these groups are dispersed enough and have enough different actors that they're able to rebrand and regroup fairly quickly" after being disrupted, Taylor Grossman, deputy director for digital security at the Institute for Security and Technology, recently told me. "The one piece that's been helpful is when we're able to discredit the credibility of a group as well."
Another helpful shift has been treating ransomware as the true menace to society that it is, not least because of the rampant targeting of healthcare and other critical infrastructure sectors, which has a demonstrable effect on public safety and people's well-being.
"There has been this huge shift in thinking about ransomware not just as a cybercrime issue but as a national security issue, and that means that we're putting in more resources," said Grossman, who works on the Ransomware Task Force at IST.
Even if disrupting ransomware groups' infrastructure, doxing the leadership and releasing decryption tools for victims doesn't necessarily spell groups' downfall, such actions stand as "a powerful signal" about law enforcement being aware of the problem, and putting increasing resources toward making life difficult for practitioners, she said.