In discussions of ransomware, there isn't always much good news. Recently, however, the Department of Justice (DOJ) has had a few victories against ransomware operators. What's important to note is that these successes are collaborative efforts that push back against the ransomware ecosystem as a whole, not just against individual operators.
It's important to remember that cybercrime is big business with a vast network of players. The Ransomware-as-a-Service (RaaS) model is part of it. This model features “developers,” “operators,” and “affiliates.” Developers are responsible for creating and updating the ransomware. Operators are responsible for running the business, including creating the affiliate program, making the ransomware available to affiliates, and managing rates and settlement payouts. Affiliates identify and attack high-value victims with ransomware, and after a victim pays, the operator pays the ransom money out to affiliates. In some cases, this process is automated with control panels to make payouts.
Although ransomware and RaaS are certainly not on the decline according to FortiGuard Labs threat research, collaboration and attribution are helping. When it comes to threat intelligence and research, finding people is the ultimate goal. Even getting other data—such as discovering why a group is attacking or the vertical markets or infrastructure they're targeting—can help disrupt campaigns and activity and reduce the number of ransomware settlements paid out.
Partnerships that span across countries and vendors are helping to identify cybercrime syndicates. For example, the World Economic Forum’s Partnership Against Cybercrime is working to serve as a bridge between the digital expertise of the private sector and the global public sector organizations. Tracking down attackers and tactics makes it easier to know what to do about an attack. Attributing where funds are moving also helps, including crypto wallets and currency flows. And instead of focusing solely on operators, more investigations are going after affiliates, which sends the message that they are not immune from prosecution.
Here are a few successful examples where working together has led to DOJ successes.
On January 27, the DOJ announced a coordinated international law enforcement action to disrupt a sophisticated form of ransomware known as NetWalker, which affected companies, municipalities, hospitals, law enforcement, emergency services, school districts, colleges, and universities. The NetWalker attacks specifically targeted the healthcare sector during the COVID-19 pandemic, taking advantage of the global crisis to extort victims.
NetWalker affiliate Sebastien Vachon-Desjardins was arrested and, on January 31, was sentenced to seven years in jail and ordered to pay restitution to a number of organizations. Authorities in Bulgaria also seized a dark web hidden resource that NetWalker ransomware affiliates used to provide payment instructions and communicate with victims. This success is notable because it required cross-border coordination and focused on the affiliate rather than the operator.
On February 8, two individuals were arrested in New York City for conspiring to launder the proceeds of 119,754 bitcoin that were stolen from a virtual currency exchange in a hack that initiated more than 2,000 unauthorized transactions. Law enforcement has so far seized over $3.6 billion in cryptocurrency linked to that hack. As this arrest shows, with due diligence and proper resources, even cryptocurrency moving across a blockchain can be traced. Although the criminals tried to obfuscate the funds through multiple transactions and addresses, effectively “laundering” the money, they were still caught.
Back in 2018, the DOJ announced that it had unsealed a federal indictment charging 36 individuals for their alleged roles in the Infraud Organization, an internet-based cybercriminal enterprise engaged in the large-scale acquisition, sale, and dissemination of stolen identities, compromised debit and credit cards, personally identifiable information, financial and banking information, computer malware, and other contraband. At the time, federal, state, local, and international law enforcement authorities arrested 13 defendants from the United States and six countries. And on January 24, the Russian news agency TASS announced that four members of the Infraud Organization were arrested in Russia.
In January, 14 members of the notorious REvil cybercrime gang were arrested in Russia at the request of U.S. authorities. REvil was responsible for the Kaseya attack, and one of the arrested hackers was also involved in the Colonial Pipeline incident.
These DOJ successes don't mean ransomware is going away any time soon. Because cybercriminals are paying affiliates commissions to wage attacks, there's likely to be more diversification in cybercrime operations. All of the supporting networks that fall under cybercrime, such as money laundering, will expand, adding to the danger posed by advanced persistent threats and nation-state threat actors.
But here's some good news. The coordinated effort by global law enforcement agencies to dismantle the Emotet botnet led to a decline in activity. Emotet isn't completely dead, but the activity is well below what it once was and not nearly as rampant globally.
There are multiple ways to disrupt the cybercriminal ecosystem, and all of them can make a difference, in small amounts or collectively. Lowering ransomware activity means a reduced number of attacks, less lost data, and fewer ransomware settlements. Although it may be a long, slow, and frustrating process, detection, enforcement, and prosecution do have an impact.