Anna Delaney: Is the decline and fall of ransomware-as-a-service groups imminent, and how cybersecurity professionals are responding to changes in remote work policies. These stories and more on this week’s ISMG Security Report.
Delaney: Hi, I’m Anna Delaney. Will we see the decline and fall of ransomware-as-a-service groups? These crime syndicates have earned hundreds of millions of dollars. But could they be on their last legs? To discuss, I’d like to welcome executive editor Mathew Schwartz, who runs our DataBreachToday site and European coverage and who keeps a close eye on ransomware trends.
Mathew Schwartz: Hello, Anna.
Delaney: Good to see you. Matt, a week ago, there was an interesting prediction tweeted by Vitali Kremez, CEO of AdvIntel, and it read, “Expect less ransomware locker deployment, but a prolonged phase of corporate espionage/exfiltration by cybercrime enterprises.” I would love your thoughts on this.
Schwartz: This is a fascinating trend. The ransomware groups shot themselves in the foot a bit, especially with Conti. And at RSA this year, Vitali was telling me this in person – fascinating to hear all of the different moves and intrigues – and one of the fascinating things he said, which I had not heard before, was that after Conti came out in support of Russia’s invasion of Ukraine, Conti stopped getting ransom payments. Basically, you’re not allowed to pay ransomware groups that are known to be affiliated with sanctioned entities, which includes the Russian government. So, even if it wasn’t official, it seems like the legal advice to ransomware victims was, “You can no longer pay Conti.” So, in short order, we saw Conti going away; they had spun off a number of groups beforehand. So that’s the decline and fall of the ransomware-as-a-service operation. There have been a number of predictions along these lines over the past year after a lot of ransomware groups overstepped, for example, with the Colonial Pipeline attack done by DarkSide in May 2021. And around that timeframe, also the REvil, also known as Sodinokibi, group hitting big entities such as the world’s largest meat processor, and messing things up for them, and by extension, the rest of us. There’s been a big bullseye on these big ransomware-as-a-service operations. Some of them have been successfully disrupted by the likes of US Cyber Command, for whom the gloves have come off a little bit, especially as some of these groups have announced their affiliation, or intelligence or evidence has come out showing that they’re closely aligned with government agencies, in particular, Russian government agencies. So, it’s been more difficult to run these kinds of groups and to not get disrupted. And the affiliates who work with them, experts say, have been increasingly looking to not work with the big brands, because they have a big target on their back.
And that’s why you’re seeing Vitali talk about alternate methods of monetizing the sorts of attacks they’re doing, which have been, and seem likely to continue to be, less about crypto-locking malware, and more about extortion: stealing the data, holding it to ransom, but not disrupting the organization’s operations. And thus, a lot of attackers hope not to draw such close law enforcement scrutiny.
Delaney: Yes, presumably this move toward corporate extortion with no encryption involved is not only easier to do, but there’s a better chance of remaining anonymous for the criminals.
Schwartz: Definitely. They’d like to fly by night. They love it when a victim pays them quickly and silently. That is their number one goal. And so, if they can make that happen, they’re going to be all over that. And as you say, running a ransomware attack that involves crypto-locking malware is more difficult, has more pieces involved, in terms of you need to get that malware on there, crypto-lock systems after having already snuck the data out, then you need to negotiate with the victim, try to set a price that they will pay. Groups have been trying lots of different innovative strategies, as they always do. For example, they’ll charge different ransoms for different things, maybe give you a discount for all of them combined. So, you get a decryptor, you pay a certain amount, you get a promise from the group – never believe it – but you get a promise from the group that they will delete the stolen data, never sell it to anybody else. You pay another fee to get your name removed from their data leak site, and so on. They find ways to bleed the victims dry. So, traditionally, ransomware-as-a-service operations relied on affiliates, their business partners: they receive ransomware from the service, they go infect the victim; in return, typically the affiliate will get 70%, maybe 80%, of every ransom payment, and the operators keep the rest. This specialized approach has led to massive increases in revenue for both the operators and the affiliates. But with affiliates wanting to no longer be associated with these large groups, they are preferring, it seems, the extortion approach, in which they don’t need a big infrastructure behind them; they can contact the victims directly, issue their threats, try to get a payoff. And if they do, they’ve earned their criminal payday; if they don’t, we’re seeing more services in the cybercrime ecosystem come along to help with that. For example, there are now services they can hand off the stolen data to, which will function as mediators-as-a-service, where they’ll continue trying to shake down the victim. So, as always, lots of innovation, all aimed at helping these criminals earn illicit profit.
Delaney: Back to Vitali’s Twitter feed. Another prediction that I want to bounce off of you. He says, “The ransomware-as-a-service (RaaS) as well as the targeted ransomware deployment model is almost dead.” And he lists a number of reasons, including, one, overt and shadow sanctions or bans of Russian cryptocurrency brokers, which has made it tougher for criminals to get paid. And also, he says, backup software and services that have made the effect of ransomware less impactful than before. What’s your take?
