
On Ransomware: Government Strategy and Secret Service Tactics | ActZero

Written by Sameer Bhalotra | Oct 16, 2022 4:00:00 AM

Let’s dive right in.

WHAT IS RANSOMWARE?

Ransomware is a type of malicious software designed to take your systems hostage. Once the threat actor gains control, they deny you access, encrypt your data and exfiltrate it for extortion. You can expect a ransom note shortly after. However, paying the ransom does not guarantee restored access or deletion of stolen data. As the age-old proverb says, there is no honor among thieves.

The White House reported in 2021 that ransomware incidents disrupted critical services worldwide. Among them are schools, banks, government offices, emergency services, hospitals, food, transportation, and energy companies. With an estimated $20 billion loss incurred each year, this business is global and thriving, affecting everyone.

In my recent keynote, I discuss how we arrived at this point, the government's role, mitigation strategies that have been successfully deployed, and what we need to do going forward.

THE LAY OF THE LAND

I have been fortunate to work in four administrations, seated front row to critical debates around the changing landscape of cybersecurity and how to stay ahead of the curve.

In 1991, the world wide web was made public, but cybersecurity only became a topic of interest in the early 2000s as threats multiplied and diversified. A threat to the nation required defense. The issue, however, was novel, and there were no laws to dictate how it should be addressed. As a result, I was brought in as a subject matter expert and tasked with bridging the gap, educating the Senate on the inner workings of these cyberattacks to improve understanding and build awareness.

You may know that while the government has substantial power, it cannot impose cyber defense on the private sector. Hence, laws were needed to define defense parameters for non-governmental organizations without stifling innovation.

This sparked impassioned debates on cybersecurity policy. What should be done about cyber defense? Should it be mandated or incentivized? By introducing a compromise bill with a tailored regulatory approach, Senator Rockefeller drew a line in the sand on protecting critical infrastructure (water systems, banks, and power grids) from increasingly commonplace cyberattacks. Senator Whitehouse, on the other hand, took an economic approach by promoting cyber insurance, while other senators, with resounding support from large corporations, maintained an anti-regulatory stance.

It is interesting to note that while the private sector fought against regulation, it threw up its hands when it came to formulating a viable common defense plan, thereby placing many, including individuals and small to mid-sized businesses (SMBs), at risk.

In 2011, the Obama administration presented a cybersecurity legislative proposal to Congress, outlining recommendations for safeguarding personal data and critical infrastructure while still protecting civil liberties. This light-touch regulatory approach was a strategic step forward and had all the characteristics of a watershed moment. As you can imagine, rounds of debates ensued, and many bills were introduced. Which way would the tide turn? Would the Senate vote in favor of or against the proposal?

The answer remains a disappointment to me. Although cleverly crafted to balance privacy concerns with national security concerns, the proposal garnered 53 Senate votes, seven short of the required number, and therefore failed to pass. Following this failed vote, Congress took a hands-off approach, deciding that it was not prepared to enact the comprehensive cybersecurity legislation needed to ensure national cyber defense.

This, in turn, paved an unscrupulous path for the rise of ransomware.

Big business: Who are cybercriminals?

From the early 2000s until now, we have seen a drastic shift in the landscape of cyberattacks. What were once simple, automated, ‘take it or leave it’ campaigns targeting individuals for small ransom payments of $75-$750 have grown into big-league, sophisticated extortion operations targeting large corporations and critical infrastructure.

In 2013, CryptoLocker generated $27 million in ransomware payments from only 30% of its targeted victims over a two-month period. This windfall caught the attention of cybercrime groups, who seized the opportunity to scale operations, even to the point of franchising.

Due to the lucrative nature of this ‘business’, organized cybercrime syndicates such as Dridex Botnet, TrickBot, and GandCrab grew in popularity between 2016 and 2019. Cerber and Locky made out with $7 million before people figured out how to block the destructive ransomware. As of today, eight of the top ten ransomware groups have generated at least $10 million per year. The number one group on the list, REvil, an offshoot of the GandCrab group, generates $100 million annually. As per law enforcement reports, the total value of cryptocurrency received by monitored ransomware addresses has increased from $25 million in 2016 to $700 million in 2021. According to a recent survey, there has also been a sharp growth in victims agreeing to pay ransoms, from 30% to 83%.

In the last two years, a malware derivative, ransomware-as-a-service (RaaS), has gained ground and shows no signs of slowing down. The forceful nature of ransomware attacks is in part because of the rise of RaaS. This business model is structured like any other business, with specialized departments, including human resources and 24/7 technical support, that operate efficiently and effectively. A REvil ransomware gang defector reported to law enforcement that at one point they had 60 affiliate groups conducting attacks on their behalf.

Read more on this trending issue in our white paper: The Rise of Ransomware-as-a-service.

The key tenet of effective defense is proactive thinking. Adversaries have evolved their tactics, skills, and tools over the last decade. How might they exploit your security vulnerabilities? Watch our webinar, Thinking about the Adversary: Offensive and Defensive Strategies to find out how to create attack and defense plans.

A snapshot of recent cyberattacks

At the peak of the COVID-19 crisis, United Healthcare, a multinational managed healthcare and insurance provider, suffered a ransomware attack that affected 250 affiliated healthcare facilities, compromising patient data.

In May 2021, there was yet another high-profile cyber-attack. Colonial Pipeline, the largest and most vital pipeline system in the US, was hacked by a cybercrime group known as DarkSide. The company regained access after paying the ransom demand of $4.4 million in bitcoin. However, the six-day shutdown resulted in fuel shortages across the nation.

In both cases, robust cyber defense strategies would have prevented the attack.

