At this point, it's basically beating a dead horse to talk about the threat ransomware poses to organizations. We've all heard it a thousand times.
But what you might not know is that the tides are beginning to turn in the fight against ransomware.
The SecureWorld News team has been watching small victories slowly pile up as authorities around the world crack down on malicious hackers.
It all started after one of the most impactful ransomware attacks in U.S. history: the Colonial Pipeline incident.
Ransomware win #1
The Colonial Pipeline ransomware attack caused fuel shortages and hoarding across the Eastern seaboard of the United States. Many drivers had to wait for hours to fill their vehicles up, or simply were not able to find any gas.
The CEO of the company admitted to paying the ransom, all $4.4 million of it, to try to get operations back to normal as quickly as possible, saying "it was the right thing to do for the country." However, that payment was sent directly to cybercriminals, only furthering their capabilities.
Then came some surprising news to the cybersecurity world: the Department of Justice (DOJ) recovered more than $2 million of the paid ransom. It was the largest ransomware-related recovery of its kind to date.
And according to Trend Micro Threat Researcher Mayra Rosario Fuentes, the global law enforcement attention from this attack sent some ransomware operators into hiding:
"So before the pipeline, a lot of these ransomware groups were in the open. They were advertising on the dark web, it was easy to find them. They're usually in specific forums that happen to be Russian based.
But after the pipeline made it to the news, some of these groups decided to not be on these sites and were like, 'we are going somewhere else, we're going to go into hiding. We don't want to be out here in the public anymore. We don't want to be found that easily' by the journalists and the other people that know how to find them."
This was the start of a string of ransomware victories and disruptions happening during 2021.
Ransomware win #2
SecureWorld News recently reported that two Ukrainian hackers were arrested in Kyiv through a joint investigation between authorities from France, the U.S., Ukraine, and Interpol.
The hackers targeted over 100 companies, most of which were in the U.S. and Europe, and caused more than $150 million in damages. After searching seven properties, authorities arrested two suspects, seized $375,000 in cash and luxury vehicles, and froze $1.3 million worth of cryptocurrency.
Count this as another ransomware win for law enforcement in 2021.
Ransomware win #3
SecureWorld News also covered the recent arrest of a Russian national who was a co-conspirator in the development of the malicious software known as TrickBot. He faces up to 60 years in prison.
This followed the arrest of one of TrickBot's developers in Miami, Florida. She faces multiple charges and more than 90 years in prison.
Trickbot malware stole the personal and financial information of millions around the world and included a suite of tools for ransomware attacks.
The FBI's Cleveland Field Office led this multi-year investigation in collaboration with the DOJ's newly-launched Ransomware and Digital Extortion Task Force and international partners.
Ransomware win #4
Another 2021 ransomware victory that SecureWorld News covered was the FBI's successful takedown of the REvil ransomware gang's "Happy Blog," which the group used to publish stolen data.
The FBI, working with other U.S. and global law enforcement, had apparently hacked the hacking group, compromised the group's backups, and taken the blog offline.
This act angered many cybercriminals, some of whom are now calling on fellow hackers to take action against the U.S.
One ransomware group put it like this:
"I call on all partner programs to stop competing, unite and start **cking up the US public sector, show this old man who is the boss here, who is the boss and will be on the Internet."
Ransomware win #5
In a very recent ransomware win, Europol announced the arrest of 12 suspects involved in ransomware attacks against critical infrastructure. The attacks affected more than 1,800 victims in 71 countries.
They were known for attacks targeting large corporations that essentially brought business operations to a standstill, and they used several strains of ransomware to do their damage.
Here is how Europol describes the crimes:
"The targeted suspects all had different roles in these professional, highly organised criminal organisations. Some of these criminals were dealing with the penetration effort, using multiple mechanisms to compromise IT networks, including brute force attacks, SQL injections, stolen credentials and phishing emails with malicious attachments.
Once on the network, some of these cyber actors would focus on moving laterally, deploying malware such as Trickbot, or post-exploitation frameworks such as Cobalt Strike or PowerShell Empire, to stay undetected and gain further access.
The criminals would then lay undetected in the compromised systems, sometimes for months, probing for more weaknesses in the IT networks before moving on to monetising the infection by deploying a ransomware. These cyber actors are known to have deployed LockerGoga, MegaCortex and Dharma ransomware, among others."
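The Europol description above lists brute-force attacks and stolen credentials among the initial-access methods these crews used. The following is an added example, not code from Europol, SecureWorld News, or any product named in this article, showing the kind of detection logic a defender can run over authentication logs to catch that first step: a sliding-window count of failed logins per source address, plus a higher-priority alert when a login succeeds from a source that has already crossed the threshold (which is what a guessed or stolen credential looks like in the log). The log lines are constructed for the example and imitate the OpenSSH sshd message format; the thresholds, host names, and addresses are assumptions.

```python
"""Brute-force login detection over constructed auth log lines.

Added example for this article (not Europol's, SecureWorld's, or any vendor's code).
The line format imitates OpenSSH sshd messages; that, the thresholds, and the
sample hosts/addresses are assumptions made for the example.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not real data), in chronological order.
#  - 203.0.113.5: two typos then a good login; should stay quiet.
#  - 10.0.0.7:    six failures in 15 seconds, then a successful login as "bob".
#  - 198.51.100.9: five failures spread over 12 minutes (slow and low).
SAMPLE_LOG = """\
2021-11-01T08:00:01 host1 sshd[101]: Failed password for invalid user admin from 203.0.113.5 port 51000 ssh2
2021-11-01T08:00:05 host1 sshd[102]: Failed password for root from 203.0.113.5 port 51001 ssh2
2021-11-01T08:00:09 host1 sshd[103]: Accepted password for alice from 203.0.113.5 port 51002 ssh2
2021-11-01T08:05:00 host1 CRON[150]: pam_unix(cron:session): session opened for user root
2021-11-01T08:10:00 host1 sshd[200]: Failed password for invalid user test from 10.0.0.7 port 40000 ssh2
2021-11-01T08:10:03 host1 sshd[201]: Failed password for root from 10.0.0.7 port 40001 ssh2
2021-11-01T08:10:06 host1 sshd[202]: Failed password for invalid user oracle from 10.0.0.7 port 40002 ssh2
2021-11-01T08:10:09 host1 sshd[203]: Failed password for backup from 10.0.0.7 port 40003 ssh2
2021-11-01T08:10:12 host1 sshd[204]: Failed password for bob from 10.0.0.7 port 40004 ssh2
2021-11-01T08:10:15 host1 sshd[205]: Failed password for bob from 10.0.0.7 port 40005 ssh2
2021-11-01T08:10:20 host1 sshd[206]: Accepted password for bob from 10.0.0.7 port 40006 ssh2
2021-11-01T08:20:00 host1 sshd[300]: Failed password for root from 198.51.100.9 port 33000 ssh2
2021-11-01T08:23:00 host1 sshd[301]: Failed password for root from 198.51.100.9 port 33001 ssh2
2021-11-01T08:26:00 host1 sshd[302]: Failed password for root from 198.51.100.9 port 33002 ssh2
2021-11-01T08:29:00 host1 sshd[303]: Failed password for root from 198.51.100.9 port 33003 ssh2
2021-11-01T08:32:00 host1 sshd[304]: Failed password for root from 198.51.100.9 port 33004 ssh2
"""

# Matches sshd password-auth outcomes; other daemons' lines are ignored.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: (?P<outcome>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse(line):
    """Return (timestamp, outcome, user, source_ip) or None for non-auth lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return datetime.fromisoformat(m["ts"]), m["outcome"], m["user"], m["src"]


def detect(log_text, threshold=5, window=timedelta(seconds=60)):
    """Sliding-window brute-force detector.

    Emits ("brute_force", src, user, ts) the first time a source accumulates
    `threshold` failures inside `window`, and ("success_after_brute_force", ...)
    for any later successful login from a source already flagged. Flags are
    never aged out here; a production rule would expire them.
    """
    failures = defaultdict(deque)  # src -> timestamps of failures still in window
    flagged = set()
    alerts = []
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        ts, outcome, user, src = rec
        if outcome == "Failed":
            recent = failures[src]
            recent.append(ts)
            while recent and ts - recent[0] > window:  # drop failures outside the window
                recent.popleft()
            if len(recent) >= threshold and src not in flagged:
                flagged.add(src)
                alerts.append(("brute_force", src, user, ts.isoformat()))
        elif outcome == "Accepted" and src in flagged:
            alerts.append(("success_after_brute_force", src, user, ts.isoformat()))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(*alert)
```

With the defaults (5 failures in 60 seconds) only 10.0.0.7 trips the rule, and the later `Accepted` for `bob` from that address is the alert worth paging on. The slow source 198.51.100.9 is invisible at a 60-second window and only surfaces when the window is widened (for example to 15 minutes), which is the trade-off a detection engineer tunes against the false positives a wide window brings.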
How did this ransomware win occur? Through significant international cooperation.
In total, more than 50 investigators were deployed to Ukraine to assist in the operations. Authorities from Norway, France, Netherlands, Ukraine, the United Kingdom, Germany, Switzerland, and the U.S. all played a critical role, highlighting the benefits of international cooperation.
On a recent SecureWorld Podcast episode, Jeremy Sheridan, Assistant Director of the United States Secret Service, shared how his agency is increasing its international cyber investigative powers:
"We have cyber fraud task forces located throughout the globe; we partner within their individual jurisdictions and geographic areas. This includes foreign locations.
We are embedded with Interpol, Europol. We've just recently stood up cyber positions within Sydney, Australia, with the Australian Federal Police, as well as within London, in order to facilitate this information sharing.
We're starting to put more dots out there to make these connections in order to build these cases and bring these individuals to justice."
Is there a tidal shift in cybersecurity?
All of these ransomware wins are signposts along the cybersecurity highway, pointing to a disruption of the hack-without-consequence mentality many threat actors proclaim.
Ed Cabrera, Chief Security Officer at Trend Micro, believes that we are reaching a significant milestone when it comes to defending against cyberattacks:
"I'm not one to quote poetry, but I believe the lowest ebb is a turn of the tide. And I believe we are really at the turning of the tide when it comes to understanding awareness and getting the buy in, be it from the board, or at the national level, from our executive in our elected leaders, but also on a global scale. Because I think we're reaching that point of critical mass."
Watch the SecureWorld News live stream with Ed Cabrera for more on cybersecurity at an inflection point.
If we have indeed reached a point of critical mass, it will certainly impact the threat landscape in 2022 and the coming years.
We'll keep tracking it, including future ransomware wins.