The year the tide turned on ransomware

This year was rife with ransomware. 2021 witnessed the attack on IT software company Kaseya that knocked 1,500 organizations offline, the CD Projekt Red hack that saw threat actors make off with source code for games including Cyberpunk 2077 and The Witcher 3, and several high-profile attacks targeting big-name tech companies, from Olympus to Fujitsu and Panasonic.

It was also the year that hackers seized global attention by targeting critical infrastructure, hacking American oil pipeline system Colonial Pipeline, meat-processing giant JBS and Iowa New Cooperative, an alliance of farmers that sells corn and soy, to name just a few.

After the attacks led to prolonged shutdowns, inflated oil prices and ran the risk of food shortages, the U.S. government began to take notice — after years of inaction — and scored some rare wins in what once seemed like an unwinnable battle against the ransomware epidemic.

It began in April when the Department of Justice formed the Ransomware and Digital Extortion Task Force. The move, which followed what the DOJ described as the “worst year” for ransomware attacks, aimed to prioritize the “disruption, investigation, and prosecution of ransomware and digital extortion activity.” The task force declared its first victory two months later when the DOJ announced it had arrested 55-year-old Latvian national Alla Witte and charged her for her role in “a transnational cybercrime organization” that was behind TrickBot, one of the most well-known and widely used banking trojans and ransomware tools.

An even bigger win came just days later when the DOJ announced it had seized $2.3 million in bitcoin that Colonial Pipeline paid to the DarkSide ransomware gang to reclaim its data. Since then, the U.S. government has offered a reward of up to $10 million for information that helps identify or track down leaders of the notorious ransomware group.

At the same time, the Treasury Department announced sanctions against the Chatex cryptocurrency exchange for facilitating ransom transactions, just weeks after taking similar action against the Suex crypto exchange.

The biggest win for the Task Force came in October with its disruption of the notorious REvil ransomware gang. Prosecutors announced they had charged a 22-year-old Ukrainian national linked to the gang that orchestrated the July ransomware attack against Kaseya, and said it had seized more than $6 million in ransom tied to another member of the notorious ransomware group.

The U.S. government’s efforts to target ransomware groups this year were applauded by many, particularly for its tactic of following the money. Chainalysis, a provider of blockchain transaction analysis software, lauded the Treasury’s action against Suex as a “big win” against ransomware operators, telling TechCrunch that dismantling the mechanisms for ransomware groups to cash out their cryptocurrency would be vital in slowing them down. Morgan Wright, chief security advisor at SentinelOne, said that without removing the main incentive — financial gain — ransomware gangs will continue to operate and expand.

“Attackers will always have the advantage because they don’t have to follow the rules or the law. However, there are two approaches that could seriously impact the ability of transitional ransomware gangs to achieve their goals — removing the ability to use cryptocurrency for ransoms and machine speed responses to machine speed attacks,” said Wright.

The U.S. government also offered rewards for information on ransomware tactics, like the $10 million bounty for information on DarkSide, and the subsequent reward for intel on REvil. “With rewards this large, there’s a substantial incentive for these criminals to turn on one another. This action undermines trust across the ransomware as a service affiliate model,” Jake Williams, CTO at BreachQuest, told TechCrunch.

But some believe that while the government’s actions have undoubtedly scared off some, it’s unlikely to disincentive ransomware gangs that continue to reap the financial rewards.

“While I applaud law enforcement efforts to bring those responsible for ransomware attacks to justice, the likelihood of apprehension and jail time simply does not outweigh the large sums of money being made by these criminal groups,” said Jonathan Trull at Qualys, an IT security company. “Unfortunately, the battle against ransomware is an asymmetric one, meaning there simply is not enough law enforcement resources globally to deal with the volumes and complexity of investigations needed.”

Wright agreed, and was less than impressed by the U.S. government’s activity so far: “Arresting two people and recovering a few million dollars isn’t a victory over ransomware. This is more of a political statement to ’show’ something is being done about ransomware. $2.3 million isn’t even worthy of a rounding error when you look at the billions of dollars already lost.”

Similarly, many believe that these tactics will unlikely be enough to fend off the growing threat of ransomware as we enter the new year, particularly as threat actors adapt their own. Experts believe that the ransomware-as-a-service (RaaS) model — in which operators lease out their ransomware infrastructure to others in return for a percentage of the ransom proceeds — will continue to thrive in 2022, making it more difficult for law enforcement to track down operators.

Others expect multi-staged attack chains — the breaches that start with a phish and lead to data theft and eventually ransomware — to become more prevalent, which could enable hackers to infiltrate even the most well-protected network infrastructures.

The latter will likely lead to the U.S. government collaborating more closely with the private sector in 2022, according to Trull. “Law enforcement alone is not going to turn the tide, in my opinion. It will need to be a combination of enforcement actions paired with dedicated efforts to harden systems, develop, and operationalize backups of key data and systems, and effective response from the private sector.”

While it’s clear that more action is needed, the U.S. government is making progress. While a handful of prosecutions has been mocked by some, it’s clearly had an impact — particularly on ransomware groups’ ability to advertise and recruit potential partners. In the wake of this unwanted attention, ransomware was banned from several popular hacking forums, leading to one hacking group setting up a fake company to lure unwitting IT specialists into supporting its continued expansion into the lucrative ransomware industry.

“Ransomware gangs are less welcome on certain cybercrime forums than they once were,” said Brett Callow, a ransomware expert and threat analyst at Emsisoft.

6 things in cybersecurity we didn’t know last year