30 August 2022

Restraining Russian Ransomware

Scott Jasper

Last May, Americans up and down the East Coast waited in long lines for gas. The panic wasn’t caused by a foreign war or sanctions but by a Russian ransomware attack. The Russia-based criminal group DarkSide had infected Colonial Pipeline with ransomware and demanded millions of dollars to unlock Information Technology systems. Colonial shut down the flow of fuel from the Gulf Coast for a week, even after paying the hackers roughly $5 million.

Soon after, DarkSide went dark when its blog site and payment server were taken down by its service provider. However, the group adapted. It rebranded as BlackMatter in an attempt to avoid law enforcement. That tactic worked until Russian authorities arrested a DarkSide hacker behind Colonial Pipeline in January after President Joe Biden asked President Vladimir Putin to crack down on Russian cyber criminals.

Another prolific ransomware operation named Conti, run by a Russian cybercrime syndicate, chose a different, more clever strategy to continue its operations in the face of efforts by law enforcement to stop them. Conti drew undue attention after the Russian invasion of Ukraine by officially announcing full support for the Russian government, and declaring that it would strike back at the critical infrastructure of any country that decided to organize war activities against Russia. In response, an infuriated Ukrainian security researcher leaked thousands of internal Conti messages and the source code for the Conti ransomware encryptor and decryptor.

Within months, the Conti operation shut down its public facing internet sites used to leak data and negotiate with victims. Instead of a major rebrand, the Conti syndicate continues to operate with gang members splintered into smaller cells that infiltrate other ransomware operations, known as BlackCat, Hive, and HelloKitty. This prevented the whole network from being taken down at once by the authorities. The groups take advantage of the penetration (break into the device) testers (that probe for system weaknesses), developers, and programmers still loyal to the Conti syndicate, gaining access to seasoned expertise and vulnerability exploits. Other syndicate members have created their own data extortion operations that do not encrypt data, such as Karakurt.

Despite the public exposure, Russian ransomware groups have been able to adjust strategies in order to survive. Previous attempts to coerce the Russian government into cracking down on hacker groups on their own territory have produced only superficial results—Russia did make some arrests of lower-level hackers, primarily for political theater. Even if Moscow had done more, it would be impossible now given the dismal relations between the United States and Russia over the war in Ukraine.

With this level of resilience to continue operations, how can the United States restrain Russian ransomware? America’s strategy is to disrupt ransomware actors’ activities, finances, and infrastructure. Washington can pursue criminal charges against Russian ransomware with assistance and insight from the intelligence community. The Justice Department has already stepped up efforts to impose costs through arrests of ransomware actors and seizure of their proceeds.

US Cyber Command and the National Security Agency have enabled cross-government actions by sharing key insights on ransomware actors in near real-time. Their commander recognizes that Russian protected gangs carrying out ransomware attacks are a national security issue. Yet as criminals, they operate based on financial motivations. While the government is doing what it can to prosecute cyber criminals, American companies and organizations have no choice but to protect their networks to avoid becoming a victim.

What the Government Can Do

Well before Russia’s war against Ukraine, Biden asked Putin to rein in ransomware gangs operating from Russian soil. Biden warned him in Geneva in June 2021 that the United States would respond to attacks on US critical infrastructure. Biden gave Putin a list of sixteen areas that the United States considers off-limits.

In July 2021, the REvil ransomware group, based in Russia, hacked into Kaseya, a Miami-based software supplier for technology service providers. REvil had attacked meat processor JBS USA a couple of months prior, disrupting the distribution of beef and pork for days. However, Biden discounted the Kaseya attack, saying “the impact on US businesses appeared to be minimal.” Months later, Russia took steps to remove ransomware attacks from Russian territory. In January 2022, the Russian Federal Security Service, the FSB, claimed that they arrested REvil members and seized funds from more than two dozen residences at the request of US authorities.