The ugly truth

Cyberattacks are ever-evolving, and their frequency is on a steady incline. It is upsetting to me that in the absence of comprehensive cybersecurity laws, citizens suffer the consequences. The US private sector remains low-hanging fruit for cybercriminals. Defense shouldn’t be optional, not when it is a matter of national security.

To combat this evolving problem, we must first understand it. The three known contributing factors to the rapid growth of Ransomware attacks are as follows.

  1. Threat actors take advantage of poor security habits, and unfortunately, security-poor organizations are plentiful. In today's complex and evolving tech environment, cybersecurity is a necessity for every organization, regardless of size or industry. As an advocate for defense preparedness, I encourage you to test your systems.

  2. The method of payment, cryptocurrency, is decentralized and largely unregulated. As of now, it is unclear how the government will address this poorly regulated monetization.

  3. Cybercriminals stay true to character, exploiting jurisdictional boundaries to evade law enforcement. 

THE ROLE OF THE SECRET SERVICE IN CYBERSECURITY

Besides protecting the president, the Secret Service investigates and responds to cyber-attacks.

A division of the Secret Service, the Cyber Fraud Task Force (CFTF) has 44 offices nationwide, as well as two overseas in London and Rome. Their responsibility is to identify, prevent, deter, mitigate, and investigate cybercrime. In partnership with the Global Investigation Operation Center (GIOC), the CFTF monitors security threats, gathers intelligence, and alerts companies to compromised accounts in real time.

The companies may then exercise their free will and choose either to resolve the matter internally or to pursue a criminal investigation. If the latter, the company extends an invitation and signs a consent form, after which a Secret Service technical special assistant and network intrusion agents set up shop on site. A ‘war room’, as it is called, is where in-depth situation analysis and remediation planning happen.

My conversation with Mike Alvarez regarding ransomware strategy and Secret Service tactics was candid and insightful. As a cyber first responder for the Secret Service, he has handled complex intrusion investigations, computer forensic examinations, and assisted with prosecuting individuals exploiting our nation’s critical infrastructure. A recent arrest is that of Diego Santos Coelho, a facilitator and administrator for raidforums.com.

During our chat, Mike disclosed the details of a recent attack, reminding us yet again that no one is immune. In fact, thanks to multimillion dollar contracts with larger companies, SMBs have become increasingly attractive targets, as the end goal is to gain access to the privileged data housed by larger corporations.

A case study: Cause and Effect

A cybercrime group called FIN7 engineered a cyberattack on a Houston-based small construction company. This occurred because the company ignored multiple warnings from the Secret Service about compromised accounts and chose not to deploy cyber defenses. They also refused to pay the ransom and consequently had to start from ground zero.

Though this was not a traditional happy ending, it is comforting to know that the CFTF is not exclusive to multinationals. A mom-and-pop business can have access to the power of the Secret Service and all their global intelligence capabilities, including high-tech decryption tools like the password cracker, to stop a ransomware attack.

Now is as good a time as any to learn how to respond effectively and quickly to an incident, with minimal disruption to business processes. Download our asset Elevating Incident Response Readiness to get started.

Should you pay the ransom?

The government advises against ransom payments, but it will usually allow you to make your own decision. However, it is illegal under US law to disburse payment in these instances:

  1. If the attackers are a known terrorist group.

  2. If they funnel through a money mule account, or to a foreign country on the FBI’s watch list.

LESSONS LEARNED

The unfamiliar nature of cybersecurity in the early days required balancing on a knife-edge. Initial cyber hearings were classified, which slowed down the learning process. As cybersecurity is such a nuanced topic, I believe public debate earlier in the timeline would have provided more robust insights into threat readiness and response.

Furthermore, corporations should have been included in the earliest discussions to develop shared understanding. But as with all things in life, continuous improvement is the key.

CYBERSECURITY: HOW TO BUILD YOUR DEFENSE

There are no shortcuts to implementing safeguards in the harsh terrain of cybersecurity. A crucial first step to boosting your company's security posture and protecting the health of your organization’s network and assets is maintaining good cyber hygiene. It is as simple as updating software, web browsers and operating systems regularly, installing antivirus, and using multi-factor authentication.

Mike Alvarez offered a quote that rings true: a chain is only as strong as its weakest link. Social engineering, which includes phishing emails and malicious websites, is responsible for a large percentage of data breaches. As part of the process of configuring for security, employees must be empowered through ongoing cybersecurity awareness training. This way, everyone is vigilant.

I cannot overstate the value of an emergency preparedness plan. It is your personalized playbook for mitigation, remediation, and safeguarding your network and assets in a coordinated way. This free guide: Foundations for Incident Response Readiness provides user-friendly templates for creating an adaptive and mature incident response plan.

Lastly, in the event of an attack, fight the instinct to power down and unplug your system. Instead, collect log files, memory scrapes, RAM captures and the encryption keys in the Bitcoin wallet. Also, do not forget to take your backup server offline.

THE FUTURE OF CYBERSECURITY: INTEGRATED DEFENSE

Some think ransomware is on the decline, and others believe otherwise. The bottom line is that there is a looming risk that requires continued, cutting-edge management. The government may not have the authority to enforce cyber defense, but it has found creative ways to help.

ActZero is a purpose-built security ‘middle-man’ leveraging years of comprehensive research and development, and Artificial Intelligence (AI), to deliver first-rate cyber defense. Our AI- and ML-enabled Managed Detection and Response (MDR) service integrates quality detection tools, an elite force of threat hunters, and incident response processes to elevate your cybersecurity. We help organizations, regardless of size and industry, harden their defenses and stand firm in the face of relentless cyberattacks. See our service live in action; book a demo here.