Avast_Security_News: The US government's move is changing the ransomware landscape
#1
Quote:

While the government has released cybersecurity requirements many times in the past, it's the first time we’ve seen them issued so quickly in response to a known attack

Are ransomware attacks on the rise? It would certainly seem so. From the Colonial Pipeline to JBS to Ireland’s Health Service, the effects of ransomware are being felt far and wide. At the same time though, the US government has responded to these attacks in new ways that are already having an impact on ransomware operators and could signal a new, positive phase in the battle against ransomware.

Colonial Pipeline was hit with a ransomware attack that shut down their pipeline system for nearly a week in early May of this year. The company said that while the pipeline system itself was not affected, their internal networks were, leading to the shutdown. Colonial Pipeline is a major fuel supplier to the United States East Coast, supplying 45% of fuel to the region. As a result, the shutdown had immediate effects, which were worsened by panic-buying induced shortages. 

Then, in early June, a ransomware attack against JBS — the world’s largest meat processor — shut down processing at nine beef plants and disrupted operations at pork and poultry plants across the US. JBS was able to return to operation within a week.

The timing of these significant attacks, one after the other, has garnered a lot of attention and concern. But what hasn’t gotten as much attention — and is at least as important — is the response from the US government and the impact that appears to be having on the ransomware operators and the ransomware industry. We may be entering a new phase in the ransomware crisis that sees, finally, progress in stopping this problem.

New US government responses to ransomware attacks

While the Colonial Pipeline attack was still underway, the US government moved quickly to declare a state of emergency for the affected sector: a first in terms of speed and scope of response. 

Then, within days of the attack, the FBI attributed the attack to the Darkside ransomware group, commonly believed to be Russian, though not part of the Russian government. While the FBI has made public attributions about cyberattacks before -- such as their attribution of the Sony Pictures attack in 2014 to North Korea -- this is the first time it was done this quickly.

Before the end of May, the US government released new cybersecurity requirements for pipeline operators. While the US government has released cybersecurity requirements many times in the past, this is the first time we’ve seen requirements issued so quickly in response to a known attack.

As the JBS attack unfolded, we saw another series of fast, unprecedented responses from the US government. The FBI moved quickly to publicly attribute the attacks to a specific ransomware group within days of the attack, this time naming REvil/Sodinokibi ransomware group.

Anne Neuberger, Deputy National Security Advisor for Cyber and Emerging Technology, then released a memo urging business leaders to take the threat of ransomware seriously and providing specific guidance on steps they can and should take to help prevent these attacks.

Most significantly, we learned that the US Department of Justice released a memo to U.S. attorney's general offices across the country, telling them to prioritize ransomware attacks at the same level as terrorism cases. This is a truly unprecedented move that puts ransomware literally at the top of the list for US law enforcement.

To underscore how seriously the administration is taking these ransomware attacks, on Monday, June 7, 2021, US National Security Adviser Jake Sullivan said that the administration was planning to address ransomware “at every stop” of President Biden’s planned first international trip. He said they hoped this would lead to the US and allies developing an “action plan,” clearly indicating a goal of strong coordination to combat the problem.

That same day, the US Department of Justice announced that they had recovered $2.7 million of the $4.4 million ransom Colonial Pipeline had paid. Another action unprecedented in speed and scope. 

Taken altogether, these actions constitute a significant change in posture by the US government and federal law enforcement towards ransomware. And we can see that some of these actions are already having an impact on the ransomware “industry.”

Impact of actions on ransomware groups

To see the impact of at least some of these actions, we can look at the Darkside ransomware group behind the Colonial Pipeline attacks.
First, it’s notable that within just a couple of days of the Colonial Pipeline attack, the Darkside ransomware group issued an unprecedented statement that appeared intended to put distance between themselves and the impact of the attack. The Darkside group actually operates with an affiliate model, meaning that others launch the actual attacks using Darkside’s technology and infrastructure for a fee. The tone of the statement and the fact that they blame the attack on a “bad affiliate” appears calculated to try and defuse any potential retribution.

This is consistent with Darkside, whose ransomware specifically checks the language of the system before installing so as not to install on systems set to Russian or to the languages of the countries in Russia’s “near abroad” and Syria (where Russian troops are stationed). Our researchers have verified this in recent versions of their ransomware, and it’s widely believed this is a tactic to ensure they don’t cause domestic law enforcement and government to shut them down. This initial statement would seem to be another tactic in that playbook to keep “the heat” of law enforcement and government action against them low.

However, it appears that tactic failed. By the end of the week, as Colonial Pipeline was resuming operations, we learned that Darkside had lost control of their infrastructure and payment systems and was shutting down its affiliate program due to “pressure from the US.” They also indicated that their funds had been withdrawn to an unknown account. Presumably at least some of this represents the partial recovery of Colonial Pipeline’s ransom.

At about the same time, we learned that two major underground forums which host ransomware ads, XSS and Exploit, were banning those ads.

That move dealt a blow to the business side of the ransomware business by making it harder to advertise to possible affiliates and buyers of ransomware services.

And about two weeks after Darkside announced they were shutting down, we learned that some of Darkside’s affiliates were going to “hacker court” to try and recover funds they were owed by Darkside. 

Finally, just days after the FBI named REvil as behind the JBS attacks, REvil released their own statement seeming to try and distance themselves from the impact of the attack, similar to Darkside’s statement.
...
[-] The following 1 user says Thank You to harlan4096 for this post:
  • jasonX
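The locale check the quoted article describes (the ransomware exits rather than install on Russian, near-abroad or Syrian systems) is worth seeing in code, because it determines which commonly suggested mitigations actually do anything. The block below is an added example modelling that check; it is not Darkside's code and not Avast's research code. The LANGID values are Microsoft's published Windows language identifiers, but the exact exclusion list Darkside uses is not stated on the page, so the set here is an assumption for illustration. The HKL-based variant at the end is included to show the difference between malware that reads the default language APIs and malware that enumerates installed keyboard layouts.

```python
"""Model of a 'do not run in Russia or its near abroad' locale gate.

Added, illustrative example. It models how a Windows binary compares
GetSystemDefaultUILanguage() / GetUserDefaultLangID() against an
exclusion list, so a defender can reason about what such a check does
and does not cover. It is not the ransomware's own code.
"""
import sys
from typing import Iterable, Optional, Tuple

# Windows LANGID layout: low 10 bits = primary language, next 6 bits = sublanguage.
PRIMARY_MASK = 0x3FF


def primary_language(langid: int) -> int:
    """Primary language ID, e.g. 0x19 for every Russian variant."""
    return langid & PRIMARY_MASK


def sublanguage(langid: int) -> int:
    """Sublanguage ID, e.g. 1 for ru-RU, 2 for ru-MD."""
    return (langid >> 10) & 0x3F


# ASSUMED exclusion list: Russian, near-abroad languages and Syrian Arabic.
# The LANGID values are standard Windows identifiers; the membership of the
# set is illustrative and not extracted from any sample.
EXCLUDED_LANGIDS = frozenset({
    0x0419,  # ru-RU Russian
    0x0422,  # uk-UA Ukrainian
    0x0423,  # be-BY Belarusian
    0x0428,  # tg-Cyrl-TJ Tajik
    0x042B,  # hy-AM Armenian
    0x042C,  # az-Latn-AZ Azerbaijani (Latin)
    0x0437,  # ka-GE Georgian
    0x043F,  # kk-KZ Kazakh
    0x0440,  # ky-KG Kyrgyz
    0x0442,  # tk-TM Turkmen
    0x0443,  # uz-Latn-UZ Uzbek (Latin)
    0x0444,  # tt-RU Tatar
    0x0818,  # ro-MD Romanian (Moldova)
    0x0819,  # ru-MD Russian (Moldova)
    0x082C,  # az-Cyrl-AZ Azerbaijani (Cyrillic)
    0x0843,  # uz-Cyrl-UZ Uzbek (Cyrillic)
    0x2801,  # ar-SY Arabic (Syria)
})


def would_abort(system_ui_langid: int, user_default_langid: int) -> bool:
    """True if a payload gated on the two default-language APIs would exit.

    Both values are compared because a sample may query more than one API;
    a hit on either is treated as 'excluded region'.
    """
    return any(l in EXCLUDED_LANGIDS for l in (system_ui_langid, user_default_langid))


def langid_from_hkl(hkl: int) -> int:
    """A keyboard layout handle (HKL) carries the layout's LANGID in its low word."""
    return hkl & 0xFFFF


def would_abort_any_layout(system_ui_langid: int, user_default_langid: int,
                           keyboard_layouts: Iterable[int]) -> bool:
    """Variant for families that ALSO walk GetKeyboardLayoutList().

    Only this variant is affected by the 'install a Russian keyboard'
    mitigation: adding a layout changes the HKL list, not the two
    default-language values.
    """
    if would_abort(system_ui_langid, user_default_langid):
        return True
    return any(langid_from_hkl(h) in EXCLUDED_LANGIDS for h in keyboard_layouts)


def host_langids() -> Optional[Tuple[int, int]]:
    """On Windows, read the two LANGIDs the check would see; elsewhere return None."""
    if sys.platform != "win32":
        return None
    import ctypes  # only needed on Windows
    k32 = ctypes.windll.kernel32
    return (k32.GetSystemDefaultUILanguage(), k32.GetUserDefaultLangID())


if __name__ == "__main__":
    # Constructed inputs: a US English host with and without a Russian keyboard layout.
    en_us, ru_ru_hkl, en_us_hkl = 0x0409, 0x04190419, 0x04090409
    print("default-language gate, en-US host:", would_abort(en_us, en_us))
    print("layout-aware gate, en-US host + Russian layout:",
          would_abort_any_layout(en_us, en_us, [en_us_hkl, ru_ru_hkl]))
    print("this host:", host_langids())
```

The practical takeaway for a defender is the split between the two gate functions: a sample that reads only the default-language APIs, as the article describes, is not fooled by an added keyboard layout, so that widely repeated mitigation should be verified per family rather than assumed.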