Feds Offer $10 Million Reward for REvil Ransomware GangBut Will Rewards and Police Push Drive Practitioners to Quit the Cybercrime Life?
For practitioners of cybercrime, and especially ransomware, one lure remains the relative ease and safety offered by remote attacks, together with incredible earning potential. But if you're not at large for very long before police catch up with you, was breaking the law really a great idea?
That's the calculus facing cybercrime aficionados: Can they remain out of jail long enough - if not indefinitely - to enjoy their ill-gotten gains?
On Monday, the U.S. State Department announced a reward of up to $10 million "for information leading to the identification or location of any individual(s) who hold a key leadership position in the Sodinokibi (also known as REvil) ransomware variant transnational organized crime group."
A reward of up to $5 million is being offered as well, "for information leading to the arrest and/or conviction in any country of any individual conspiring to participate in or attempting to participate in a Sodinokibi ransomware incident."
Similar rewards were announced Thursday tied to rival ransomware outfit DarkSide, later reborn as BlackMatter.
As that demonstrates, Western governments have been devoting increasing time, attention and resources to combating cybercrime, and especially ransomware, following a summer of devastating attacks, including those against Colonial Pipeline in the U.S., Brazilian meat-processing giant JBS, IT managed software vendor Kaseya, Ireland's national health service and many others.
Doing anything to blunt the devastation caused by ransomware is of course welcome. While it doesn't cause the most losses in aggregate tied to cybercrime - that distinction goes to the many different flavors of business email compromise attacks, including CEO fraud - ransomware can cause massive disruptions for not just businesses, but consumers. Hence the U.S. treating it as a national security threat on par with terrorism.
12 Challenges for Combating Ransomware
Unfortunately, governments attempting to combat ransomware face numerous challenges, including:
- Scale: At least where ransomware is concerned, the bad guys have been winning. In 2020, ransomware-wielding attackers earned at least $350 million from ransom payoffs, according to blockchain analysis firm Chainalysis. And while not all ransomware groups run data leak sites, the number of victims being posted to such sites hasn't been declining.
- Safe havens: Many criminals launching online attacks are based in or around Russia, which never extradites citizens to face foreign charges. While the Biden administration has been urging Moscow to crack down, as yet it's not clear if it will do so.
- Automation: Ransomware developers continue to refine their malware to make it easier for affiliates to use and more effective at crypto-locking a large number of systems with minimal effort.
- Innovation: Big ransomware players have continued to find innovative new ways to shake down victims and boost profits. REvil, for example, based on challenges encountered by affiliates of predecessor GandCrab, added new management features to make it easier to attack a managed service provider, infect every one of its customers, and service each victim's ransom demand individually. And where one group innovates, others inevitably follow.
- Specialists: The ransomware-as-a-service business model facilitates operators recruiting affiliates who are specialists, since the more victims they can infect, the more both operators and the affiliate will earn.
- Services: Another innovation practiced by ransomware operators is to provide services such as a data leak portal to name, shame and pressure victims into paying. Some also negotiate with victims, or even contract with third parties to telephone victims or email victims' customers to increase the pressure.
- Stealth: In the words of one ransomware group, "silence is gold." If authorities don't know a company has fallen victim, and if the company pays, police can't trace the cryptocurrency payment, which complicates efforts to identify and disrupt attacks or directly help a victim.
- Self-service: Some groups use ransom payment portals to allow victims to automatically self-provision a decryptor once they transfer enough cryptocurrency to satisfy the ransom demand. Such functionality helps them hit more targets.
- Turnover: Ransomware operations come and go. Well over a dozen well-sized groups that run data leak sites are active now, each with legions of affiliates, as are a number of other operations that don't run data leak sites. There are also many smaller players that buy off-the-shelf ransomware or repurpose leaked code to run attacks themselves.
- Cryptocurrency: While Western governments have closely guarded abilities to "follow the money" when tracking ransom payoffs and criminals moving and laundering virtual currency, cryptocurrency provides a further layer of complication.
- Partners: Unlike traditional, hierarchical crime gangs - like the Mafia - most ransomware operations today run as a service, providing a portal where affiliates obtain the malware to use against victims in return for a share of every ransom they pay. This decentralized model, relying on the equivalent of contractors, makes such operations more difficult to disrupt.
- Deterrence: There's no evidence that arresting part of the current crop of cybercriminals drives the next generation to think twice before entering the fray.
Time Is on Law Enforcement's Side
Email address and password reuse remain rife. Even a single mistake - forgetting to activate a VPN, for example - can leave a user's real IP address exposed, enabling police to unmask them. Or evidence can come to light later, for example, when a suspect flips or when investigators uncover new intelligence tied to cryptocurrency moves.
For the U.S. and allies, when cybercrime suspects are based in - or visit - jurisdictions that are friendly with the FBI, they can get busted.
Law enforcement agencies need not arrest suspects immediately. Instead, they might track their vacation schedules. Others have been lured - for example, to the U.S. - with fake job or consulting offers.
War of Attrition
This week, Europol and the U.S. Justice Department collectively announced that seven REvil and GandCrab affiliates have been arrested in Kuwait, Poland, Romania and South Korea since February. That includes Ukrainian national Yaroslav Vasinskyi, 22, who is accused of being the REvil affiliate who hit IT managed software provider Kaseya on July 2. Vasinskyi was arrested at the Polish border on Oct. 8 and faces extradition to the U.S.
The Justice Department Monday also unsealed an indictment charging Russian national Yevgyeniy Polyanin, 28, who "is believed to be in Russia, possibly in Barnaul," with being the REvil affiliate who hit 22 Texas municipalities in 2019 via their IT managed service provider.
Important development in an operation that included 19 law enforcement agencies across 5 continents. It's an excellent example of how international coordination & cooperation lead to tangible results that make us all safer. https://t.co/RgpXCmGjlR— Europol (@Europol) November 9, 2021
Also this year, six suspected members of the Clop ransomware operation were arrested in Ukraine on charges tied in part to 2019 attacks against South Korean companies.
Unfortunately, as with the arrest of REvil affiliates, those suspects appeared to be at best midlevel players rather than core operators.
On the other hand, one of the perhaps half-dozen core administrators of REvil, who goes by UNKN - for Unknown - hasn't been seen or heard from by other members since July. Some have suggested he's dead. Or maybe he's seen the writing on the wall and decided to exit the cybercrime racket. Possibly, he's been arrested and is quietly working with law enforcement authorities.
As Western law enforcement agencies step up their anti-ransomware efforts, more cybercrime practitioners will face such possibilities. Whether it will blunt the volume or severity of ransomware attacks, however, remains to be seen.