Just over a week ago, we wrote about the REvil ransomware gang’s latest braggadoccio.
As you probably know, ransomware operators like REvil, Clop and others don’t generally work on the front line themselves by conducting the actual network intrusions that deliver the final ransomware warhead.
Instead, they recruit teams of “attack affiliates” – subcontractors, if you like – who are given their own variants of the ransomware code and let loose on the world.
The affiliates don’t bother, or even need to know how, to program the malware in the first place, or to get involved in the process of negotiating and collecting the final blackmail money from victims who decide to pay up.
The affiliates bring different skills to the operation, such as:
- Breaking into networks and posing as sysadmins, sometimes for weeks or even months.
- Mapping out the network, possibly even including assets the victims have lost track of.
- Stealing what they can and exfiltrating data that might assist with subsequent attacks, or raise good money on the dark web, or be used for additional blackmail leverage after the ransomware has done its dirty work.
- Opening backdoors and creating bogus accounts that let them walk straight back in if they get locked out on the way.
- Finding out how the company does its backups, and trashing them in advance of the cryptographic denouement…
…in return for a big chunk of the ransomware payment, often as much as 70%.
(We have to guess that the core crooks originally set their share at 30% because that’s the number that seems to have worked out well for companies like Apple and Google when licensing products such as music and apps.)
Join up and aim big!
The affiliates get well-rewarded for each individual attack, which motivates them to make their attacks as network-wide and as disruptive as they possibly can.
The core crooks keep away from involvement in the actual network intrusions while nevertheless scooping up 30% of everything.
But in one of REvil’s most high-profile incidents to date, one of the gang’s affiliates pulled off an attack that was even broader and deeper than usual.
By exploiting bugs in code from network management company Kaseya, they were able to penetrate more than 50 MSPs in one go, and from there, apparently, to attack more than 1000 customers.
We’ll probably never know for sure whether the core REvil crew were delighted or dismayed at how the attack went down.
Sometimes, cybercriminals can “succeed” so surprisingly (as happened in the infamous 20-year-old Code Red virus outbreak that we reminisced about yesterday!) that everyone takes notice, and our worldwide cybersecurity vigour improves, at least for a while.
What we do know, however, is that the REvillers disdainfully made what they pitched as a global “offer of salvation” after the Kaseya incident:
If anyone want to negotiate about universal decryptor – our price is [$70 million in Bitcoin] and we will publish publicly decryptor that decrypts all files of all victims, so everyone will be able to recover from attack in less that an hour.
Stirring the pot
We can only assume that the crooks didn’t seriously expect to get paid out, but instead hoped to stir things up a bit, and perhaps to provoke infighting amongst the cybersecurity community about what to do.
Or maybe the criminals were being truly sarcastic, as though they were saying, “We don’t really expect you to be able to agree on what to do, so we’ve asked for a ludicrous amount just to rattle your collective cages. Also, who cares about the money from this one? We’re rich already. And anyway, to paraphrase a famous actor, ‘We’ll be back’.”
One reaction – and various legislatures seem to be giving this serious thought – might be to criminalise ransomware payments entirely, thus forcing any and all ransomware victims to “go it alone” if the time comes for recovery.
Of course, if your business has ground to a total halt and is almost certain to fold if you don’t pay up, the knock-on effects of a blanket payment ban might affect hundreds or thousands of employees who could suddenly lose their jobs.
Therefore this sort of regulatory payment-based intervention is not popular with everyone.
What to do?
After the Kaseya incident, which happened over the 2021 Independence Day weekend in the US, we asked you, our readers, what you thought.
Unsurprisingly, some of the more earnest replies weren’t entirely suitable for a family-friendly, community-oriented website, but we did get an idea of how many of you felt:
• A better solution would be to offer up Wanted – Dead or Alive ransoms at that same price point for the criminals. Let’s put a stop to this extortion with actual policy that may stop it.
• I think WE should BLOCK from the Internet countries who do not cooperate with OUR government in punishing the guilty party of such crimes.
• PAY THE RANSOM TO A REVENGE COMPANY TO ELIMINATE COMPLETELY THE CRIMINALS BY BEING INVESTIGATOR, JUDGE, JURY AND ELIMINATOR.
• Compulsory life sentence for any such crooks who break into the internet with a crime of that size and happen to get caught.
• We are finding all these criminals but just not punishing them severely enough.
