Digital Piracy through Ransomware: A Change in Tides

Due to the tidal wave of ransomware attacks since 2018, the seas are changing, and the attackers are now becoming the attacked. A disparate group of entities have started to fight back against these modern-day pirates in an epic battle which will likely change how ransomware attacks are handled going forward.

Years ago, digital pirates targeted healthcare and relatively vulnerable targets (e.g., educational, and not-for-profit organizations) but they have since moved on to a more diverse victim base. High-profile attacks have impacted critical industries during the first half of 2021, which has led to a significant change in how ransomware attacks are being handle by a variety of entities.

The NetDiligence Cyber Claims Study 2021 identified that ransomware attacks now account for 32% of attacks, leading all other vectors by a significant amount. These attacks have increased at an alarming pace, with an 85% increase in overall average attacks from 2018 through 2020. From a financial perspective, the average cost due to business interruptions has increased almost 300% during this period, and the cost to recover from an attack has increased over 400%.

The U.S. Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN) issued a report which analyzed the ransomware trends for the period between January 2021 and June 2021. Based on this analysis, FinCEN identified 10 threat actor groups responsible for 73% of the ransomware attacks based on the analysis of cryptocurrency payments analyzed in the first half of 2021. In addition, FinCEN determined that these 10 organizations received $5.2 billion in ransom payments over the preceding two years.

While there is likely no relief from the current persistence of ransomware attacks, the digital pirates are increasing in the sights of those patrolling the digital high seas.

TURNING THE TIDES: ATTACKING THE ATTACKERS
As high-profile attacks have occurred, the U.S. government appears to be making a pronounced effort to target ransomware attackers, whether conducted by criminal organizations or nation-states. This growing emphasis has become a multi-disciplinary effort by the public and private sector, industry organizations and others, to target and disrupt these illicit organizations. Here are some recent examples of how the tide is being turned and the hunter is becoming the hunted:

• Reuters reported that on July 13, 2021 the REvil threat actor group leak site and payment portal unexpectedly went offline. On October 21, 2021 it was disclosed that the REvil group (responsible for the Colonial Pipeline and Kaseya ransomware attacks) was likely attacked and forced offline by the U.S. government and other like-minded countries.

• On November 8, 2021, the U.S. Department of Justice announced the arrest of two foreign nationals and the seizure of assets worth approximately $6.1 million USD.  These individuals were involved in Sodinokibi/REvil ransomware attacks including the Kaseya based attack in July 2021. Based on reports in CPO Magazine and ZDNet, Operation GoldDust (a multi-national law enforcement effort to combat cybercrime) has been targeting individuals allegedly involved in thousands of ransomware attacks around the world.
 
While this will not stop the attacks, it is a clear sign that governments around the world are taking a stand against these digital pirates.

STOPPING THE MONEY TRAIN
In August 2021 the Ransomware-as-a-Service (RaaS) model was publicly exposed when disgruntled affiliates of the Conti ransomware organization disclosed the inner workings of how the criminal organization is perpetrating these attacks. Based on our analysis, several key points came to light highlighting the effort attackers undertake to exploit their victims financially by knowing how much ransom they can demand:

• Attackers are gathering intelligence on the victim to determine their financial capacity to pay a ransom. This may include publicly available information (i.e., financial disclosures), as well as trying to locate financial statements and other relevant information once inside the victim’s network.

• Once inside the environment, the attacker tries to locate the victim’s insurance policy, so they know what the coverage limits are for ransom payment reimbursement.

Due to the cataclysmic growth of ransomware attacks, there is an effort underway by the government to take away some of the ill-gotten gains.

In May 2021 the Washington Post reported that the DarkSide cybercrime organization was responsible for the Colonial Pipeline attack which caused a massive disruption to the oil and gas infrastructure in the eastern half of the United States. Colonial Pipeline paid 75 Bitcoin (roughly $4.3 million USD) in ransom to the DarkSide organization. In early June 2021, the FBI obtained a warrant to seize 63.7 bitcoin (roughly $2.3 million USD) from the DarkSide cryptocurrency wallet. Subsequently bankinfosecurity.com noted that the DarkSide organization ceased to exist, but appears to have risen from the ashes as BlackMatter.

To further demonstrate the effort to stem the flow of ransom payments, the U.S. Department of the Treasury’s Office of Foreign Asset Control (OFAC) announced that they were placing the SUEX OTC, S.R.O. (“SUEX”) virtual currency exchange on its watch list for their involvement in facilitating transactions for ransomware actors. This effectively blocked several ransomware attack organizations from receiving cryptocurrency payment from U.S.-based victims.

THE VICTIM IMPACT
Over the past year, there has been a significant effort by cyber insurance providers to gain an upper hand in relation to the reimbursement costs they are encountering as part of ransomware attacks.

• During May 2021 Insurance Journal reported that Axa S.A. (AXA) insurance would stop writing cyber insurance policies in France that reimburse customers for extortion payments made to ransomware attackers. While this action only applied to France in this announcement, it is becoming an emerging trend within the insurance industry.

• In an August 2021 article, Reuters reported that American International Group (AIG) insurance indicated that they were tightening the terms of their cyber insurance while increasing the premiums that insureds must pay for coverage.

• The most recent, and widest reaching, tightening in the cyber insurance market was reported by Reuters on November 19, 2021.  In this latest salvo by the insurance industry, insurers and syndicates working in the Lloyd’s of London market are being charged substantially higher premium rates for cyber coverage. In addition, Lloyd’s is discouraging a significant number of insurance carriers from taking on cyber business in the coming year.

• Based on feedback from our clients, cyber insurance carriers are requiring them to complete robust cybersecurity assessments to gauge their security posture when applying for new covering or renewing existing coverage.  In reviewing some of the recent requests, the level of cyber security requirements is becoming exponentially higher.

The outlook may be turbulent for companies that fall victim to a ransomware attack. There is an active effort to combat and neutralize organizations perpetrating these attacks; however, it will not keep others from stepping in to fill the void and continue launching attacks. While illicitly gained funds are being seized from the attackers, it is not filtering back to the impacted entities. In addition, cyber insurance coverage will continue to be more difficult to obtain and exponentially more expensive with much less coverage.
So where does that leave you?

DON’T BE A SOFT TARGET
Not all hope is lost. A leading initiative by the government, as well as insurance carriers and industry organizations, is for companies to be better prepared to weather the storm.

• Increase your cybersecurity defenses:
    -Deploy multifactor authentication.
    -Secure remote connection access.
    -Implement a regular update and patch program.
    -Create network segmentation.

• Use a backup strategy that reduces the ability for attackers to destroy or corrupt
backup data.

• Know your data and protect critical and sensitive information.

• Stay informed.

Sean Renshaw leads the digital forensics and incident response (DFIR) practice and oversees global operations for cybercrime and data breach investigations, digital forensics and incident response services at RSM US LLP. For additional information about how RSM can help you prepare for these ongoing threats, please visit warroom.rsmus.com. 

Return to Disruptors Awards Recap Supplement