Ransom v. Rewards

Ransomware has been a cyber security issue for the past several years and arguably hit its peak with the Colonial Pipeline ransomware attack.  Ransomware is malicious software designed to deny users access to their computers, or to the files stored on them, until they pay a ransom to the criminals behind it.

Ransomware typically relies on cryptovirology, that is, on using cryptography (encryption) to build powerful malicious software.  The malware combines symmetric and asymmetric encryption: the victim's files are encrypted with a fast symmetric cipher, and that symmetric key is in turn encrypted with the attacker's public key, so only the attacker's private key can unlock the files or directories the victim is now barred from accessing.

Cybercriminals use ransomware to lock files on the assumption that those files hold information crucial enough that the users will feel compelled to pay the ransom in order to regain access.

Cyber historians say that ransomware was introduced as the AIDS Trojan in 1989, when Harvard-educated biologist Joseph L. Popp mailed 20,000 infected diskettes labeled “AIDS Information – Introductory Diskettes” to attendees of the international AIDS conference organized by the World Health Organization.

The Trojan worked by encrypting the file names on the victims’ computers and hiding directories.  The victims were asked to send $189 to PC Cyborg Corp. at a mailbox in Panama.  From 2006 on, cybercriminals became more active and began using asymmetric RSA encryption.  One example was the Archiveus Trojan, which encrypted the files in the My Documents directory.  Victims were promised the 30-digit password only if they made a purchase from an online pharmacy.

After 2012, ransomware spread worldwide, infecting systems and evolving into more sophisticated forms that made attack delivery easier as the years rolled by.  In early 2012, about 60,000 new ransomware variants were discovered; by Q3 of 2012 that number had grown to over 200,000.  Fast forward to the last several years, and we now have a huge worldwide problem.

Ransom demands have escalated dramatically in the past several years.  Thousands of dollars have been paid to get numerous networks back in operation.  In fact, several years ago, our company helped with the ransom of a major oil company in the southwest US.  Unfortunately, in our case, money was lost not only on the ransom, but in days of lost production and business.

Earlier this year the ransomware problem was brought to the forefront by the Colonial Pipeline incident.  Many people were directly affected because fuel actually stopped flowing in the pipeline, and car and truck drivers felt it at the pump.  Colonial’s network was frozen and a ransom of roughly $4.4 million was paid.  The FBI did a great job tracking the ransom payment, recovered part of it for Colonial and, even better, attributed the attack to the DarkSide ransomware group, which is associated with Russia.

So, who pays the ransoms?  In reality, we all do, as a company’s losses trickle down to the consumers.  But during the process, insurance companies are placed in the middle, between the ransom and getting the victim companies back in operation.   Insurers that did provide cyber insurance initially paid out millions of dollars to their clients to cover ransoms and get businesses running again.   Insurance companies don’t like paying out on coverage; they like to make money.

The cyber insurance market is currently undergoing a massive shift as premiums have increased upwards of 50%, according to infosec experts and insurance vendors, with some quotes jumping closer to 100%.  Cyber insurance is getting more expensive and the coverage limits are getting smaller.  Between multi-million-dollar ransom demands and the rise of threats like supply chain attacks, enterprises require different coverage than in the past.   Not only has the price of coverage surged, but the cyber insurance business model is rapidly evolving as well.   According to an S&P Global report last June, cyber insurers' loss ratio increased for the third consecutive year in 2020, surging more than 25 points to reach 72.8% (the loss ratio is costs and claims payments divided by total premiums).[1]

Since the insurance industry is now doing the moonwalk on cyber coverage, enter the government.  Governments have the authority and jurisdiction to help protect businesses.  What makes this tricky is that we are dealing with a global arena of communication and travel.   Where law enforcement was once a local, state or national matter, we now have crimes that cross borders, foreign laws and treaties.  So, what to do?  As with most criminals, money talks.  It always has.  How do you motivate people around the world to help find these bad actors?   Money and rewards.[2]  Just like in the Old Wild West, offering rewards to individuals who help law enforcement actually works.  Whether it’s the Jesse James gang of the 1800s or the DarkSide hacking group, money is a great motivator to provide information to law enforcement.  A recent tweet was observed cautioning hackers that the US government is offering rewards for information on cyber hacking.  Very smart, I say.

OK, let’s go back to DarkSide and the Russian connection.  It is currently being reported that the former DarkSide cybercriminal group, and I stress the word FORMER, shut down due to increased pressure from authorities, who may have arrested a key member of the group.  Enter the group BlackMatter.  This ransomware group appears to have grown out of the demise of DarkSide, which has all but disappeared from the dark web.  BlackMatter is now saying it too will shut down due to increased pressure from authorities, according to a message posted on its own website.

VX-Underground, which aggregates a collection of malware source code, samples and assorted resources, posted a screenshot of the Russian-language message on its Twitter feed, along with an English translation: “Due to certain unsolvable circumstances associated with pressure from the authorities (part of the team is no longer available, after the latest news) – the project is closed,” the message said.

The question is: did monetary rewards play a part in the arrest and the shutdown of both DarkSide and BlackMatter?  We may never know.  But the old adage “there is no honor among thieves” may be ringing true.  BTW, this past Monday the US Justice Department announced that it has charged a Ukrainian national and a Russian national in connection with REvil ransomware attacks, according to indictments unsealed in court filings.  REvil is the ransomware that was used to shut down the JBS meatpacking company, another attack that directly affected the average citizen in many countries.  The US government has also seized roughly $6 million in ransom payments.

While governments and law enforcement work on innovative ways to combat the ransomware hazard, what can we as individuals do right now?  The current cyber reality is that many network breaches can be prevented with basic cyber hygiene coupled with a Zero Trust approach.   Zero Trust (ZT) is the term for an evolving set of cybersecurity models that move defenses away from static, network-based perimeters to focus on users, assets, and resources.   A zero trust architecture (ZTA) applies zero trust principles to the planning of industrial and enterprise infrastructure and workflows.  This mindset concentrates on the human element of the cyber kill chain, which is the most vulnerable link.

Despite all the new technologies, strategies, and artificial intelligence being employed by security experts and threat actors alike, one thing remains constant: the human element.   Humans are the weak point in any network, and threat actors routinely exploit them through phishing and social engineering campaigns to establish a foothold in the victim’s IT environment.

A new trend shows that hackers often do not even bother to hack into networks anymore.  They simply log in, using weak, default, stolen, or otherwise compromised credentials, all readily available on the dark web for sale or even for free.  Most organizations still spend the largest share of their cyber security budget on protecting the network perimeter rather than on the controls that can actually effect positive change against the leading attack vectors: credential abuse, and endpoints serving as the main access points into the enterprise network.  Many cyber security experts believe this is a big mistake.
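When attackers log in rather than break in, the evidence is in the authentication logs, and the shape of the failures tells you what kind of credential abuse you are looking at. The following is an added example, not code from Red Sky Alliance or from any tool the post mentions: it scans OpenSSH-style auth log lines and separates credential stuffing (many different usernames tried from one source, as a leaked username/password list is replayed) from brute force (one username hammered from one source), and it flags a successful login from a source that had already been failing as a likely account compromise. The log lines, hostnames, usernames, IP addresses and thresholds are all constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample auth log in OpenSSH format; the host, users and IPs are
# made up for this example and are not taken from any real incident.
SAMPLE_LOG = """\
Nov  8 09:00:01 bastion sshd[2101]: Failed password for alice from 203.0.113.5 port 50211 ssh2
Nov  8 09:00:02 bastion sshd[2102]: Failed password for invalid user bob from 203.0.113.5 port 50212 ssh2
Nov  8 09:00:03 bastion sshd[2103]: Failed password for carol from 203.0.113.5 port 50213 ssh2
Nov  8 09:00:04 bastion sshd[2104]: Failed password for invalid user dave from 203.0.113.5 port 50214 ssh2
Nov  8 09:00:05 bastion sshd[2105]: Failed password for erin from 203.0.113.5 port 50215 ssh2
Nov  8 09:00:06 bastion sshd[2106]: Accepted password for erin from 203.0.113.5 port 50216 ssh2
Nov  8 09:10:00 bastion sshd[2201]: Failed password for root from 198.51.100.7 port 41001 ssh2
Nov  8 09:10:01 bastion sshd[2202]: Failed password for root from 198.51.100.7 port 41002 ssh2
Nov  8 09:10:02 bastion sshd[2203]: Failed password for root from 198.51.100.7 port 41003 ssh2
Nov  8 09:10:03 bastion sshd[2204]: Failed password for root from 198.51.100.7 port 41004 ssh2
Nov  8 09:10:04 bastion sshd[2205]: Failed password for root from 198.51.100.7 port 41005 ssh2
Nov  8 09:10:05 bastion sshd[2206]: Failed password for root from 198.51.100.7 port 41006 ssh2
Nov  8 09:30:00 bastion sshd[2301]: Failed password for alice from 192.0.2.9 port 33001 ssh2
Nov  8 09:30:20 bastion sshd[2302]: Accepted password for alice from 192.0.2.9 port 33002 ssh2
"""

# Matches both "Failed password for <user>" and "Failed password for invalid user <user>".
AUTH_RE = re.compile(
    r"(?P<outcome>Failed|Accepted) password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)


def parse_events(log_text):
    """Yield (outcome, user, ip) for every sshd password event in the log."""
    for line in log_text.splitlines():
        m = AUTH_RE.search(line)
        if m:
            yield m["outcome"], m["user"], m["ip"]


def analyze(log_text, fail_threshold=5, stuffing_ratio=0.6):
    """Classify each source IP by the shape of its failed-login activity.

    Thresholds are illustrative assumptions, not tuned values:
    - failures >= fail_threshold spread over many distinct usernames
      (distinct users >= stuffing_ratio * failures) -> "credential stuffing"
    - failures >= fail_threshold concentrated on one or two usernames
      -> "brute force"
    - a successful login from a source that had already failed 3+ times
      is recorded under "compromised": the attacker found a working credential.
    """
    failures = defaultdict(int)
    users_tried = defaultdict(set)
    compromised = defaultdict(list)
    for outcome, user, ip in parse_events(log_text):
        if outcome == "Failed":
            failures[ip] += 1
            users_tried[ip].add(user)
        elif failures[ip] >= 3:
            compromised[ip].append(user)

    report = {}
    for ip in set(failures) | set(compromised):
        n, k = failures[ip], len(users_tried[ip])
        if n >= fail_threshold and k >= stuffing_ratio * n:
            label = "credential stuffing"
        elif n >= fail_threshold and k <= 2:
            label = "brute force"
        else:
            label = "benign"
        report[ip] = {"failures": n, "distinct_users": k,
                      "label": label, "compromised": compromised[ip]}
    return report


if __name__ == "__main__":
    for ip, info in sorted(analyze(SAMPLE_LOG).items()):
        print(ip, info)
```

On the constructed sample, 203.0.113.5 is labeled credential stuffing with the account erin marked as compromised (the success came only after five different usernames failed), 198.51.100.7 is labeled brute force against root, and 192.0.2.9 is benign (one typo, then a normal login). The compromised case is the one that matters for a zero trust posture: a valid password presented from an unfamiliar source after a run of failures should still not be enough on its own to grant access.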

Implementing an effective enterprise security strategy requires an understanding of hackers’ tactics, techniques, and procedures (the so-called TTPs).  In this context, it is vital for security professionals to review the entire cyberattack lifecycle to get a full grasp of the areas that need to be addressed as part of a defense-in-depth approach.  The bottom line is: TRUST NO ONE.

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@wapacklabs.com

Weekly Cyber Intelligence Briefings:

REDSHORTS - Weekly Cyber Intelligence Briefings

https://attendee.gotowebinar.com/register/3702558539639477516

[1] https://www.propertycasualty360.com/2021/10/27/is-cyber-insurance-a-worthwhile-investment/

[2] https://www.reuters.com/technology/us-offers-reward-up-10-mln-information-darkside-cybercrime-group-2021-11-04/