What’s been done
No jurisdiction that we know of has yet activated any of the proposed solutions listed above…
…but the US Department of State has gone some of the way towards tipping the balance against cash-rich cybercriminals with funds to spare for their next attack.
The US is now officially offering a reward of up to $10 million for help in finding and acting against serious cybercriminals:
The U.S. Department of State’s Rewards for Justice (RFJ) program, which is administered by the Diplomatic Security Service, is offering a reward of up to $10 million for information leading to the identification or location of any person who, while acting at the direction or under the control of a foreign government, participates in malicious cyber activities against U.S. critical infrastructure in violation of the Computer Fraud and Abuse Act (CFAA).
As you can see, this isn’t $10 million for turning over just anyone involved in ransomware attacks.
We’re talking here about so-called “state sponsored actors”, and we’re talking about attacks that specifically touch on “critical infrastructure”, which doesn’t cover every big attack, even if it were to cause the collapse of a huge company with thousands of employees.
On the other hand, it doesn’t apply only to ransomware attacks, but to cybercriminality in general.
That’s a good thing, because even though ransomware may hog the headlines, it is one of only many seriously disruptive and economically damaging side-effects that criminal hackers, malware peddlers and network intruders can cause.
What next?
The RFJ program doesn’t pay out terribly often, it seems, but it pays out big when it does.
The Department of State says that the scheme has been operating for nearly 40 years, notably in search of information about terrorists and terrorism, and has paid out “in excess of $200 million to more than 100 people across the globe” over that period.
While that averages out at fewer than three payments a year, informants seem to have trousered an average of about $2 million each time, so the rewards do indeed sound large enough to be tempting.
What do you think?
Will this help, or will the bulk of cybercriminality simply continue unhindered by this sort of reward?
Stoat
“Up to” includes zero, which is what is usually paid out in such cases (if you look deeper into the payouts you’ll find they seldom go to individuals)
Unfortunately the USA has soiled its nest on this one by repeatedly stiffing people on rewards or finding ways to go after them too. the headline figures look nice but the reality is rather more tawdry
Paul Ducklin
Well, this is (I think) only the second time that this type of reward has been offered in respect of hacking-type crimes so I think you may be jumping the gun when you use the word “repeatedly”. I guess we shall see how this plays out over the next year or so and if anyone gets anything (or if, as you seem to suggest, a whole load of people get rewards and then get prosecuted themselves.
Wilderness
“The Department of State says that the scheme has been operating for nearly 40 years…” They needed to make it more high profile for malicious hacking years ago.
Paul Ducklin
Might not have had approval for that until recently. It looks as though it was originally the “Counter-Terror Rewards Program” and focused on militaristic terrorism until very recently.
Anyway, it’s still not strictly targeting “malicious hacking” – I don’t think that simultaneously hacking, say, 1000 US employers each with 1000 employees and putting them all out of business at once would necessarily qualify as attacking “critical infrastructure”, and if the crooks who did it funded it themselves and kept all the money they made, they wouldn’t really qualify as “funded by a nation-state”. (You could argue, of course, that they were *effectively* funded by a country, namely by the US, whose economy they leeched the funds from. But that might be considered legal sophistry and fail to pass regulatory muster for the funding of the reward.)
Will be interesting to see if anyone applies for the money, and if so what they have to offer…
ecobrain
It should be a mix of various measures, the core of which are exceedingly high financial incentives (i.e. even >10 million $/€ wherever justified and appropriate) for anyone with productive information, combined with tangible threat of draconic punishment (life sentence compulsory without parole).
In addition every convict should be stripped of all assets which he might ever have gained by means of his crimes. In jail he under no circumstances should be granted the opportunity to operate any sort of electronic device again throughout the rest of his life. Keeping such a scumbag in permanent isolation could help to ensure that he wouldn’t be able to pass his special skills and specific cyber knowledge on to other inmates for their possible further use after discharge from prison.
Cyber crooks who put critical public or economic infrastructure in danger or even manage to incapacitate it must not touch or come close to a computer again, never ever. No mercy for such filthy jerks!
Philip Le Riche
I think it’s time for the NSA to start doing some pretty mean hack-backs, or as an antipodean fellow podcaster would say, “release the hounds!” Maybe for a start they could switch off the lights in the Kremlin, and of course, hide behind plausible deniability – should work – Putin has been using implausible deniability for years!
Paul Ducklin
Well, there was the recent DarkSide Bitcoin recovery by the FBI… court authorised it and all.