Ransomware attacks are on the rise and, as predicted last year, the increase is alarming: more than 304.7 million attempts, 151% more than in 2020. By late in the year, reported ransomware payouts had surpassed 600 million dollars.
Mostly, we hear about large attacks like the one on Colonial Pipeline, which threatened the East Coast's fuel supply chain. Other incidents are newsworthy because they show progress by law enforcement, such as the recent arrest of REvil members and the recovery of millions of dollars in ransomware payments.
What is Ransomware?
Ransomware attacks typically follow a set pattern. A victim's information system is infected by malware that renders the victim's data unusable by encrypting it. The attackers then demand a ransom payment, usually in cryptocurrency, in exchange for a decryption key to restore the data. Victims who refuse to pay risk having the data deleted or published.
A recent analysis found that most ransomware attacks begin with one of a handful of infection vectors. Unsecured Microsoft Remote Desktop Protocol (RDP) connections topped the list, accounting for over 50% of all attacks; email phishing came second at around 25%, and exploitation of other software vulnerabilities made up 12%.
Colonial Pipeline’s Ransomware Attack
The most prominent ransomware attack of 2021 was launched by the group DarkSide against Colonial Pipeline and disrupted fuel supplies to the East Coast. The result was gas shortages, a spike in prices, and a general sense of panic. The attack triggered a government response, starting with an emergency declaration by the Biden administration and ending with a Congressional hearing on June 8. But not everything was lost: a day before the hearing, the Department of Justice announced the recovery of about $2.3 million in bitcoin that was part of the ransom Colonial had paid.
Kaseya's Ransomware Attack
Just weeks after the Colonial Pipeline attack, Kaseya, a major provider of IT management software, revealed that it had been hacked, this time by the group REvil.
REvil, short for "Ransomware Evil," has historically gained entry through phishing emails, compromised remote desktop credentials, and unpatched software vulnerabilities; in this incident the group exploited vulnerabilities in Kaseya's VSA remote-management software to reach the organizations that used it. Once attackers gain persistent access, they move laterally through the network, deploying additional tooling that lets them locate backups and encrypt or delete them so that the victim cannot recover without paying.
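The backup-destruction step described above is one of the few moments where a ransomware operator is forced to run noisy, recognizable commands before encryption starts. The following is an added detection example, not code from the original article or from Kaseya or any vendor; it scans constructed Windows process-creation records (the fields of Security Event ID 4688 or Sysmon Event ID 1) for the commands commonly used to inhibit recovery (MITRE ATT&CK T1490) and escalates a host only when several distinct techniques appear on it. Host names, user names and command lines are made up for the demo.

```python
"""
Detect the "find the backups and destroy them" step that precedes encryption.

Added example (not from the original article). Matches command lines that
ransomware operators commonly run to inhibit recovery: deleting or shrinking
Volume Shadow Copies, wiping the Windows Backup catalog, and disabling
Windows boot recovery. All sample events below are constructed.
"""
import re
from dataclasses import dataclass

# (human-readable technique name, pattern applied to the full command line)
INHIBIT_RECOVERY_PATTERNS = [
    ("shadow copy deletion (vssadmin)",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I)),
    ("shadow copy resize (vssadmin)",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bresize\b.*\bshadowstorage\b", re.I)),
    ("shadow copy deletion (wmic)",
     re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
    ("shadow copy deletion (PowerShell)",
     re.compile(r"Win32_ShadowCopy.*\b(Delete|Remove-WmiObject)\b", re.I)),
    ("backup catalog deletion (wbadmin)",
     re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\b.*\b(catalog|systemstatebackup|backup)\b", re.I)),
    ("boot recovery disabled (bcdedit)",
     re.compile(r"\bbcdedit(\.exe)?\b.*\b(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b", re.I)),
]


@dataclass
class ProcessEvent:
    """Minimal process-creation record (subset of Event ID 4688 / Sysmon 1)."""
    host: str
    user: str
    parent_image: str
    command_line: str


# Constructed sample telemetry; not real logs. The first event is a benign
# backup agent listing shadows, which must NOT fire.
SAMPLE_EVENTS = [
    ProcessEvent("FS01", "CORP\\backupsvc", "C:\\Program Files\\Veeam\\Backup\\VeeamAgent.exe",
                 "vssadmin list shadows"),
    ProcessEvent("WS-042", "CORP\\jdoe", "C:\\Windows\\System32\\cmd.exe",
                 "vssadmin.exe delete shadows /all /quiet"),
    ProcessEvent("WS-042", "CORP\\jdoe", "C:\\Windows\\System32\\cmd.exe",
                 "wmic shadowcopy delete"),
    ProcessEvent("WS-042", "CORP\\jdoe", "C:\\Windows\\System32\\cmd.exe",
                 "bcdedit /set {default} recoveryenabled No"),
    ProcessEvent("WS-042", "CORP\\jdoe", "C:\\Windows\\System32\\cmd.exe",
                 "wbadmin delete catalog -quiet"),
    ProcessEvent("WS-017", "CORP\\asmith", "C:\\Windows\\explorer.exe",
                 "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE /n"),
    ProcessEvent("FS01", "CORP\\admin", "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
                 "powershell -nop -w hidden -c Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete()}"),
]


def match_event(event):
    """Return the names of every inhibit-recovery pattern the command line hits."""
    return [name for name, rx in INHIBIT_RECOVERY_PATTERNS if rx.search(event.command_line)]


def find_inhibit_recovery(events):
    """Return [(event, [technique names])] for every event that matched at least one pattern."""
    hits = []
    for ev in events:
        names = match_event(ev)
        if names:
            hits.append((ev, names))
    return hits


def hosts_to_isolate(events, min_distinct=2):
    """
    Escalate only hosts on which several distinct recovery-inhibiting techniques
    appear. A lone 'vssadmin delete shadows' can be an admin reclaiming disk
    space; shadows + catalog + bcdedit together is an operator's pre-encryption
    checklist. Returns {host: sorted technique names}.
    """
    by_host = {}
    for ev, names in find_inhibit_recovery(events):
        by_host.setdefault(ev.host, set()).update(names)
    return {h: sorted(n) for h, n in by_host.items() if len(n) >= min_distinct}


if __name__ == "__main__":
    for ev, names in find_inhibit_recovery(SAMPLE_EVENTS):
        print(f"{ev.host:8} {ev.user:16} {', '.join(names)}")
    print("isolate:", hosts_to_isolate(SAMPLE_EVENTS))
```

In a real deployment the per-event matches feed a SIEM alert and the per-host aggregation drives automatic network isolation; the threshold in hosts_to_isolate is the knob that trades missed single-command cases against false positives from legitimate administration.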
The Kaseya attack illustrates a troubling escalation in ransomware operations, from merely encrypting data to also exfiltrating sensitive information and using it as leverage. To prove that the victims' files were in their hands, REvil posted some of them on its blog and threatened to disclose or delete the rest if it was not paid. Kaseya itself stated that it did not pay the ransom and later obtained a universal decryptor from a third party, but many of the downstream organizations hit through its software were extorted in cryptocurrency.
Even so, the FBI and its partners managed to trace those cryptocurrency payments and identify some of the perpetrators. Cybercrimes are hard to prosecute because specific individuals are difficult to identify and state sponsors are frequently complicit. So the fact that, a few weeks ago, the United States indicted some of the perpetrators of the Kaseya attack and seized a substantial amount of ransom proceeds is significant.
Colonial and Kaseya Open New Ground in Curtailing Cybercrime
Identifying and indicting REvil and DarkSide affiliates, and seizing part of the ransom money, is a victory for the United States and its allies. As mentioned above, we rarely hear about ransomware attacks, let alone see the culprits brought to justice. This year, against roughly 300 million attempts, companies reported only around 450 ransomware-related payments to the Financial Crimes Enforcement Network (FinCEN).
For years, companies that suffered a ransomware attack handled the matter behind closed doors, fearing reputational damage or lawsuits. Digital forensics and incident response (DFIR) firms contained the incidents privately, and by the time authorities got access to investigate, the trail was cold. That pattern emboldened attackers, who faced no consequences for their crimes.
Colonial and Kaseya broke that pattern by reporting the incidents to the FBI immediately and cooperating with the investigation. For Colonial, doing so helped it restore operations faster and recover part of the ransom. Kaseya's cooperation led to the arrest of some of the criminals and the recovery of some of the ransom proceeds. An added benefit is the intelligence the FBI and the Department of Justice gathered during the collaboration: learning how to follow the cryptocurrency trail will help put a dent in these criminal organizations' operations and curtail future attacks.
Regulatory Compliance Can Help
Attackers typically demand ransom in cryptocurrencies like bitcoin, or in newer privacy coins designed to resist tracing, like Monero, so that standard Know Your Customer (KYC) banking rules cannot identify them. But cryptocurrencies aren't completely untraceable: transactions on a public blockchain like bitcoin's are recorded permanently, and converting the coins into spendable currency eventually requires a link back to the heavily regulated financial sector.
Laws like the Bank Secrecy Act (BSA) require financial institutions to report suspicious activity, including payments made as a result of a ransomware attack, whether the extortion attempt succeeded or not. FinCEN, the agency that administers the BSA, has issued specific guidance on ransomware and identified twelve financial red flags that indicate a transaction may be related to ransomware or associated payments.
Among the requirements financial institutions must meet, the suspicious activity report (SAR) rule is the one most likely to surface, and ultimately help recover, a ransomware payment. An institution must file a SAR when it knows, suspects, or has reason to suspect that a transaction conducted or attempted by, at, or through the institution involves or aggregates to $5,000 or more (or, with one exception, $2,000 for money services businesses) in funds or other assets and:
- involves funds derived from illegal activity, or is intended to disguise funds derived from illegal activity;
- is designed to evade regulations promulgated under the BSA;
- lacks a business or apparent lawful purpose; or
- involves the use of the financial institution to facilitate criminal activity. (FinCEN Advisory FIN-2021-A004)
Two REvil affiliates were just indicted and had assets seized, and a virtual currency exchange had its US assets blocked, for handling transactions that law enforcement traced to the Kaseya attack; the exchange was faulted for failing to meet these and other anti-money-laundering requirements that could have stopped the transactions in the first place.
No Light at the End of the Tunnel Yet
Ransomware is a threat to every private and public entity; anything connected to the internet is a potential target. For example, just as we were closing this article, the information technology unit of Virginia's General Assembly suffered a ransomware attack. Unfortunately, there is no respite in sight.
Professionals working in these fields need to be prepared to identify the framework that best protects their organization, comply with the rules and regulations that protect customers' information, and learn how to respond to these incidents while keeping the business running. A Master of Legal Studies in Cybersecurity and Data Privacy from CSU College of Law is a sound investment for any company that wants the most competent and prepared professionals, or for any individual who wants to stand out in this field.