More stories

  • Toddler mobile banking malware surges across Europe

    Researchers have provided a deep dive into Toddler, a new Android banking Trojan that is surging across Europe. 

    In a report shared with ZDNet, the PRODAFT Threat Intelligence (PTI) team said that the malware, also known as TeaBot/Anatsa, is part of a rising trend of mobile banking malware attacking countries, including Spain, Germany, Switzerland, and the Netherlands.

    Toddler was first disclosed by Cleafy following its discovery in January. While still under active development, the mobile Trojan has been used in attacks against the customers of 60 European banks. In June, Bitdefender said that Spain and Italy were infection hotspots, although the UK, France, Belgium, Australia, and the Netherlands were also being targeted.

    According to PTI, in an analysis of the malware this year, Spain has secured the top spot for cyberattacks. So far, at least 7,632 mobile devices have been infected. After infiltrating a command-and-control (C2) server used by the Trojan’s operators, the researchers also found over 1,000 sets of stolen banking credentials.

    Although researchers from multiple organizations have tracked Toddler to malicious .APK files and Android apps, infection vectors vary. While the Trojan has not — as of now — been found on Google Play, numerous legitimate websites have been compromised to host and serve the malware.

    While Toddler is pre-configured to target the users of “dozens” of banks across Europe, the company has found that 100% of infections detected, so far, relate to only 18 financial organizations. In total, five of the companies accounted for close to 90% of attacks — which the team believes may indicate a successful SMS-based phishing campaign.

    Toddler is run-of-the-mill Trojan software in many ways. It contains the functions you would typically expect: the ability to steal data, including banking details, keylogging, taking screenshots, intercepting two-factor authentication (2FA) codes, SMS interception, and connecting to a C2 to transfer information, accept commands, and link the infected device to a botnet.

    The Trojan will use overlay attacks to dupe victims into submitting their EU bank credentials by displaying fake login screens. Upon installation, the malware monitors what legitimate apps are being opened — and once target software is launched, the overlay attack begins.

    “Toddler downloads the specially-crafted login page for the opened target application from its C2,” PRODAFT noted. “The downloaded webview phishing page is then laid over the target application. The user suspects nothing because this event happens almost instantaneously when the legitimate application is opened.”

    The malware will also attempt to steal other account records, such as those used to access cryptocurrency wallets.

    The C2’s command list includes activating an infected device’s screen, prompting permission requests, changing volume levels, attempting to grab codes from Google Authenticator via Accessibility, and uninstalling apps.

    The level of persistence this Trojan is able to maintain is unusual. Toddler contains multiple persistence mechanisms — the most notable of which is preventing an infected device from being rebooted by abusing Accessibility functions. Toddler can also prevent a handset from being used in safe mode.
    “Toddler sets a new precedent for persistence module implementation,” the researchers say. “Removal of the malware from the device requires huge technical expertise, and it looks like the process will not get easier in the future.”

    Previous and related coverage

    Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0

  • Chinese APT LuminousMoth abuses Zoom brand to target gov't agencies

    A Chinese advanced persistent threat (APT) group is spreading fake Zoom software to spy on targets in South East Asia. 

    The group, dubbed LuminousMoth by Kaspersky, is focused on cyberespionage and the theft of information from high-profile targets. Dating back to at least October 2020, roughly 100 victims have been detected in Myanmar, and close to 1,400 have been recorded in the Philippines. However, these infection rates may not tell the whole story, as the researchers believe that only a small subset of these victims was of interest to the APT and was exploited further.

    LuminousMoth’s true targets, in particular, are government agencies in both of these countries and abroad. According to the researchers, the preliminary rate of infection may be due to LuminousMoth’s initial attack vector and spreading mechanisms, deemed “noisy” and unusual for an APT to adopt.

    The APT begins by sending spear phishing emails that contain Dropbox download links to a .RAR archive, named with political or COVID-19 themes. This file contains two malicious .DLL files which are then able to pull and deploy malicious executables on an infected system.

    Once this stage of infection has been completed, LuminousMoth will download a Cobalt Strike beacon and side-load two malicious libraries designed to establish persistence and to copy the malware onto any removable storage drives connected to a victim system.

    In cases noted by Kaspersky, the threat actors have then deployed a fake Zoom app, software that has become a lifeline — alongside Microsoft Teams, and others — for many businesses forced to go remote during the COVID-19 pandemic. The software, signed by an organization in Shanghai, is actually used to exfiltrate files of interest to LuminousMoth. Any file found with pre-defined extensions is copied and transferred to a command-and-control (C2) server.

