Thursday, July 15, 2021

A Modest Proposal About Ransomware

On the evening of July 2nd the REvil ransomware gang exploited a 0-day vulnerability to launch a supply chain attack on customers of Kaseya's Virtual System Administrator (VSA) product. The timing was perfect, with most system administrators off for the July 4th long weekend. By the 6th Alex Marquardt reported that Kaseya says up to 1,500 businesses compromised in massive ransomware attack. REvil, which had previously extorted $11M from meat giant JBS, announced that for the low, low price of only $70M they would provide everyone with a decryptor.

The US government's pathetic response is to tell the intelligence agencies to investigate and to beg Putin to crack down on the ransomware gangs. Good luck with that! It isn't his problem, because the gangs write their software to avoid encrypting systems that have default languages from the former USSR.

I've written before (here, here, here) about the importance of disrupting the cryptocurrency payment channel that enables ransomware, but it looks like the ransomware crisis has to get a great deal worse before effective action is taken. Below the fold I lay out a modest proposal that could motivate actions that would greatly reduce the risk.

It turns out that the vulnerability that enabled the REvil attack didn't meet the strict definition of a 0-day. Gareth Corfield's White hats reported key Kaseya VSA flaw months ago. Ransomware outran the patch explains:
Rewind to April, and the Dutch Institute for Vulnerability Disclosure (DIVD) had privately reported seven security bugs in VSA to Kaseya. Four were fixed and patches released in April and May. Three were due to be fixed in an upcoming release, version 9.5.7.

Unfortunately, one of those unpatched bugs – CVE-2021-30116, a credential-leaking logic flaw discovered by DIVD's Wietse Boonstra – was exploited by the ransomware slingers before its fix could be emitted.
DIVD praised Kaseya's response:
Once Kaseya was aware of our reported vulnerabilities, we have been in constant contact and cooperation with them. When items in our report were unclear, they asked the right questions. Also, partial patches were shared with us to validate their effectiveness.

During the entire process, Kaseya has shown that they were willing to put in the maximum effort and initiative into this case both to get this issue fixed and their customers patched. They showed a genuine commitment to do the right thing. Unfortunately, we were beaten by REvil in the final sprint, as they could exploit the vulnerabilities before customers could even patch.
But if Kaseya's response to DIVD's disclosure was praiseworthy, it turns out it was the exception. In Kaseya was warned about security flaws years ahead of ransomware attack, J. Fingas reports that:
The giant ransomware attack against Kaseya might have been entirely avoidable. Former staff talking to Bloomberg claim they warned executives of "critical" security flaws in Kaseya's products several times between 2017 and 2020, but that the company didn't truly address them. Multiple staff either quit or said they were fired over inaction.

Employees reportedly complained that Kaseya was using old code, implemented poor encryption and even failed to routinely patch software. The company's Virtual System Administrator (VSA), the remote maintenance tool that fell prey to ransomware, was supposedly rife with enough problems that workers wanted the software replaced.

One employee claimed he was fired two weeks after sending executives a 40-page briefing on security problems. Others simply left in frustration with a seeming focus on new features and releases instead of fixing basic issues. Kaseya also laid off some employees in 2018 in favor of outsourcing work to Belarus, which some staff considered a security risk given local leaders' partnerships with the Russian government.
The company's software was reportedly used to launch ransomware at least twice between 2018 and 2019, and it didn't significantly rethink its security strategy.
To reiterate:
  • The July 2nd attack was apparently at least the third time Kaseya had infected customers with ransomware!
  • Kaseya outsourced development to Belarus, a country where ransomware gangs have immunity!
  • Kaseya fired security whistleblowers!
The first two incidents didn't seem to make either Kaseya or its customers re-think what they were doing. Clearly, the only reason Kaseya responded to DIVD's warning was the threat of public disclosure.

Without effective action to change this attitude the ransomware crisis will definitely result in what Stephen Diehl calls The Oncoming Ransomware Storm:
Imagine a hundred new Stuxnet-level exploits every day, for every piece of equipment in public works and health care. Where every day you check your phone for the level of ransomware in the wild just like you do the weather. Entire cities randomly have their metro systems, water, power grids and internet shut off and on like a sudden onset of bad cybersecurity “weather”.

Or a time in business in which every company simply just allocates a portion of its earnings upfront every quarter and pre-pays off large ransomware groups in advance. It’s just a universal cost of doing business and one that is fully sanctioned by the government because we’ve all just given up trying to prevent it and it’s more efficient just to pay the protection racket.
To make things worse, companies can insure against the risk of ransomware, essentially paying to avoid the hassle of maintaining security. Insurance companies can't price these policies properly, because they can't do enough underwriting to know, for example, whether the customer's backups actually work and whether they are offline enough that the ransomware doesn't encrypt them too.
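The two questions an underwriter cannot easily answer, "do the backups actually restore?" and "could the production host have overwritten them?", are things a defender can check for themselves. The following is an added example, not code from the original post: it records a SHA-256 manifest when a backup is taken, verifies the backup copy against that manifest later, and probes whether the backup location is writable from the host being protected. The helper names and the sample files are constructed for this illustration.

```python
"""Backup integrity check: does a backup actually restore, and could the
production host have overwritten it?  Added example; the helper names and
the sample files are constructed for this illustration."""
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large backups do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file's path (relative to root) to its SHA-256 at backup time."""
    return {
        str(p.relative_to(root)): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_backup(manifest: dict, backup_root: Path) -> dict:
    """Compare the backup copy against the manifest recorded when it was made.

    A file that is missing, or whose hash no longer matches, means a restore
    from this copy would not give back the data that was backed up."""
    missing, changed = [], []
    for rel, digest in manifest.items():
        p = backup_root / rel
        if not p.is_file():
            missing.append(rel)
        elif sha256_file(p) != digest:
            changed.append(rel)
    return {"ok": not missing and not changed, "missing": missing, "changed": changed}


def backup_target_is_writable(backup_root: Path) -> bool:
    """True if this process can create a file inside the backup location.

    If the production host can write here, anything running on it can reach
    the backup too; "offline enough" means this check comes back False."""
    probe = backup_root / ".write-probe"
    try:
        probe.write_bytes(b"probe")
    except OSError:
        return False
    probe.unlink()
    return True


def demo() -> dict:
    """Constructed scenario: back up two files, then damage the backup copy."""
    with tempfile.TemporaryDirectory() as tmp:
        live = Path(tmp) / "live"
        backup = Path(tmp) / "backup"
        live.mkdir()
        (live / "ledger.csv").write_text("id,amount\n1,100\n")   # constructed sample
        (live / "notes.txt").write_text("quarterly review\n")    # constructed sample

        shutil.copytree(live, backup)
        manifest = build_manifest(live)

        first = verify_backup(manifest, backup)          # fresh copy verifies

        # The failure mode from the text: the backup was reachable from the
        # host and got overwritten or deleted along with the live data.
        (backup / "ledger.csv").write_bytes(b"\x00garbled\x00")
        (backup / "notes.txt").unlink()
        second = verify_backup(manifest, backup)

        return {
            "fresh_ok": first["ok"],
            "after_tamper_ok": second["ok"],
            "changed": second["changed"],
            "missing": second["missing"],
            "writable": backup_target_is_writable(backup),
        }


if __name__ == "__main__":
    print(demo())
```

The manifest has to be stored somewhere the same host cannot alter, or an attacker who reaches the backup can rewrite both. The writability probe is deliberately run from the production host: a backup that passes verification but is writable from there is exactly the "not offline enough" case the insurer cannot see.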

In Cyber insurance model is broken, consider banning ransomware payments, says think tank Gareth Corfield reports on the Royal United Services Institute's (RUSI) latest report, Cyber Insurance and the Cyber Security Challenge:
Unfortunately, RUSI's researchers found that insurers tend to sell cyber policies with minimal due diligence – and when the claims start rolling in, insurance company managers start looking at ways to escape an unprofitable line of business.
RUSI's position on buying off criminals is unequivocal, with [Jason] Nurse and co-authors Jamie MacColl and James Sullivan saying in their report that the UK's National Security Secretariat "should conduct an urgent policy review into the feasibility and suitability of banning ransom payments."
The fundamental problem is that neither the software vendors nor the insurers nor their customers are taking security seriously enough because it isn't a big enough crisis yet. The solution? Take control of the crisis and make it big enough that security gets taken seriously.

The US always claims to have the best cyber-warfare capability on the planet, so presumably they could do ransomware better and faster than gangs like REvil. The US should use this capability to mount ransomware attacks against US companies as fast as they can. Victims would see, instead of a screen demanding a ransom in Monero to decrypt their data, a screen saying:
US Government CyberSecurity Agency

Patch the following vulnerabilities immediately!

The CyberSecurity Agency (CSA) used some or all of the following vulnerabilities to compromise your systems and display this notice:
  • CVE-2021-XXXXX
  • CVE-2021-YYYYY
  • CVE-2021-ZZZZZ
Three days from now if these vulnerabilities are still present, the CSA will encrypt your data. You will be able to obtain free decryption assistance from the CSA once you can prove that these vulnerabilities are no longer present.
If the victim ignored the notice, three days later they would see:
US Government CyberSecurity Agency

The CyberSecurity Agency (CSA) used some or all of the following vulnerabilities to compromise your systems and encrypt your data:
  • CVE-2021-XXXXX
  • CVE-2021-YYYYY
  • CVE-2021-ZZZZZ
Once you have patched these vulnerabilities, click here to decrypt your data

Three days from now if these vulnerabilities are still present, the CSA will re-encrypt your data. For a fee you will be able to obtain decryption assistance from the CSA once you can prove that these vulnerabilities are no longer present.
The program would start out fairly gentle and ramp up, shortening the grace period to increase the impact.

The program would motivate users to keep their systems up-to-date with patches for disclosed vulnerabilities, which would not merely help with ransomware, but also with botnets, data breaches and other forms of malware. It would also raise the annoyance factor customers face when their supplier fails to provide adequate security in their products. This in turn would provide reputational and sales pressure on suppliers to both secure their supply chain and, unlike Kaseya, prioritize security in their product development.

Of course, the program above only handles disclosed vulnerabilities, not the 0-days REvil used. There is a flourishing trade in 0-days, of which the NSA is believed to be a major buyer. The supply in these markets is increasing, as Dan Goodin reports in iOS zero-day let SolarWinds hackers compromise fully updated iPhones:
In the first half of this year, Google’s Project Zero vulnerability research group has recorded 33 zero-day exploits used in attacks—11 more than the total number from 2020. The growth has several causes, including better detection by defenders and better software defenses that require multiple exploits to break through.

The other big driver is the increased supply of zero-days from private companies selling exploits.

“0-day capabilities used to be only the tools of select nation-states who had the technical expertise to find 0-day vulnerabilities, develop them into exploits, and then strategically operationalize their use,” the Google researchers wrote. “In the mid-to-late 2010s, more private companies have joined the marketplace selling these 0-day capabilities. No longer do groups need to have the technical expertise; now they just need resources.”

The iOS vulnerability was one of four in-the-wild zero-days Google detailed on Wednesday.
Based on their analysis, the researchers assess that three of the exploits were developed by the same commercial surveillance company, which sold them to two different government-backed actors.
As has been true since the Cold War era and the "Crypto Wars" of the 1980s when cryptography was considered a munition, the US has prioritized attack over defense. The NSA routinely hoards 0-days, preferring to use them to attack foreigners rather than disclose them to protect US citizens (and others). This short-sighted policy has led to several disasters, including the Juniper supply-chain compromise and NotPetya. Senators wrote to the head of the NSA, and the EFF sued the Director of National Intelligence, to obtain the NSA's policy around 0-days:
Since these vulnerabilities potentially affect the security of users all over the world, the public has a strong interest in knowing how these agencies are weighing the risks and benefits of using zero days instead of disclosing them to vendors,
It would be bad enough if the NSA and other nations' security services were the only buyers of 0-days. But the $11M REvil received from JBS buys a lot of them, and if each could net $70M they'd be a wonderful investment. Forcing ransomware gangs to use 0-days by getting systems up-to-date with patches is good, but the gangs will still have 0-days to use. So although the program above should indirectly reduce the supply (and thus increase the price) of 0-days by motivating vendors to improve their development and supply chain practices, something needs to be done to reduce the impact of 0-days on ransomware.

The Colonial Pipeline and JBS attacks, not to mention the multiple hospital chains that have been disrupted, show that it is just a matter of time before a ransomware attack has a major impact on US GDP (and incidentally on US citizens). In this light, the idea that NSA should stockpile 0-days for possible future use is counter-productive. At any time 0-days in the hoard might leak, or be independently discovered. In the past the fallout from this was limited, but no longer; they might be used for a major ransomware attack. Is the National Security Agency's mission to secure the United States, or to have fun playing Team America: World Police in cyberspace?

Unless they are immediately required for a specific operation, the NSA should disclose 0-days it discovers or purchases to the software vendor, and once patched, add them to the kit it uses to run its "ransomware" program. To do less is to place the US economy at risk.

PS: David Sanger reported Tuesday that Russia’s most aggressive ransomware group disappeared. It’s unclear who disabled them.:
Just days after President Biden demanded that President Vladimir V. Putin of Russia shut down ransomware groups attacking American targets, the most aggressive of the groups suddenly went off-line early Tuesday.
A third theory is that REvil decided that the heat was too intense, and took the sites down itself to avoid becoming caught in the crossfire between the American and Russian presidents. That is what another Russian-based group, DarkSide, did after the ransomware attack on Colonial Pipeline, ...

But many experts think that DarkSide’s going-out-of-business move was nothing but digital theater, and that all of the group’s key ransomware talent will reassemble under a different name.
This is by far the most likely explanation for REvil's disappearance, leaving victims unable to pay. The same day, Bogdan Botezatu and Radu Tudorica reported that Trickbot Activity Increases; new VNC Module On the Radar:
The Trickbot group, which has infected millions of computers worldwide, has recently played an active role in disseminating ransomware.

We have been reporting on notable developments in Trickbot’s lifecycle, with highlights including the analysis in 2020 of one of its modules used to bruteforce RDP connections and an analysis of its new C2 infrastructure in the wake of the massive crackdown in October 2020.

Despite the takedown attempt, Trickbot is more active than ever. In May 2021, our systems started to pick up an updated version of the vncDll module that Trickbot uses against select high-profile targets.
As regards the "massive crackdown", Ravie Lakshmanan notes:
The botnet has since survived two takedown attempts by Microsoft and the U.S. Cyber Command,

Via Barry Ritholtz we find this evidence of Willie Sutton's law in action. When asked "Why do you rob banks?", Sutton replied "Because that's where the money is."


And, thanks to Jack Cable, there's now a site which tracks ransomware payments in real time. It suffers a bit from incomplete data. Because it depends upon tracking Bitcoin addresses, it will miss the increasing proportion of demands that insist on Monero.


Anonymous said...

Companies could also stop creating monoculture networks that are easy to manage and also easy to compromise. When every device is a domain joined Windows 10 machine running some low level centralized remote management system, it's just a matter of time before you are completely owned.

This is the "Encryption Backdoor" problem in Computer Science (aka "Exceptional Access Systems"). It is impossible to build an exceptional access system and then ensure it is only used by good people to do good things.

David. said...

Lorenzo Franceschi-Bicchierai reports on today's 0-day news in Mysterious Israeli Spyware Vendor’s Windows Zero-Days Caught in the Wild:

"Citizen Lab concluded that the malware and the zero-days were developed by Candiru, a mysterious Israel-based spyware vendor that offers “high-end cyber intelligence platform dedicated to infiltrate PC computers, networks, mobile handsets," according to a document seen by Haaretz. Candiru was first outed by the Israeli newspaper in 2019, and has since gotten some attention from cybersecurity companies such as Kaspersky Lab."

Alwyn Schoeman said...

How could we exploit the Russian Locale exception?

Unknown said...

The correct response is to copy the law that the EU passed that can fine companies up to 10% of revenue for lax cyber security.

Equifax, SolarWinds and Kaseya all had lax security that caused untold damage to businesses and the public. I do not support letting cyber criminals get away without punishment, but I do support holding companies liable for gross negligence in cyber security.

David. said...

Brian Krebs originally suggested to Try This One Weird Trick Russian Hackers Hate by installing Russian keyboard support, but the bad guys figured out quickly that what they needed to test was not the keyboard support but the default language. So unless you want your machine to talk to you in Cyrillic, forget it. Hat tip to Bruce Schneier.

David. said...

I can't find anything that says the EU can impose 10% of revenue. When the UK implemented the EU regulations in 2018 (my emphasis):

"some of these organisations could be liable for fines of up to £17 million - or four per cent of global turnover - if lax cyber security standards result in loss of service under the Government’s proposals to implement the EU's Network and Information Systems (NIS) directive from May 2018."

£17M is chickenfeed compared to the damage, this only applies to critical infrastructure, and I don't see any evidence that the EU has levied any such fines.

David. said...

All I could find for the US was this from 2018:

"The U.S Department of Health and Human Services has fined Fresenius Medical Care Holdings Inc., a major supplier of medical equipment, $3.5 million for five separate data breaches that occurred in 2012."

A derisory fine, 6 years late, for losing control of physical devices containing health information. Not exactly impressive.

HMTKSteve said...

How about keeping an air gap between critical systems and the internet? When companies used dedicated data circuits this kind of thing did not happen. Too many accountants have veto powers over IT and it shows.

David. said...

Static, tell that to the FBI. Alex Hern reported April 14 that FBI hacks vulnerable US computers to fix malicious malware:

"The FBI has been hacking into the computers of US companies running insecure versions of Microsoft software in order to fix them, the US Department of Justice has announced.

The operation, approved by a federal court, involved the FBI hacking into “hundreds” of vulnerable computers to remove malware placed there by an earlier malicious hacking campaign, which Microsoft blamed on a Chinese hacking group known as Hafnium."

David. said...

The Washington Post's Gerrit De Vynck, Rachel Lerman, Ellen Nakashima and Chris Alcantara have an excellent explainer from 10 days ago entitled The anatomy of a ransomware attack.

David. said...

And the class action lawyers get in on the ransomware act. In First came the ransomware attacks, now come the lawsuits, Gerrit De Vynck reports on Eddie Darwich, a pioneering plaintiff:

"Now he’s suing Colonial Pipeline over those lost sales, accusing it of lax security. He and his lawyers are hoping to also represent the hundreds of other small gas stations that were hurt by the hack. It’s just one of several class-action lawsuits that are popping up in the wake of high-profile ransomware attacks.

Another lawsuit filed against Colonial in Georgia in May seeks damages for consumers who had to pay higher gas prices. A third is in the works, with law firm Chimicles Schwartz Kriner & Donaldson-Smith LLP pursuing a similar effort.

And Colonial isn’t the only company being sued. San Diego-based hospital system Scripps Health is facing class-action lawsuits stemming from a ransomware attack in April."

David. said...

Charlie Osborne's Updated Kaseya ransomware attack FAQ: What we know now is a useful overview.

David. said...

In the wake of major attacks, ransomware groups Avaddon, DarkSide and REvil went dark. Now Dan Goodin reports that they may be re-branding themselves in Haron and BlackMatter are the latest groups to crash the ransomware party:

"Both groups say they are aiming for big-game targets, meaning corporations or other large businesses with the pockets to pay ransoms in the millions of dollars.
As S2W Lab pointed out, the layout, organization, and appearance of [Haron's] site are almost identical to those for Avaddon, the ransomware group that went dark in June after sending a master decryption key to BleepingComputer that victims could use to recover their data.
Recorded Future, The Record, and security firm Flashpoint, which also covered the emergence of BlackMatter, have questioned if the group has connections to either DarkSide or REvil."

David. said...

Just a reminder that the ransomware threat has been ignored for a long time. Nearly five years ago I wrote Asymmetric Warfare. The first comment was:

"Ransomware is another example. SF Muni has been unable to collect fares for days because their systems fell victim to ransomware. The costs to mount this attack are insignificant in comparison to the costs imposed on the victim. Quinn Norton reports:

'The pre­dic­tions for this year from some analy­sis is that we’ll hit seventy-five bil­lion in ran­somware alone by the end of the year. Some esti­mates say that the loss glob­al­ly could be well over a tril­lion this year, but it’s hard to say what a real num­ber is.'"

David. said...

Catalin Cimpanu reports that Accenture downplays ransomware attack as LockBit gang leaks corporate data:

"Fortune 500 company Accenture has fallen victim to a ransomware attack but said today the incident did not impact its operations and has already restored affected systems from backups.

News of the attack became public earlier this morning when the company’s name was listed on the dark web blog of the LockBit ransomware cartel.

The LockBit gang claimed it gained access to the company’s network and was preparing to leak files stolen from Accenture’s servers at 17:30:00 GMT.
Just before this article was published, the countdown timer on the LockBit gang’s leak site also reached zero. Following this event, the LockBit gang leaked Accenture’s files, which, following a cursory review, appeared to include brochures for Accenture products, employee training courses, and various marketing materials. No sensitive information appeared to be included in the leaked files."

David. said...

What will it take for this to be a crisis? Dan Goodin reports that Hospitals hamstrung by ransomware are turning away patients:

"Dozens of hospitals and clinics in West Virginia and Ohio are canceling surgeries and diverting ambulances following a ransomware attack that has knocked out staff access to IT systems across virtually all of their operations.

The facilities are owned by Memorial Health System, a nonprofit network of services that represents 64 clinics, including hospitals Marietta Memorial, Selby, and Sistersville General in the Marietta-Parkersburg metropolitan area in West Virginia and Ohio. Early on Sunday, the chain experienced a ransomware attack that hampered the three hospitals’ ability to operate normally."

David. said...

T-Mobile was lucky that the guy penetrating their network didn't ransomware them and bring their network down. Dan Goodin reports that T-Mobile has been hacked yet again—but still doesn’t know what was taken:

"By some counts, T-Mobile has experienced as many as six separate data breaches in recent years. They include a hack in 2018 that gave unauthorized access to customer names, billing ZIP codes, phone numbers, email addresses, and account numbers. In a breach from last year, hackers absconded with data including customer names and addresses, phone numbers, account numbers, rate plans and features, and billing information."

T-Mobile may claim not to know what was taken, but they could read Joseph Cox's T-Mobile Investigating Claims of Massive Customer Data Breach:

"T-Mobile says it is investigating a forum post claiming to be selling a mountain of personal data. The forum post itself doesn't mention T-Mobile, but the seller told Motherboard they have obtained data related to over 100 million people, and that the data came from T-Mobile servers.

The data includes social security numbers, phone numbers, names, physical addresses, unique IMEI numbers, and driver licenses information, the seller said. Motherboard has seen samples of the data, and confirmed they contained accurate information on T-Mobile customers."

In other T-Mobile news, Jon Brodkin reports that T-Mobile apparently lied to government to get Sprint merger approval, ruling says:

"T-Mobile apparently lied to government regulators about its 3G shutdown plans in order to win approval of its merger with Sprint, according to a ruling in a proceeding in front of the California Public Utilities Commission (CPUC).
T-Mobile's false and misleading statements under oath indicated, among other things, that T-Mobile would make its CDMA network "available to Boost customers until they were migrated to Dish Network Corporation's LTE or 5G services" and that Dish would have up to three years to complete the migration, the ruling said."

Ax Sharma reports on another of today's data breaches in Secret terrorist watchlist with 2 million records exposed online:

"A secret terrorist watchlist with 1.9 million records, including classified "no-fly" records was exposed on the internet.

The list was left accessible on an Elasticsearch cluster that had no password on it.
The 1.9 million-strong recordset contained sensitive information on people, including their names, country citizenship, gender, date of birth, passport details, and no-fly status."

I don't expect any of the people responsible for these breaches and lies to suffer any consequences. Which pretty much guarantees that the breaches and lying will continue.

Six years ago Maciej Cegłowski posted Haunted by Data, asking you to:

"imagine data not as a pristine resource, but as a waste product, a bunch of radioactive, toxic sludge that we don’t know how to handle."

David. said...

Brian Barrett points out that The T-Mobile Breach Is Much Worse Than It Had to Be:

"Assorted data from more than 48 million people was compromised, and while that’s less than the 100 million that the hacker had initially advertised, the vast majority of those affected turn out not to be current T-Mobile customers at all.

Instead, T-Mobile says that of the people whose data was compromised, more than 40 million are former or prospective customers who had applied for credit with the carrier."

T-Mobile didn't need data on non-customers for its operations. Presumably it was hoarding this data in order to sell it. They should have paid attention to Cegłowski.

David. said...

Dominic Connor's When the bits hit the fan: What to do when ransomware strikes is a useful compendium of advice. In particular, that your cyber insurance policy is unlikely to pay out:

"Some of the insurers sell themselves on having a list of recommended firms to help you in a crisis, from law to technical and – given that attacks now make front pages – PR.

But here's the thing. The technical people work for the insurer, not you, so while they provide help and untangle your systems, they will also be looking for the ways you have not complied with the "reasonable" precautions mandated by your policy.

Providing that every single piece of software is patched up to date, there are scanners on everything, a full inventory, all access is at least 2FA, you don't ever ignore alerts, your backups are regularly validated as is pentesting, and all this is documented – then that might not be a problem. But back in the real world, it is."

And that paying the ransom might not help:

"Ransomware victim Colonial Pipeline, which is said to have paid criminals $5m in May this year for a decryptor, reportedly found that it ran so terribly slowly that they might as well restore from backups and just take the hit of the data loss despite having paid the ransom.

So it may be that you need to spin up a whole pile of cloud instances to get your data back quickly enough, after all - your systems mean the business can still make sales. This also lowers the risk of the ransomware re-infecting your systems. But if you do pay the ransom and use a decryptor, you need to be ready for the fact that the data may have been mangled unintentionally – since encrypting live files is an inherently unreliable action and the criminal developers won't have been trying all that hard to manage its integrity."

David. said...

In This is the perfect ransomware victim, according to cybercriminals, Charlie Osborne discusses a report from KELA:

"on listings made by ransomware operators in the underground, including access requests -- the way to gain an initial foothold into a target system -- revealing that many want to buy a way into US companies with a minimum revenue of over $100 million.
When you consider a successful ransomware campaign can result in payments worth millions of dollars, this cost becomes inconsequential -- and can mean that cybercriminals can free up time to strike more targets.
Ransomware operators are willing to pay, on average, up to $100 000 for valuable initial access services."

David. said...

Charlie Osborne's The state of ransomware: national emergencies and million-dollar blackmail reports on Trend Micro's Attacks from all angles: 2021 midyear security roundup. Osborne writes:

"Banks have been "disproportionately affected" by a surge in ransomware attacks, clocking a 1,318% increase year-on-year in 2021.
This year alone, we have seen high-profile cases of ransomware infection -- including against Colonial Pipeline, Kaseya, and Ireland's health service -- cause everything from business disruption to fuel shortages, declarations of national emergency, and restricted medical care.

These attacks are performed for what can end up being multi-million dollar payouts and now these campaigns are becoming easier to perform with initial access offerings becoming readily available to purchase online, cutting out the time-consuming legwork necessary to launch ransomware on a corporate network. "

David. said...

Dmitri Alperovitch's NYT op-ed America Is Being Held for Ransom. It Needs to Fight Back. argues for taking the offensive against ransomware gangs:

"The United States should build off the model used by Task Force ARES, targeting ransomware criminals’ technical and financial infrastructure. Such a campaign could reveal personal details about the perpetrators, take down the ransom payment servers they are using to conduct operations, seize their cryptocurrency wallets and perhaps even introduce subtle bugs into their code that enable victims to unlock their data without paying a ransom."

David. said...

Ax Sharma reports that $5.9 million ransomware attack on farming co-op may cause food shortage:

"Iowa-based provider of agriculture services NEW Cooperative Inc. has been hit by a ransomware attack, forcing it to take its systems offline. The BlackMatter group that is behind the attack has put forth a $5.9 million ransom demand. The farming cooperative is seen stating the attack could significantly impact the public supply of grain, pork, and chicken if it cannot bring its systems back online."

David. said...

Crypto Channels Targeted in Biden’s Fight Against Ransomware by Kartikay Mehrotra and Jennifer Jacobs covers announcements by Deputy Treasury Secretary Wally Adeyemo:

"sanctions would be imposed on Suex, a cryptocurrency transferring service that’s registered in the Czech Republic. He said Suex had “facilitated transactions involving illicit proceeds for at least eight ransomware variants.”

He said “exchanges like Suex are critical to attackers’ ability to extract profits,” pointing out that this was the first such action by the Office of Foreign Assets Control against a virtual currency exchange."


"Since its inception in 2018 as a venue for transferring digital currency and turning it into cash, Suex has moved hundreds of millions of dollars in illicit digital coins, including more than $160 million in Bitcoin alone, according to the cryptocurrency research firm, Chainalysis.

Suex’s addition to the Treasury Specially Designated Nationals and Blocked Persons List prohibits Americans from doing business with it."

This really isn't a credible response to the problem.

David. said...

Russia apparently views ransomware attack prevention as a national security problem. Max Seddon reports that Russia arrests cybersecurity expert on treason charge:

"The founder of one of Russia’s largest cybersecurity companies has been arrested on suspicion of state treason and will be held in a notorious prison run by the security services for the next two months, a Moscow court said on Wednesday.

The charges against Ilya Sachkov, founder of Group-IB, are classified and details of them were not immediately clear. State-run news agency Tass cited an anonymous source who said Sachkov denied passing on secret information to foreign intelligence services.

Group-IB, which specializes in preventing cybercrime and ransomware, confirmed that law enforcement raided its offices yesterday but said it did not know the reason for Sachkov’s arrest."

David. said...

In Ransomware attacks against hospitals are having some very grim consequences Danny Palmer reports:

"Ransomware attacks against hospitals are having direct consequences for patient care as a result of the reduced availability of systems and services when cyber criminals encrypt networks.

According to a survey of healthcare organisations, ransomware attacks have resulted in patients being kept in hospital longer, delays in tests and procedures – and, most disturbingly of all, an increase in patient deaths."

David. said...

Gareth Corfield reports that Ukrainian cops cuff two over $150m ransomware gang allegations, seize $1.3m in cryptocurrency:

"A round of speculation was triggered when inter-EU law enforcement body Europol declared this morning that Ukrainian fuzz had arrested "two prolific ransomware operators known for their extortionate demands," claimed to be up to €70m.

One of the two suspects arrested on 28 September, according to the National Police of Ukraine, was a "hacker". The other allegedly "helped to withdraw money obtained by criminal means." $1.3m in cryptocurrency was said to have been frozen."

David. said...

Catalin Cimpanu reports that US govt reveals three more ransomware attacks on water treatment plants this year:

"Ransomware gangs have silently hit three US water and wastewater treatment facilities this year, in 2021, the US government said in a joint cybersecurity advisory published today by the FBI, NSA, CISA, and the EPA.

The attacks —which had been previously unreported— took place in March, July, and August and hit facilities in Nevada, Maine, and California, respectively."

The attacks led to the threat actors encrypting files, and in one case, even corrupting a computer used to control the SCADA industrial equipment deployed inside the treatment plant.

David. said...

North America Is Biggest Ransomware Target, Chainalysis Says by Joanna Ossinger reports that:

"North America has been extorted for the most money by ransomware attackers of any region -- and the groups targeting it tend to be associated with Russia-based cybercriminal groups, according to a new report.

Users in the region paid $131 million in cryptocurrency to ransomware attackers between July 2020 and June 2021, according to a report from Chainalysis Inc., crypto-forensics firm. That’s more than double the amount sent from Western Europe, which paid the second-most."

David. said...

The Joint statement of the Ministers and Representatives from the Counter Ransomware Initiative meeting, October 2021 is pathetically inadequate to the scale of the problem. Its Countering Illicit Finance section is an example:

"Taking action to disrupt the ransomware business model requires concerted efforts to address illicit finance risks posed by all value transfer systems, including virtual assets, the primary instrument criminals use for ransomware payments and subsequent money laundering. We acknowledge that uneven global implementation of the standards of the Financial Action Task Force (FATF) to virtual assets and virtual asset service providers (VASPs) creates an environment permissive to jurisdictional arbitrage by malicious actors seeking platforms to move illicit proceeds without being subject to appropriate anti-money laundering (AML) and other obligations. We also recognize the challenges some jurisdictions face in developing frameworks and investigative capabilities to address the constantly evolving and highly distributed business operations involving virtual assets."

David. said...

Simon Sharwood's US gov claims ransomware 'earned' $590m in the first half of 2021 alone – mostly in Bitcoin makes depressing reading:

"Ransomware extracted at least $590 million for the miscreants who create and distribute it in the first half of 2021 alone – more than the $416 million tracked in all of 2020, according to the US government’s Financial Crimes Enforcement Network (FinCEN). Total ransomware-related financial activity may have reached $5.2 billion."

David. said...

Catalin Cimpanu reports that Sinclair TV stations disrupted across the US after ransomware attack:

"TV broadcasts for Sinclair-owned channels have gone down today across the US in what the stations have described as technical issues, but which multiple sources told The Record to be a ransomware attack.

The incident occurred in the early hours of the day and took down the Sinclair internal corporate network, email servers, phone services, and the broadcasting systems of local TV stations.

As a result of the attack, many channels weren’t able to broadcast morning shows, news segments, and scheduled NFL games, according to a barrage of tweets coming from viewers and the TV channels themselves."

Couldn't happen to a nicer company.

David. said...

In Joseph Menn and Christopher Bing's exclusive Governments turn tables on ransomware gang REvil by pushing it offline they report on the latest whack-a-mole action:

"The ransomware group REvil was itself hacked and forced offline this week by a multi-country operation, according to three private sector cyber experts working with the United States and one former official.

"The FBI, in conjunction with Cyber Command, the Secret Service and like-minded countries, have truly engaged in significant disruptive actions against these groups,” said Kellermann, an adviser to the U.S. Secret Service on cybercrime investigations. “REvil was top of the list.”

A leadership figure known as "0_neday," who had helped restart the group's operations after an earlier shutdown, said REvil's servers had been hacked by an unnamed party."

David. said...

Lorenzo Franceschi-Bicchierai reports that Sinclair Workers Say TV Channels Are in ‘Pandemonium’ After Ransomware Attack:

"The ransomware attack interfered with several channels’ broadcast programming, preventing them from airing ads or NFL games, as reported by The Record, a news site owned by cybersecurity firm Recorded Future. It has also left employees confused and wondering what's going on, according to current Sinclair workers."

David. said...

Ellen Nakashima and Dalton Bennett report that A ransomware gang shut down after Cybercom hijacked its site and it discovered it had been hacked:

"A major overseas ransomware group shut down last month after a pair of operations by U.S. Cyber Command and a foreign government targeting the criminals’ servers left its leaders too frightened of identification and arrest to stay in business, according to several U.S. officials familiar with the matter.

The foreign government hacked the servers of REvil this summer, but the Russian-speaking criminal group did not discover it was compromised until Cybercom last month blocked its website by hijacking its traffic, said the officials who spoke on the condition of anonymity because of the matter’s sensitivity."

And Lisa Vaas reports that Suspected REvil Gang Insider Identified:

"German investigators have identified a deep-pocketed, big-spending Russian billionaire whom they suspect of being a core member of the REvil ransomware gang.

He lolls around on yachts, wears a luxury watch with a Bitcoin address engraved on its dial, and is suspected of buying it all with money he made as a core member of the REvil ransomware gang.

The showy billionaire goes by “Nikolay K.” on social media, and German police are hoping he’ll cruise out of Russia on his next vacation – preferably, to a country with a cooperation agreement with Germany so they can arrest him. In case he decides to kick back somewhere other than sunny Crimea, they’ve got an arrest warrant waiting for him."

David. said...

Hannah Murphy and Stefania Palma report that US charges Ukrainian and Russian nationals over ransomware attacks. They are:

"Ukrainian Yaroslav Vasinskyi, 22, for allegedly conducting one of the largest global supply chain ransomware attacks, the Kaseya hack, among others. The US said it is seeking to extradite Vasinskyi, who was arrested in Poland after crossing the border from Ukraine,"


"Russian national Yevgyeniy Polyanin, 28, for allegedly targeting US government entities and private-sector companies in about 3,000 attacks that reaped an estimated $13 million, Garland said. The US has seized $6.1 million in ransom proceeds from his activities,"


"Separately on Monday, Europol announced that law enforcement in Romania had arrested two ransomware hackers associated with the Sodinokibi/REvil ransomware cartel."

David. said...

Catalin Cimpanu reports that FBI says the Cuba ransomware gang made $43.9 million from ransom payments:

"The US Federal Bureau of Investigations said today that the operators of the Cuba ransomware have earned at least $43.9 million from ransom payments following attacks carried out this year.

In a flash alert sent out on Friday, the Bureau said the Cuba gang has “compromised at least 49 entities in five critical infrastructure sectors, including but not limited to the financial, government, healthcare, manufacturing, and information technology sectors.”

The FBI said it traced attacks with the Cuba ransomware to systems infected with Hancitor, a malware operation that uses phishing emails, Microsoft Exchange vulnerabilities, compromised credentials, or RDP brute-forcing tools to gain access to vulnerable Windows systems."

David. said...

Steven Musil reports that US military has reportedly acted against ransomware groups:

"Nakasone didn't describe the action taken or identify the groups targeted, but said one of the goals is to "impose costs" for ransomware groups.

"Before, during and since, with a number of elements of our government, we have taken actions and we have imposed costs," Nakasone said. "That's an important piece that we should always be mindful of."

The increased activity follows a string of cyberattacks on the federal government and private companies, reigniting concerns about the vulnerability of critical infrastructure."

"Imposing costs" will certainly prevent any further ransomware attacks. So there's no need to take action against cryptocurrencies. Everyone can relax and keep on getting rich as "number go up". We are safe behind the shield of the US military's "Cyber Command".

David. said...

Matthew Field's Crackdown on crypto firms needed to ‘wreck’ ransomware, says ex-GCHQ boss starts:

"Regulators need to “wreck the business model” of ransomware gangs by cracking down on cryptocurrency companies that facilitate Bitcoin payments, according to the former head of GCHQ.

Robert Hannigan, who was director of Britain’s signals intelligence agency from 2014 to 2017, said more coordinated action was needed to tackle a surge in ransomware attacks during the pandemic."