At a glance.
- Ransomware and privateering.
- A call for clarity with respect to cyber deterrence.
- Reaction to coming TSA cybersecurity regulations.
Privateering with ransomware?
Flashpoint researchers are tracking the resurgence of the well-known REvil ransomware gang, which is making an attempt at a comeback in the Groove collective's criminal RAMP forum:
“The ‘REvil’ profile on RAMP was created on October 6. In a post underneath its profile, REvil advertised their affiliate program in detail and claimed that their practices are anonymous and secure. REvil followed up their post with a claim that it will wait until November to begin actively recruiting affiliates on RAMP. Cybersecurity analysts note that this post follows a report that REvil was scamming their affiliates through a backdoor in their ransom code.”
Security firm Mandiant yesterday released a report on FIN12, an "aggressive, financially motivated" ransomware gang noteworthy for its concentration on healthcare organizations. FIN12 appears to be a Russophone group and is in all probability based in Russia. Its victims have been concentrated in North America, but there are recent signs that the gang is branching out to Europe and Asia. It doesn't hit Russia or, usually, the former Soviet republics of the Near Abroad, a group of countries sometimes known by the name of the moribund association that connected them, the Commonwealth of Independent States. Circumstantially, at least, it looks like privateering.
FIN12 also isn't the only group operating against targets where a reasonable person would see a direct human cost. In the case of FIN12, it's healthcare. In the case of BlackMatter, it's agriculture. NBC News reviews BlackMatter's recent attacks against grain cooperatives in the American farm belt. The timing of the attacks is troubling: they come around harvest time.
Roger Grimes, data-driven defense evangelist at KnowBe4, points out that it's no accident (as we remember Pravda saying, back in the day) that so many of the ransomware gangs operate from Russia (or for that matter, from North Korea):
"If it isn't nation-states directly supporting malicious hackers and actively providing a cybercriminal safe haven, then they are at least knowingly allowing it. In Russia, it is widely believed that its law enforcement and government officials are personally and directly profiting off of cybercriminal activity, actively taking bribes to overlook criminal activity. I am not sure if that is true, but it often appears that way. One of the top Russian cybercriminals who is sought under warrant by the U.S. government drives an expensive sports car with a license plate that says thief, and he tells anyone who listens how he is friends with Russian senior law enforcement and government officials. He is not hiding. He is bragging. And it is unfortunate that many countries allow it or even seem to encourage it. All capable nations hack each other. It is just life. But there is a difference between the normal intelligence operations being conducted by most countries and a country actively encouraging its hackers to lock up the data of any company it wants and ask for an illicit ransom to be paid to unlock it. North Korea actively steals from bank and cryptocurrency accounts. It is like they are allowing cybercriminals to be a legitimate way their country is funded. It is unfortunate. The question is what will it take, how bad will it get, to make it stop?"
A call for an articulated deterrence policy.
State-tolerated or state-sponsored ransomware attacks have proven, so far, resistant to effective deterrence. Members of the Cyberspace Solarium Commission speaking this week in Aspen called upon the US Administration to articulate a clear, publicly stated deterrence policy. Senator Angus King (Independent, Maine) said:
“I think the most important thing is for the administration and the President to develop a clearly articulated declaratory deterrent policy, a deterrence doctrine to put our adversaries on notice that they will pay a price for attacking us in cyberspace. I think one of the great gaps in our national response has been a tepid or non-response to this series of attacks that we’ve seen over the past 15 or 20 years.”
More reaction to anticipated US TSA regulation.
This week's announcement of the US Transportation Security Administration's plans to establish cybersecurity regulations for passenger railroads and airlines continues to prompt reaction from industry. Some, notably representatives of the railroads, think the regulations unnecessary, since the steps the regulations will mandate are already well established and being followed. Others have expressed concern about unintended consequences. Still others wonder how piecemeal regulation of different sectors will fit into the sort of whole-of-nation approach Homeland Security Secretary Mayorkas espoused, according to the Federal News Network, at the Billington Cybersecurity Summit. Nick Cappi, Cyber Vice President, Portfolio Strategy and Enablement at Hexagon PPM, welcomes the attention to critical infrastructure but would like to see more commonality across sectors:
“I am pleased to see any action that improves cyber security for critical infrastructure. With that said, I am concerned with the disjointed approach of going from one industry to the next defining standards and/or mandates. It’s time to take a step back and define a single critical infrastructure cyber security standard. If your industry is defined as critical infrastructure, then by definition it requires protection. Again, I am pleased to see movement and action, but I don’t think we need to wait for the next critical infrastructure attack to decide that we need another mandate to cover that specific industry. Let’s define a singular critical infrastructure cyber security standard now and start enforcing protection for everyone.”