How the growing Russian ransomware threat is costing companies dear

The snow was heavy on the ground in Moscow as disguised members of Russia’s formidable security agency, the FSB, prepared to knock down the doors of one of the 25 residences they would raid that day. Their target was REvil, a clandestine group of hackers who claimed to have taken more than $100 million (£74 million) every year through “ransomware” assaults before mysteriously disappearing.


As members of the gang were brought away in handcuffs, FSB agents grabbed crypto-wallets carrying unimaginable amounts of digital cash such as bitcoin. Others utilized money-counting devices to tally dozens of stacks of $100 notes.

REvil’s hackers had perfected extortion by grabbing control of enterprise computer systems and demanding cash to unlock them.

The consequences of this increasingly widespread crime range from geopolitical tensions between Russia and the West to the United Kingdom’s impending lack of Hula Hoops, Skips, and Nik Naks.

KP Snacks wrote to store owners this week to warn them of supply concerns until “the end of March at the earliest” because it “cannot securely process orders or send items.”

KP – and admirers of its savory snacks – have become the latest victims of a ransomware attack, which the firm was still combating as of Friday afternoon. Several phone calls to the firm were answered.

When the CEO of a business like KP receives the dreaded ransom note, no matter what time of day it is, their first call may be to the US cybersecurity firm Mandiant.

“The normal scenario is that they don’t see it coming and then they have a terrible impact,” says Dr. Jamie Collier, Mandiant’s senior threat intelligence consultant.

He claims that the centrality of computer systems in firm supply chains gives hackers great influence if they overcome their defenses.

“It gives these groups a lot more leverage and allows them to demand far bigger extortion money than they would have in the past.”

While Mandiant’s employees strive to repair or minimize the damage, the victims engage in discussions with the hackers, who frequently act as if they are establishing a real commercial agreement.

Dr. Collier describes threat groups as “extremely friendly.” “You’ll see them hire English speakers who can handle it [negotiations], almost like customer service, where you can make contact and connect professionally.”

He claims that hackers will even walk CEOs through the process of purchasing and transferring the bitcoin used for ransom payments.

Depending on the sophistication of the assault, the damage caused by a protracted outage, and if companies like Mandiant can repair it, there may be no alternative but to pay.

In addition to operational inconvenience, organizations face regulatory fines and significant harm to their reputations if data is disclosed.

Many now have cyber insurance that allows them to let the insurer cover the cost, although at the expense of fueling criticism and potentially encouraging further assaults.

The DarkSide ransomware group – allegedly linked to REvil – shut down petroleum supplier Colonial Pipeline in May 2021. As gas stations ran out of fuel and American drivers panicked, the corporation had no choice but to pay $4.4 million (£3.3 million).

Even coughing up didn’t work in the instance of Travelex. The consequences of Covid-19 on tourism may have been the most significant element in Travelex’s demise in August 2020, although residual harm from a ransomware assault earlier that year also played a role. Travelex paid a $2.3 million ransom, but the damage to customer trust was permanent.

Ransomware assaults are becoming more common. According to Ransom-DB, which monitors such incidents, there were 1,396 in 2020. In 2021, the number nearly quadrupled to 2,699, with around 35-40% of incidents resulting in a ransom payment.

Many more are likely to go undetected, according to Ransom-DB. In the United Kingdom, the National Cyber Security Centre (NCSC) is in charge of stemming the tide.

According to Eleanor Fairford, the agency’s deputy director of incident management, “as long as cybercriminals make money and people pay them, it’s a highly profitable business model. There’s no reason for it to end.”

Some have recommended prohibiting businesses from paying ransoms, decreasing the incentive for such assaults. Fairford worries that this may just result in firms neglecting to disclose assaults or going out of business.

The difficulties for those attempting to staunch the tide are numerous. Gangs remain nameless, rebranding and shifting as soon as authorities can track them down.

They are increasingly collaborating to share specialized information. There are also “initial access” brokers that connect organizations adept at penetrating systems with others adept at installing ransomware once inside.

The fact that the nations from which hackers operate, dominated by Russian and former Soviet governments, have demonstrated little ambition to stop them is perhaps the most significant impediment. “It may benefit some places to have these gangs bothering the west, and the impact is not in the states where it starts,” Fairford adds.

She believes the FSB’s display of force against REvil is only for show or diplomatic purposes. “I don’t believe anyone takes this seriously as the beginning of the end of ransomware at the hands of the Russian state. It’s a token attempt to demonstrate mobility.”

Experts believe that the only answer is for businesses to take every care to fight against some of the most well-known vulnerabilities that ransomware gangs exploit, frequently through individual employees.

Helge Janicke is a research director of Australia’s Cyber Security Cooperative Research Centre. He emphasizes the need for “knowledge of your staff and having strong technological controls. It includes building ransomware assaults into your organization’s incident response and disaster recovery plans.”

“Preparation is essential.”
