by Paul Ducklin
Just over a week ago, we wrote about the REvil ransomware gang’s latest braggadoccio.
As you probably know, ransomware operators like REvil, Clop and others don’t generally work on the front line themselves by conducting the actual network intrusions that deliver the final ransomware warhead.
Instead, they recruit teams of “attack affiliates” – subcontractors, if you like – who are given their own variants of the ransomware code and let loose on the world.
The affiliates don’t bother, or even need to know how, to program the malware in the first place, or to get involved in the process of negotiating and collecting the final blackmail money from victims who decide to pay up.
The affiliates bring different skills to the operation, such as:
…in return for a big chunk of the ransomware payment, often as much as 70%.
(We have to guess that the core crooks originally set their share at 30% because that’s the number that seems to have worked out well for companies like Apple and Google when licensing products such as music and apps.)
The affiliates get well-rewarded for each individual attack, which motivates them to make their attacks as network-wide and as disruptive as they possibly can.
The core crooks keep away from involvement in the actual network intrusions while nevertheless scooping up 30% of everything.
But in one of REvil’s most high-profile incidents to date, one of the gang’s affiliates pulled off an attack that was even broader and deeper than usual.
By exploiting bugs in code from network management company Kaseya, they were able to penetrate more than 50 MSPs in one go, and from there, apparently, to attack more than 1000 customers.
We’ll probably never know for sure whether the core REvil crew were delighted or dismayed at how the attack went down.
Sometimes, cybercriminals can “succeed” so surprisingly (as happened in the infamous 20-year-old Code Red virus outbreak that we reminisced about yesterday!) that everyone takes notice, and our worldwide cybersecurity vigour improves, at least for a while.
What we do know, however, is that the REvillers disdainfully made what they pitched as a global “offer of salvation” after the Kaseya incident:
If anyone want to negotiate about universal decryptor – our price is [$70 million in Bitcoin] and we will publish publicly decryptor that decrypts all files of all victims, so everyone will be able to recover from attack in less that an hour.
We can only assume that the crooks didn’t seriously expect to get paid out, but instead hoped to stir things up a bit, and perhaps to provoke infighting amongst the cybersecurity community about what to do.
Or maybe the criminals were being truly sarcastic, as though they were saying, “We don’t really expect you to be able to agree on what to do, so we’ve asked for a ludicrous amount just to rattle your collective cages. Also, who cares about the money from this one? We’re rich already. And anyway, to paraphrase a famous actor, ‘We’ll be back’.”
One reaction – and various legislatures seem to be giving this serious thought – might be to criminalise ransomware payments entirely, thus forcing any and all ransomware victims to “go it alone” if the time comes for recovery.
Of course, if your business has ground to a total halt and is almost certain to fold if you don’t pay up, the knock-on effects of a blanket payment ban might affect hundreds or thousands of employees who could suddenly lose their jobs.
Therefore this sort of regulatory payment-based intervention is not popular with everyone.
After the Kaseya incident, which happened over the 2021 Independence Day weekend in the US, we asked you, our readers, what you thought.
Unsurprisingly, some of the more earnest replies weren’t entirely suitable for a family-friendly, community-oriented website, but we did get an idea of how many of you felt:
• A better solution would be to offer up Wanted – Dead or Alive ransoms at that same price point for the criminals. Let’s put a stop to this extortion with actual policy that may stop it.
• I think WE should BLOCK from the Internet countries who do not cooperate with OUR government in punishing the guilty party of such crimes.
• PAY THE RANSOM TO A REVENGE COMPANY TO ELIMINATE COMPLETELY THE CRIMINALS BY BEING INVESTIGATOR, JUDGE, JURY AND ELIMINATOR.
• Compulsory life sentence for any such crooks who break into the internet with a crime of that size and happen to get caught.
• We are finding all these criminals but just not punishing them severely enough.
No jurisdiction that we know of has yet activated any of the proposed solutions listed above…
…but the US Department of State has gone some of the way towards tipping the balance against cash-rich cybercriminals with funds to spare for their next attack.
The US is now officially offering a reward of up to $10 million for help in finding and acting against serious cybercriminals:
The U.S. Department of State’s Rewards for Justice (RFJ) program, which is administered by the Diplomatic Security Service, is offering a reward of up to $10 million for information leading to the identification or location of any person who, while acting at the direction or under the control of a foreign government, participates in malicious cyber activities against U.S. critical infrastructure in violation of the Computer Fraud and Abuse Act (CFAA).
As you can see, this isn’t $10 million for turning over just anyone involved in ransomware attacks.
We’re talking here about so-called “state sponsored actors”, and we’re talking about attacks that specifically touch on “critical infrastructure”, which doesn’t cover every big attack, even if it were to cause the collapse of a huge company with thousands of employees.
On the other hand, it doesn’t apply only to ransomware attacks, but to cybercriminality in general.
That’s a good thing, because even though ransomware may hog the headlines, it is one of only many seriously disruptive and economically damaging side-effects that criminal hackers, malware peddlers and network intruders can cause.
The RFJ program doesn’t pay out terribly often, it seems, but it pays out big when it does.
The Department of State says that the scheme has been operating for nearly 40 years, notably in search of information about terrorists and terrorism, and has paid out “in excess of $200 million to more than 100 people across the globe” over that period.
While that averages out at fewer than three payments a year, informants seem to have trousered an average of about $2 million each time, so the rewards do indeed sound large enough to be tempting.
What do you think?
Will this help, or will the bulk of cybercriminality simply continue unhindered by this sort of reward?