Ransomware has become the biggest cybersecurity issue facing businesses, governments and the wider world today.
A series of high-profile incidents during the past year – such as the Colonial Pipeline ransomware attack, the Kaseya ransomware attack, a string of attacks against hospitals and healthcare, including the Irish Healthcare Executive, and many others – have caused problems for millions.
Ransomware is effective because, in many cases, the victim will give into the extortion by the cyber criminals and pay the ransom, often millions of dollars, to get a decryption key to restore their network. In other cases, the victims don’t pay, opting to restore the network themselves, a process that can take weeks or months – all the while having an impact on their business or services. Such has been the chaos caused that ransomware has even become part of the discussion between world leaders during international summits.
SEE: A winning strategy for cybersecurity (ZDNet special report)
During the second half of 2021, law enforcement agencies around the world publicised arrests and take downs related to ransomware groups and the dark web services that allow them to operate, with suspects detained in countries including Ukraine, South Korea and Kuwait.
But as welcome as these arrests were for law enforcement agencies, many of the most notorious ransomware crews remained at large. This, in part, is because many of these cyber-criminal operations are run out of Russia – and there’s a consensus among cybersecurity experts that the local authorities are willing to turn a blind eye to criminal hackers who focus their attentions on the West.
So, it was a surprise when, on January 14, Russia’s Federal Security Service (FSB) announced it had detained suspected members of the REvil ransomware gang operating from several regions of the country and had dismantled the group’s operations.
REvil was one of the most disruptive ransomware groups of 2021. One of the high-profile campaigns they carried out included an attack against JBS, which resulted in the food producer paying a ransom of over $10 million.
The ransomware group was also blamed for an attack against Kaseya, the enterprise IT management software provider. The attack resulted in thousands of businesses around the world being disrupted – and in many cases temporarily closed until services were back online, preventing people from being able to buy goods from their local supermarkets in regions ranging from Sweden to New Zealand.
But if one of the biggest, most infamous ransomware groups has suddenly found itself seemingly being taken down by law enforcement, does this mean the game is up for ransomware?
Certainly, members of underground forums have taken note, with some expressing worries that it’s only a matter of time before law enforcement catches up with them. “In fact, one thing is clear, those who expect that the state would protect them will be greatly disappointed,” said a member of one forum. Some forum members even suggested they might move operations to a different jurisdiction, although this is unlikely to be a realistic option for many.
However, while REvil is notorious, the group had been on hiatus for several months prior to the FSB’s action – meaning that while arrests of cyber criminals are welcomed, some doubt if this will have any significant impact on other major ransomware crews. It’s also not clear whether Russia’s sudden interest in pursuing ransomware crime will continue; some industry experts have suggested that Russia’s engagement may be linked to its broader geopolitical agenda
According to the White House, one of the suspects arrested as part of the REvil raids was the person behind the Colonial Pipeline ransomware attack, the incident that led to gas shortages on the US east coast. The attack – which saw Colonial paying a $5 million ransom – wasn’t by REvil, but DarkSide, a separate but closely associated ransomware group.
This situation illustrates one of the issues that complicates disrupting ransomware – the groups that operate them don’t act like regular companies with clear job titles. Instead, the different groups can overlap and individual cyber criminals can move between different outfits.
If one group gets taken down by law enforcement, remaining ransomware developers and other members of the operation can take their skills elsewhere, aiding existing ransomware affiliate schemes or helping to set up a new one.
Ransomware-as-a-service affiliate schemes allow cyber criminals who want to conduct ransomware attacks, without having to build ransomware themselves, to get in on the action – usually with the developers of the product taking a cut of the profits made from ransoms.
Over the years, the people who run the affiliate schemes have come and gone, either after being shut down, taking a temporary hiatus, sometimes returning after a rebrand, or in some cases just retiring from the ransomware business. But for those who want to be part of a ransomware-as-a-service scheme, there still are plenty of options available as new operations continue to appear.
So, while arrests and take downs are effective tools against those developing ransomware, the demand from those lower down the chain, combined with skilled ransomware authors taking their skills to new operations, likely means that new ransomware operations will continue to emerge, even after take downs.
SEE: Ransomware: It’s a ‘golden era’ for cyber criminals – and it could get worse before it gets better
It’s unlikely the latest round of arrests will suddenly stop ransomware for good. But they do show ransomware groups and the cyber criminals around them that they aren’t immune from being tracked down and having their assets obtained and ransom demands seized, particularly as more and more arrests take place.
“It’s still lucrative, so plenty of reasons to do it, it’s still not particularly risky relatively, but in terms of imposing costs, the cost of doing business has gone up,” says Ciaran Martin, professor of practice at the University of Oxford’s Blavatnik School of Government – and former director of the UK’s National Cyber Security Centre.
“Maybe they’re not the major operators, maybe they’re just bit-part players, but that still has an impact, and I think it still chips away a little better the sense of impunity of ransomware,” he adds.
As demonstrated by dark web discussions following the arrests, action against ransomware groups can also sew doubt in the mind of those behind cyberattacks.
Not only might they be more likely to be worried about the idea of law enforcement bashing down their door, but it could plant the idea that individuals in the ransomware ecosystem can’t be trusted – it could be that law enforcement has infiltrated a forum, or a prominent member has suddenly been coerced into helping the authorities with their investigation.
“The trust between the various parts of these networks has probably been eroded,” says Martin.
And if there’s doubt among dark web ransomware communities, that pushes up another barrier that makes campaigns that little bit more difficult to carry out.
Cyber criminals being arrested is welcome, it’s something that chips away at a major cybersecurity issue facing organisations today and shows that there are potential consequences for carrying out cybercrime – but the issue of ransomware isn’t suddenly going to disappear in 2022.
“It’s not over by any means,” says Martin. “Parts of it have got a little bit better, but it’s still the pre-eminent cybersecurity issue of our time.”