The evolving threat of ransomware and the emerging US response
Whither ransomware?
By Katie Aulenbacher, the CyberWire staff
Jan 28, 2022

Are ransomware gangs passing their prime, or will they continue to mutate in response to diplomatic and defensive pressures? What role is CyberCom playing in the fight, and what concrete steps should organizations take today? The CyberWire had the opportunity to explore these topics and more with Egress Vice President of Threat Intelligence Jack Chapman. 

A conversation with industry on the state and prospect of the struggle to control ransomware. We spoke at length with Egress Vice President of Threat Intelligence Jack Chapman.

Ransomware gangs’ evolution and outlook.

“We’re currently playing catch-up with ransomware gangs,” says Jack Chapman of Egress, and “it can seem that the cybercriminals are one step ahead.”

But with a close eye on darknet fora and an ear to the ground where malware campaigns propagate and breed, Chapman has identified three emerging trends in ransomware gangs’ tactics, techniques, and procedures. The hoods increasingly work together, target multiple pain points, and time attacks to coincide with holidays or delicate business transactions.  

While gangs’ collaborative approach on the whole makes them more “resilient,” he says—as they swap skills, diversify revenue streams through ransomware-as-a-service offerings, welcome novice affiliates into the fold, and clutter the playing field—loose cannons in the network can garner unwanted attention from legal and political authorities and drive interventions that in the long run may complicate business.

For now, however, the trend is toward greater aggression with the goal of maximizing profits. Gangs are “trying inventive and increasingly brazen tactics to pressure victims into paying a ransom,” Chapman says. Double extortion has become the norm, and accompanying DDoS attacks and abuse of associated individuals, as seen in the deployment of Yanluowang ransomware, are on the rise. “I would expect these tactics to become increasingly popular,” he says, “making it all the more difficult for victims to resist paying.”

The third pattern of note is gangs’ tendency to launch assaults during national holidays, “when security teams are thin on the ground,” he says, as with the Mother’s Day weekend Colonial Pipeline attack and Fourth of July Kaseya attack, or around “highly sensitive periods” like mergers.

Chapman doesn’t think the cybercrime economy will be winding down any time soon, although ransomware may have peaked given mounting international attention to the threat. “There is some hope that the ‘golden age of ransomware’ is beginning to come to an end. Governments and organizations are starting to take the threat seriously and are taking proactive steps to disrupt the ransomware economy,” he says. “However, cybercriminals are highly skilled and adaptable. If ransomware becomes too difficult to do, they’ll simply turn to another form of cybercrime and the problem will evolve into something else.”

In the meantime, Chapman says, ransomware threat actors “will continue to operate as long as the reward outweighs the risk,” and “will continue to find new ways to keep the ransomware gold rush going.”

CyberCom’s successes and other US Government solutions.

In addition to sharing malware signatures like those favored by Iranian APT Static Kitten (also known as MuddyWater), Chapman says, Cyber Command is taking direct action against ransomware threat actors, having “played a key role in the operation to knock REvil offline last year,” for example. “Their action not only helps to take down key players in the ransomware ecosystem, but it also serves to intimidate others. Eventually, this might play a part in increasing the risk versus reward for cybercriminals, making ransomware an untenable business venture.”

Chapman thinks the future of Cyber Command’s efforts lies in multinational collaboration and tackling cybercrime infrastructure. “The recent REvil arrests in Russia were the result of a joint operation, and hopefully this success will open the door for similar initiatives in the future to take down international cybercriminal gangs,” he says. And taking on gangs’ infrastructure, he says, “means taking down dark web forums and VPNs, as we saw with the recent operation to shut down VPNLab.net which was supported by Europol and the FBI, among others.”

The Biden Administration’s critical infrastructure red line, delivered to President Putin at the Geneva summit last June, Chapman sees as another step in the right direction: “After the Colonial Pipeline attack, it was clear that more needed to be done to protect critical infrastructure from cyberattacks. Biden’s proposals should put the US on the right path and will ultimately make it harder for threat actors to target infrastructure again.”

Legislative initiatives should center on “the areas most at risk of attack,” Chapman says, “and that means the supply chain. Ransomware gangs are increasingly ‘poisoning the well’: looking for vulnerabilities in vendor or open-source software that they can use to propagate attacks against multiple targets.” Events of the past two years have driven home this point. The SolarWinds, Kaseya, and Log4j incidents all underscored the criticality of supply chain security and the far-reaching effects of upstream vulnerabilities. He would like to see “targeted” regulations that raise standards and safeguard the supply chain.