Schwartz: That is extremely hopeful news, if true. So, working backward, if more organizations are getting their act together, because for years now what you need to do to defend against ransomware has been very clear: you need to keep multiple backups. And you need to make sure that some of them are stored offline. If you store them in the cloud, attackers can go and encrypt those. So there need to be certain types of defenses you have in place to maintain business continuity. Experts have been saying this for years. But what Vitali is saying is that finally this message has gotten out there. And finally, organizations can just restore from backups. That means they never need to consider paying a ransom, which is wonderful news. This is part of the reason ransomware groups have tried to further shake down organizations by saying, “If you pay us, then we promise not to mention that you fell victim to our attack.” The FBI and others have been saying, “We understand it’s a business decision if you pay or not. But please don’t pay for empty promises from criminals.” So, that’s the backup angle; there’s reason for hope there, especially if what Vitali is saying is true. The other thing is cryptocurrency flows and sanctions. And it’s wonderful to hear from his perspective that these sanctions are having a big effect on ransomware operators. If they can’t get paid, then ransomware is no longer an effective strategy for them. And this is what experts have been saying for years. We need to disrupt the flow of money to the ransomware groups; it sounds like this is happening a bit. What we need is to hopefully have this happen a whole lot, so that even if an organization gets hit, there’s no way that the money can get to the attacker.
And eventually, the attackers go looking for some other kind of business opportunity that doesn’t involve ransomware, which isn’t the biggest kind of cybercrime that we see on an annualized basis, from the amount of money flowing to the criminals, but it’s arguably the most disruptive.
Delaney: And what about the defenders? Companies that have carved careers to help organizations with their ransomware response. What will happen on that side, you think?
Schwartz: So, if ransomware attacks go away, you could imagine that a lot of the ransomware and incident response firms out there that are helping organizations respond to these attacks might need to rethink their approach a little bit. From having spoken with a lot of these groups, I don’t think they would mind. If the ransomware problem gets solved, organizations are still going to be suffering data breaches, and they’re still going to be having to investigate suspected intrusions. Ransomware attacks don’t exist in a vacuum. A lot of these attacks start out as network penetration. And then data gets infiltrated. And then attackers escalate their privileges. They take over Active Directory. If they haven’t already stolen some data, there’s still some more. And then, as a coup de grâce, they unleash ransomware. So, even if ransomware as a criminal business model loses steam, you still have, because you’ve always had, hackers breaking in and looking for ways to monetize their attack: stealing data, for example, working on behalf of espionage agencies, all sorts of things that you can think about. They’re still going to be doing these things; if there isn’t a ransomware component, that doesn’t make these attacks go away. That also doesn’t obviate the need to investigate how an attacker got in. Because if you don’t figure that out, they’re probably going to break back in. And well before the dawn of ransomware, we saw some serious hacks that went undetected for months or sometimes years, occasionally driving those businesses out of business. So, lots of challenges. If ransomware declines, those aren’t going to go away.
Delaney: Right. Well, an excellent overview of the state of affairs. As always, thank you very much, Matt.
Schwartz: Thanks, Anna.
Delaney: Who is responsible for a domain name or an IP address? Answering that question is the job of internet registrars, who require anyone who registers a top-level domain name to share their name, email address and phone number, plus administrative and technical contacts. This WHOIS data is an essential tool for investigators battling cybercrime, fraud and nation-state attacks, but there’s been a change with WHOIS, and that change impacts how law enforcement and corporate investigators can pursue and investigate online crimes. Executive Editor Mathew Schwartz asked Kroll’s Alan Brill what that change means and what the consequences are for our investigative abilities.
Alan Brill: When the European data security law, the GDPR, went into effect, the registrars, the people that sell you the URLs, said, “Well, we’re going to consider that registration data to be covered by GDPR.” Now GDPR covers people, human beings, natural people; it doesn’t cover corporations. But the registrars didn’t make that distinction. And they basically just shut down WHOIS. Now, if you think about it, WHOIS has been around since the very beginning of the internet. You could always go in and ask “who is,” and put in a URL and find out who was behind it. And as you can imagine, when you’re doing an investigation, whether you’re a corporate investigator or a law enforcement investigator, that’s useful information. And it also impacts individuals. When there’s a disaster, we often see sites popping up looking for donations, and they look terrific. But are they real? Or are you funding a fraudster? And it used to be that you could do it at WHOIS and you would see whether it made sense or not: if they claimed to be a major charitable organization, but it was registered by somebody you’d never heard of, or it was in a country that made no sense, you’d know it. But that’s going away. And now you get virtually no information when you go into WHOIS for .com or .org. And that’s a problem. In fact, the Coalition for a Secure and Transparent Internet did a survey and they found that over 70% of the investigations that were being carried out relating to cyber were being negatively impacted by this change at WHOIS, and frankly, there’s not a lot being done to remedy this situation.
Delaney: And finally, a new (ISC)2 member poll looks at how organizations are changing remote work policies in 2022 and what it means for worker satisfaction. I spoke with (ISC)2 CEO Clar Rosso who said that 57% of the individuals polled say that their employers have changed their remote work policies with a return to the office either full time or part time. And there’s been a 10% decline in remote working globally. I asked Rosso how that’s been received by cybersecurity employees.
Clar Rosso: Not so great. So, it’s interesting. There are people who like to be in the office. So we don’t want to forget people that like to be in the office. But we also know, from our workforce study a year ago, that job satisfaction went way up when cybersecurity professionals were sent home to work remotely because of the pandemic. Despite the intensity of work they were doing during that time, satisfaction was up because they liked working remote, but what the survey really tells us is people want choice. People want to choose when and how they go into the office. And if I look at the results, they say 38% who were fully remote and are now required to go into the office part-time have said they have had a decline in their job satisfaction, and of those that were fully remote and asked to go into the office full-time, 47% say their job satisfaction has declined. So this is a big issue. We always talk about salary for individuals. I think the choice of where to work is, for some people, as important or more important than their salaries.
Delaney: That’s it from the ISMG Security Report. I’m Anna Delaney. Until next time.