One year after Geneva, relations between Washington and Moscow are perhaps at an all-time low in the post-Cold War period. Any hope for a predictable and stable understanding on cybersecurity and ransomware has fallen apart. Dialogue and cooperation today are virtually non-existent on strategic stability matters, such as arms control and cyber attacks. The imposition of significant new sanctions to hold Putin accountable for the invasion of Ukraine dominated the recent G-7 leader meetings. While economic measures intended to deprive Russia of resources necessary to wage war are already imposing drastic costs. Thus, the deterrence levers of diplomacy and sanctions are somewhat spent when it comes to ransomware. Instead, US security agencies warn of Russian criminal cyber threats to critical infrastructure as a response to the unprecedented economic cost imposed on Russia. They pose a threat primarily through deploying ransomware or conducting distributed denial of service attacks that overload websites.

The United States is left with some options to impose costs directly on Russian ransomware gangs. Authorities can go after the actor, their money, or their infrastructure. The legal instrument proved successful in the arrest of Yaroslav Vasinskyi, a REvil operator, responsible for the ransomware attack against Kaseya. Vasinskyi was apprehended in Poland in November 2021 to face extradition to the United States. The Justice Department also announced at the same time the seizure of $6.1 million in funds traced to REvil ransom payments received by Yevgeniy Polyanin, a Russian national.

Likewise, earlier in June 2021, the department announced it seized $2.3 million in cryptocurrency paid to DarkSide for the Colonial Pipeline ransom demand. The FBI was able to track multiple transfers of bitcoin to a specific address for which they had the private key to access the assets. The US government is currently offering a reward of up to $15 million for information leading to the identification and location of the leaders of the Russia-based Conti syndicate. The same offer goes for leaders of Darkside and variant rebrands.

Deputy Attorney General Lisa Monaco says the Biden administration strategy has shifted to rely less on solely charging foreign hackers who may never see the inside of a courtroom. Her remarks came after US law enforcement disrupted a North Korean state-sponsored ransomware operation using a strain dubbed Maui and recovered about a half-million dollars in ransom payments by hospitals and medical facilities. Monaco says the new strategy is to dedicate resources to disrupt and dismantle malicious cyber activity. This approach uses all available tools and centers on private sector reporting and collaboration.

Embracing a strategy to disrupt and dismantle the activities of cyber criminals would allow law enforcement, in theory, to follow the money, extract decryptor keys, and prevent the next victim. In practice, disrupting cyber activity is easier said than done. Not only are many cyber actors out of reach of US authorities, but their infrastructure might be inaccessible, too. The hosting provider that agreed to shut down a DarkSide server was in New York, whereas a server provider for Conti that supports anonymous payment methods is located in Russia. The provider named Inferno Solutions says that they always side with the client and “do not disturb clients in case of dubious and unlawful complaints (abuse).”

Playing Defense

To protect companies and organizations from ransomware attacks, the United States has already embraced boundary firewalls, strong passwords, and vulnerability patch management. In addition, critical infrastructure entities should segment networks, enforce multifactor authentication, and adopt endpoint (any physical device connected to a network) and detection response tools.

Conti partners have also deployed the ransomware against US healthcare and first responder networks. These are tempting targets for ransomware criminals because they are eager to restore services and therefore likely to pay the ransom. The potential for lucrative payouts is a stark reminder that beyond advancing the interests of the Russian state, Russian ransomware groups are relentless to obtain financial gains.

Targets of ransomware have no choice but to harden their defenses. US security agencies routinely provide technical details and suggested mitigations in their joint cybersecurity advisories on these groups. For instance, an advisory on Conti ransomware describes twenty-three techniques routinely employed by Conti actors, along with what is called the MITRE ATT&CK framework adopted by industry and the government. Going forward, Conti syndicate members will undoubtedly use these same methods to gain access, move across networks, evade detection, and impact targets by data encryption.

Mitigations are meant to help network defenders reduce the risk of compromise by ransomware attacks. It’s common for companies and organizations to require multifactor authentication and strong passwords to remotely access networks, and implement block lists to prevent users from reaching nefarious websites. In addition, ensuring network segmentation helps prevent the spread of ransomware, and maintaining offline encrypted backups of data assists recovery efforts. Finally, upgrading software and scanning for vulnerabilities or flaws that actors could misuse for code execution is part of a strong cybersecurity strategy.