An ounce of prevention.

If you’ve heard it once, you’ve probably heard it dozens of times. Organizations, Chapman says, should prioritize prevention, and “need to use all the tools at their disposal to stop ransomware from taking hold: anti-phishing and anti-malware solutions, patching vulnerabilities, using VPNs, and deploying MFA (to name a few!).” Forking over a ransom won’t cure the headaches brought on by damaged databases—not to mention blackmailing and leaking risks. “Threat actors are likely to keep hold of some of your data, subsequently auctioning it off or using it as further leverage for a payment even after the initial ransom is paid,” he explains.  

One attack vector company leadership should not underestimate is email. “The single most important step an organization can take to prevent ransomware,” Chapman says, “is to deploy intelligent email security to stop phishing attacks. Email is the delivery channel for over 90% of malware, so it’s important to ensure that even the most sophisticated malicious emails are detected.”

Ripples from the REvil arrests.

Whatever the long-term trajectory of ransomware operations, this month’s law enforcement action against REvil has apparently shaken up the Russian privateering community. Digital Shadows says talk on Russophone darknet fora has turned to rumination over what conditions might be like in the big house, and suggests that some hoods may be questioning their life choices. With Mother Russia’s protection no longer assured simply by avoiding Commonwealth of Independent States targets, conversations about prison have hit an all-time high. The hoods are wondering, for instance, whether they’d be exploited for their cyber talent, applauded for their derring-do, overlooked, given the technical nature of their crime, or destroyed for being “weak nerds.” “Now more than ever,” Digital Shadows concludes, “they must keep looking over their shoulders, fixing past mistakes, and coming up with new ways to beat the technology used to track them.”

As the CyberWire has reported, questions remain about the crackdown. What motivated Moscow to move now? Could it be an olive branch aimed at de-escalating tensions with NATO, or a PR stunt designed to depict Russia as a good global citizen? Why single out REvil? Was it a signal to other gangs to steer clear of high-profile victims, which landed the group in hot water last year? Were those arrested lower-level operatives served up as scapegoats? (Video of the apprehensions shows the suspects enjoying sparse, dorm-like fixtures, not opulent digs.) Does the action promise further Washington-Moscow cooperation on cybercrime in the future?

Digital Shadows says the arrests “seem to indicate some sort of willingness to provide concessions to the US and its allies, or at the very least, some semblance of cooperation. For example, increased cooperation in the cybersphere if diplomatic negotiations between the two countries would evolve into more favorable conditions for Moscow.” They note that REvil was a low-level give due to its dormancy, with darkweb denizens characterizing the gang as “pawns in a big political game,” handed over to “calm down” Washington. 

(And we note in an aside that the FSB arrests may have been more show than substance. Researchers at ReversingLabs have been keeping an eye on REvil with a view to assessing how significant the much-ballyhooed FSB raids on those mingy REvil apartments actually were, and they tell us the answer may be “not very.” “The week before the arrest: There were 24 implants a day (169 per week),” they wrote. “The week before the arrest: There were 26 implants a day (180 per week).” That is, there’s not much change.)

Applications from the war on ransomware to the developing hybrid war over Ukraine

The response from Washington to Russian cyber operations launched as the Ukraine situation deteriorates will in all probability bear resemblances to the ongoing battle against Russian privateering, despite important contextual and geopolitical differences. We’ve already seen an alert from the US Cybersecurity and Infrastructure Security Agency (CISA), common fare in the daily grind against cybercrime, complete with mitigation guidance tailored to Kremlin tactics, techniques, and procedures (TTPs). Information sharing and admonitions to patch, defend, and otherwise prepare for attacks are par for the course, as are public shows of strength and arm-linking with international and private sector allies. Behind-the-scenes defend-forward activity, including takedowns of adversarial infrastructure, may complement defensive and diplomatic solutions, as might naming and shaming where relevant, sanctions, and seizures of assets.

Following the tumult of the past two years, Washington has in its toolkit new partnerships and task forces, budget lines and lines of communication, legal and organizational structures, and solidified international norms. US Cyber Command can be expected to continue its attempts to impose costs for cyber aggressions to influence the risk evaluations of threat actors, as politicians try to strike a dissuasive chord that resonates with Russian leadership.