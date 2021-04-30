



BOSTON: Political wrangling in Washington over Russia’s hacking into federal agencies and interference in US politics has mostly eclipsed a worsening digital scourge with a much broader reach: crippling and disheartening extortionate ransomware attacks by cybercriminal mafias that operate primarily in foreign safe havens outside the reach of Western law enforcement.

In the United States alone last year, ransomware hit more than 100 federal, state and municipal agencies, more than 500 health centers, 1,680 educational institutions and thousands of businesses, according to cybersecurity company Emsisoft. The dollar losses run into the tens of billions. The exact numbers are elusive. Many victims avoid reporting, fearing damage to their reputation.

All the while, ransomware gangsters have grown more brazen and arrogant as they increasingly put lives and livelihoods at risk. This week, one syndicate threatened to make available to local criminal gangs data on informants that it says it stole from Washington, DC subway police. Another recently offered to share data stolen from victimized businesses with Wall Street inside traders. Cybercriminals have even reached out directly to people whose personal information was collected from third parties to pressure victims to pay.

In general, ransomware players have become bolder and more ruthless, said Allan Liska, analyst at cybersecurity firm Recorded Future.

On Thursday, a public-private task force including Microsoft, Amazon, the National Governors Association, the FBI, the Secret Service and elite British and Canadian crime agencies delivered to the White House an urgent 81-page plan of action for an aggressive, comprehensive, whole-of-government attack on ransomware.

During the report’s online launch, Homeland Security Secretary Alejandro Mayorkas said in a pre-recorded video that the White House is developing a plan to disrupt ransomware and that his department “will work to implement many recommendations (from the group), because one thing is clear: Ransomware is a threat to our national security.”

Mayorkas announced a DHS ransomware initiative last month, and the Justice Department has just created a task force to tackle the scourge.

WHERE DID RANSOMWARE COME FROM? HOW DOES IT WORK?

The criminal syndicates that dominate the ransomware industry are mostly Russian-speaking and operate with near impunity from Russia and allied countries. They are a continuation and refinement (ransomware was barely a blip three years ago) of more than two decades of cyber-theft that spammed, stole credit cards and identities, and emptied bank accounts. The syndicates have grown in sophistication and skill, taking advantage of dark web forums to organize and recruit while hiding their identities and movements with tools like the Tor browser and cryptocurrencies that make payments, and their laundering, more difficult to follow.

Ransomware scrambles the data of a victim organization with encryption. Criminals leave instructions on infected computers on how to negotiate ransom payments and, once paid, provide software decryption keys.

Last year, ransomware crooks turned to data-theft blackmail. Before triggering the encryption, they quietly exfiltrate sensitive files and threaten to expose them publicly unless ransoms are paid. Victims who diligently backed up their networks to protect themselves from ransomware now had to think twice before refusing to pay. At the end of 2019, only one ransomware group had an online extortion site that would publish such files. Now more than two dozen are doing it.

Victims who refuse to pay may incur costs that far exceed the ransoms they could have negotiated. It recently happened to the University of Vermont health network. It suffered losses estimated at $1.5 million a day in the two months it took to recover. More than 5,000 hospital computers, whose data was scrambled into gibberish, had to be cleaned up and rebuilt from backed-up data.

The University of California-San Francisco, heavily involved in COVID-19 research, hardly hesitated before paying. It gave the criminals $1.1 million last June. Manufacturers have been hit particularly hard this year, with $50 million in ransoms demanded from computer makers Acer and Quanta, a major supplier of Apple laptops.

HOW ARE THESE CRIMINALS ORGANIZED?

Some of the top ransomware criminals think of themselves as software service professionals. They pride themselves on their customer service, providing support services that help victims who pay decrypt their files. And they tend to keep their word. They have brands to protect, after all.

If they keep their promises, future victims will be encouraged to pay, Maurits Lucas, director of intelligence solutions at cybersecurity firm Intel471, said in a webinar earlier this year. As a victim, you really know their reputation.

The business tends to be compartmentalized. An affiliate will identify, map and infect targets, choose victims, and deploy ransomware that is typically leased from a ransomware-as-a-service provider. The provider gets a cut of the payment, with the affiliate normally taking more than three-quarters. Other subcontractors can also get a share. These can include the authors of the malware used to break into victimized networks and the people running the so-called bulletproof domains behind which ransomware gangs hide their command and control servers. These servers handle remote malware seeding and data exfiltration before activation, a stealthy process that can take weeks.

WHY DO RANSOMS CONTINUE TO CLIMB? HOW CAN THEY BE STOPPED?

In Thursday’s report, the task force said it would be wrong to try to ban ransom payments, in large part because ransomware attackers continue to find sectors and parts of society that are terribly ill-prepared for this style of attack.

The task force recognizes that payment may be the only way a struggling business can avoid bankruptcy. Worse yet, sophisticated cybercriminals have often done their research and know the limit of a victim’s cybersecurity insurance coverage. They are known to mention it in negotiations.

This level of criminal awareness helped push average ransom payments to over $310,000 last year, up 171% from 2019, according to task force member Palo Alto Networks.

Unsurprisingly, the still-young cyber insurance industry is in shock. Premiums have risen 50% to 100% over the past year as ransomware has become the No. 1 claim, said Michael Phillips, chief claims officer at Resilience Insurance and co-chair of the task force. On average, cyber insurance claim payments can now exceed 70% of what is paid in premiums, prompting some insurers to abandon this type of insurance altogether, according to industry reports.

The multi-pronged response to ransomware proposed by the task force will require the kind of concerted diplomatic, legal and police cooperation with key allies that the Trump administration has avoided, replacing what the authors call the current uncoordinated and rambling response.

There is no quick fix, but if the trajectory of this type of attack is to be changed, the US government has to do it with some speed, said task force co-chair Philip Reiner, CEO of the nonprofit Institute for Security and Technology.

Ransomware developers and their affiliates should be named and shamed (they’re not always easy to identify), and the regimes that enable them should be punished with sanctions, the report insists.

It calls for mandatory disclosure of ransom payments and a federal response fund to provide financial assistance to victims in the hope that in many cases this will prevent them from paying ransoms. And it wants tighter regulation of cryptocurrency markets to make it harder for criminals to launder ransomware proceeds.

The task force is also calling for something potentially controversial: changing the US law on fraud and computer abuse to allow the private sector to actively block or limit criminal activity online, including botnets, the networks of hacked zombie computers that ransomware criminals use to spread infections.

The odds against successfully quelling ransomware are high, acknowledge the report’s authors: the old adage that a cybercriminal needs to be lucky only once, while a defender must be lucky every minute of every day, has never been truer.