FBI FLASH reports also disseminate identified techniques and indicators of compromise associated with ransomware variants to cyber security professionals and system administrators. A FLASH on BlackCat ransomware revealed that cyber actors leverage Windows scripting language (PowerShell and Batch) to deploy ransomware, and leverage Windows administrative tools during compromise. These observed methods reinforce recommendations for organizations to implement an endpoint and detection response tool for identifying abnormal activity.

US Military Cyber Operations

In recent congressional testimony, General Paul Nakasome, the head of US Cyber Command and the director of the National Security Agency, declared that ransomware can have strategic effects, citing the disruption of Colonial Pipeline. He referenced that incident telling participants at the 2021 Mandiant Cyber Defense Summit, "when ransomware affects critical infrastructure, it’s a national security issue.” This is even more the case if ransomware attacks are carried out by criminal gangs that are protected by the nation-states in which they live, specifically Russia. Nakasone told Congress his command has taken numerous actions over the past year to combat ransomware. They have worked with interagency and industry partners to disrupt and degrade the operations of ransomware groups that attack critical infrastructure. One of the goals of their actions is to impose costs on these criminal gangs, which according to Nakasone is “an important piece that we should always be mindful of.”

The US military's first and only publicly reported action against a Russian ransomware gang occurred in October 2021. US Cyber Command blocked the website of the Russia-based REvil ransomware group by diverting its traffic. This operation deprived the group of the medium they used to extort and negotiate ransoms from victims. Cyber Command redirection of the traffic was enabled by information on servers and private keys shared by the FBI. Within hours after the Cyber Command operation, a REvil leader wrote “Domains hijacked from REvil” on a Russian language forum. Then he wrote “they are looking for me” and “Good luck everyone. I’m taking off.” Soon after REvil stopped operations, at least temporarily. The REvil disruption was clear evidence that ransomware operations will be treated as risks to U.S. national security.

US military and law enforcement operations have forced top-tier Russian gangs to shut down. IBM security unit X-Force states seventeen months is the average time before a group disappears and reemerges under new names. BlackCat rose from BlackMatter after police pressure and a decryptor was created and used by the security firm Emsisoft to help victims recover files. Gang members confirmed in an interview they are affiliated with DarkSide and BlackMatter. BlackCat was blamed for a ransomware attack on two German oil companies in January 2022 that affected hundreds of gas stations across Germany. Other rebrands, like GrandCrab switching to REvil, after arrest of affiliates, depict a vicious cycle.

Looking Ahead

Before Conti disbanded into splinter cells, US security agencies warned in March 2022 that Conti ransomware has been used in more than 1,000 attacks against US and international organizations. At that time, BlackCat had breached at least sixty organizations worldwide, including victims in construction, transportation, insurance, telecommunication, and pharmaceuticals. The targets of Russian-protected ransomware gangs constitute a national security issue. Yet even before the invasion of Ukraine, the Russian government did not seriously crack down on ransomware operators. The raid on REvil was a political stunt during security talks. Russian security services arrested low-tier members who were only charged with “illicit money control/ laundering”­—not hacking.

US law enforcement and the military are left to chase down the actors behind ransomware, money, and infrastructure. Russian-linked groups will invariably become more sophisticated and evasive over time. BlackCat. Is the first ransomware group to code their encryptor in Rust, a more secure and highly customizable programming language that facilitates the ability to pivot and individualize attacks.

The technical innovations and rebrands made by ransomware gangs will require the US government to take a proactive approach focused “from every angle” to restrain Russian ransomware. As the Colonial Pipeline incident demonstrated, an effective ransomware attack can undermine the economy and upend domestic politics. The best defense for American companies and organizations, therefore, is to harden defenses with procedures and tools suggested by government security agencies.

No comments: