Businesses Must Improve Ransomware Defenses

The White House continues to make multiple moves to try to better combat the increasing damage being done by ransomware-wielding attackers. "The number and size of ransomware incidents have increased significantly, and strengthening our nation's resilience from cyberattacks in both the private and public-sector is a top priority" for President Joe Biden, says a memo issued by the White House to U.S. corporate executives and business leaders on Wednesday, urging them to ensure they are following a detailed list of cybersecurity best practices.

On Thursday, the Justice Department issued new guidance for prosecutors to ensure that all cases they are tracking, domestically and abroad, are coordinated with the government's recently launched Ransomware and Digital Extortion Task Force. Based in Washington, the task force counts the FBI, the National Security Division, computer crime, anti-money laundering and other parts of the DOJ as participants.

Those efforts follow the non-stop rate of ransomware attacks. In May 2021, the DarkSide gang hit Colonial Pipeline Corp., leading to supply concerns and panic-buying of fuel along the U.S. Eastern seaboard. Ireland's National Health Service was also hit last month, leading to disruptions in medical care.

The world's largest meat producer by sales volume, Sao Paulo-based JBS, warned that a ransomware attack had disrupted operations in the U.S., Canada and Australia. The FBI attributed that attack to REvil, aka Sodinokibi, which is a notorious ransomware-as-a-service operation. Recently, U.S. Deputy Attorney General Lisa Monaco issued a memo to all federal prosecutors detailing "new requirements relating to ransomware or digital extortion attacks and investigations and cases with a nexus to ransomware and digital extortion."

The memo, whose release was first reported by Reuters, notes that the ransomware attack that disrupted privately run Colonial Pipeline underscores "the growing threat" posed by such attacks to the U.S., "and the destructive and devastating consequences ransomware attacks can have on critical infrastructure." She stated that the imperative is to better focus, coordinate and appropriately resource the government's response, including investigating suspects who use ransomware or digital extortion, or who provide supporting cybercrime services, all of which is complicated by so many such efforts being transnational.

"To ensure we can make necessary connections across national and global cases and investigations, and to allow us to develop a comprehensive picture of the national and economic security threats we face, we must enhance and centralize our internal tracking," per her report.

DOJ says the guidance applies not only to all cases involving ransomware and digital extortion, but also to individuals being investigated for operating infrastructure used in such schemes. It says this can include, but is not limited to, services meant to counter antivirus tools; illicit online forums and marketplaces that supply the cybercrime-as-a-service economy, for example by selling tools or remote desktop protocol credentials; "cryptocurrency or digital currency exchanges, mixers or tethers"; bulletproof hosting services; botnets; and online money laundering services.

"It's a specialized process to ensure we track all ransomware cases regardless of where it may be referred in this country, so you can make the connections between actors and work your way up to disrupt the whole chain," John Carlin, the DOJ's principal associate deputy attorney general, tells Reuters. "We've used this model around terrorism before but never with ransomware."

But attempting to deter and disrupt ransomware-wielding suspects will never be a complete strategy for stopping such attacks, especially if suspects are operating from countries in Eastern Europe, such as Russia, that never extradite citizens. So notes the Biden administration in its Wednesday call to businesses to "take ransomware crime seriously and ensure your corporate cyber defenses match the threat."

That memo, issued by Anne Neuberger, Biden's deputy national security advisor for cyber and emerging technology, says that one lesson to be learned from recent, damaging attacks that have hit not just the U.S., but also the Irish and German healthcare sector, U.K. banks and others, "is that companies that view ransomware as a threat to their core business operations rather than a simple risk of data theft will react and recover more effectively."

The government is urging businesses to ensure they immediately implement defensive practices. The following is what Red Sky Alliance recommends:

  • All data in transmission and at rest should be encrypted.
  • Proper data back-up and off-site storage policies should be adopted and followed.
  • Implement two-factor authentication company-wide.
  • For U.S. readers, join and become active in your local InfraGard chapter; there is no charge for membership (infragard.org).
  • Update disaster recovery plans and emergency procedures with cyber threat recovery procedures. And test them.
  • Institute cyber threat and phishing training for all employees, with testing and updating.
  • Recommend or require cyber security software, services and devices to be used by all employees and consultants working from home.
  • Review and update your cyber threat and information security policies and procedures. Make them a part of all emergency planning and training.
  • Ensure that all software updates and patches are installed immediately.
  • Enroll your company or organization in RedXray for daily notifications of cyber threats directed at your domains. The RedXray service is $500 a month and provides threat intelligence on nine (9) cyber threat categories, including keyloggers, without having to connect to your network.
  • Purchase annual cyber insurance coverage from Red Sky Alliance provided by Cysurance.

Among other ransomware-battling strategies, the Biden administration has also been attempting to increase diplomatic pressure on Moscow to do something about cybercriminals, operating from inside Russia, who hit U.S. targets. "The White House is engaging directly with the Russian government on this matter and delivering the message that responsible states do not harbor ransomware criminals," press secretary Karine Jean-Pierre told reporters aboard Air Force One on Tuesday, in the wake of the attack on JBS.

The REvil ransomware operation has now responded to the Biden administration's move, as spotted by Mikko Hypponen, chief research officer of Finnish security firm F-Secure. "We're not going anywhere, we will work even harder," reads the Russian-language message from the group, which regularly issues self-promoting, public pronouncements.

Please see Ransoms with REvil: https://redskyalliance.org/xindustry/redpane-revil

REvil's message also asks what exactly the White House thinks it can do to truly disrupt ransomware. "Even if they pass a law banning the payment of ransoms in the United States or put us on a terrorist list, this will not affect our work in any way," it claims.

The White House is also investigating how authorities might better track the flow of cryptocurrency from victims to attackers, The Wall Street Journal reports. Western governments are also continuing to revise their approach domestically. Britain's Financial Conduct Authority on Wednesday, for example, warned that for U.K. vendors of bitcoin and other cryptocurrencies, "a significantly high number of businesses are not meeting the required standards under the Money Laundering Regulations."

The FCA, which regulates Britain's financial services sector, says it has temporarily extended the ability of some of those businesses to continue operating until March 31, 2022, but that it expects to see robust AML processes in place by then, amongst numerous other requirements. "Anti-money laundering and counter terrorist financing legislation are aimed at protecting against enabling the transfer and disguise of funds from criminal activity, or funding of terrorist groups," it says. "The FCA will only register firms where it is confident that processes are in place to identify and prevent this activity."

But many cryptocurrency-using criminals are based in Eastern Europe, and specifically countries that lack extradition treaties with the United States. Attackers have also historically favored cryptocurrency exchanges operating from countries that lack anti-money laundering and "know your customer" rules.

Experts say the U.S. and other governments must bring more international pressure to bear on such countries to drive them to better regulate domestic exchanges, before law enforcement can hope to better disrupt the flow of digital currencies - and by extension, the ongoing surge in ransomware and digital extortion.

Red Sky Alliance has been analyzing and documenting cyber threats and groups for over 9 years and maintains a resource library of malware and cyber actor reports, available at https://redskyalliance.org at no charge. Many past tactics are reused in current malicious campaigns.

To protect your own supply chain, consider subscribing to RedXray, Red Sky Alliance's cyber threat notification service. Details can be found at: https://www.wapacklabs.com/redxray.

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@wapacklabs.com.

Source: https://www.bankinfosecurity.com/white-house-urges-businesses-improve-ransomware-defenses-a-16801