    LuminousMoth will also look for cookies and credentials, including those used for Gmail accounts.

    “During our test, we set up a Gmail account and were able to duplicate our Gmail session by using the stolen cookies,” Kaspersky says. “We can therefore conclude this post-exploitation tool is dedicated to hijacking and impersonating the Gmail sessions of the targets.”

    The APT’s activities also appear to overlap with HoneyMyte/Mustang Panda, another Chinese-speaking group, linked to an attack against the office of Myanmar’s president (1,2). LuminousMoth and HoneyMyte have adopted similar tactics during campaigns including C2 overlaps, .DLL side-loading, the deployment of Cobalt Strike beacons, and similar cookie-stealing functionality.

    “Both groups, whether related or not, have conducted activity of the same nature — large-scale attacks that affect a wide perimeter of targets with the aim of hitting a few that are of interest,” the researchers say.

  • Microsoft points the finger at Israeli spyware seller for DevilsTongue attacks

    Microsoft’s war against private exploit and offensive security sellers continues with a strike against Sourgum. 

    On July 15, the Microsoft Threat Intelligence Center (MSTIC) said that the Redmond giant has been quietly tackling the threat posed to Windows operating systems by the organization, dubbed a “private-sector offensive actor” (PSOA).

    A tip provided by human rights outfit Citizen Lab led Microsoft to the PSOA, dubbed Sourgum, a company said to sell cyberweapons including the DevilsTongue malware.

    “The weapons disabled were being used in precision attacks targeting more than 100 victims around the world including politicians, human rights activists, journalists, academics, embassy workers, and political dissidents,” Microsoft says.

    Approximately half of DevilsTongue victims are located in Palestine, but a handful have also been traced back to countries including Israel, Iran, Spain/Catalonia, and the United Kingdom. According to the Citizen Lab, Sourgum is based in Israel and counts government agencies across the globe among its customers.

    With the assistance of Citizen Lab, Microsoft has examined the unique malware family developed by Sourgum and has now pushed protections against it in Windows security products. This includes patching previously unknown vulnerabilities, CVE-2021-31979 and CVE-2021-33771.

    These two vulnerabilities were listed as actively exploited in Microsoft’s latest security update, known as Patch Tuesday, which is issued on a monthly basis. They are both described as Windows Kernel privilege escalation security flaws.

    Microsoft says that the exploits are “key” elements of wider attack chains used by Sourgum to target Windows PCs and browsers in order to deliver DevilsTongue. Browser exploits appear to be used in one of the initial attack stages, where they are served through malicious URLs and sent via messaging services including WhatsApp.

    The modular malware is described as “complex” with “novel capabilities.” While analysis is ongoing, Microsoft says that DevilsTongue’s main functionality is stored in encrypted .DLL files, only decrypted when loaded into memory, and both configuration and tasking data are separate from the main payload.

    DevilsTongue can be used in both user and kernel modes and is capable of .DLL hijacking, COM hijacking, shellcode deployment, file collection, registry tampering, cookie theft, and the extraction of credentials from browsers. A feature of note is a module dedicated to decrypting and extracting conversations taking place over Signal. The malicious code also contains sophisticated obfuscation and persistence mechanisms.

    “With these hacking packages, usually the government agencies choose the targets and run the actual operations themselves,” Microsoft says. “The tools, tactics, and procedures used by these companies only add to the complexity, scale, and sophistication of attacks. We take these threats seriously and have moved swiftly alongside our partners to build in the latest protections for our customers.”

    Detection data has also been shared with the wider security community.

    “We’re providing this guidance with the expectation that Sourgum will likely change the characteristics we identify for detection in their next iteration of the malware,” the company added.
    “Given the actor’s level of sophistication, however, we believe that outcome would likely occur irrespective of our public guidance.”

    In related news this week, Microsoft disclosed a third vulnerability impacting the Windows Print Spooler service, joining the duo of security flaws known as PrintNightmare. Tracked as CVE-2021-34481, the bug can be exploited to obtain system-level privileges locally.

  • May ransomware blight all the cyber stragglers and let God sort them out

    The threat of ransomware dominates the cyber news right now, and rightly so. But this week Rachael Falk, chief executive officer of Australia’s Cyber Security Cooperative Research Centre, made a very good point.

    Ransomware is “totally foreseeable and preventable because it’s a known problem”, Falk told a panel discussion at the Australian Strategic Policy Institute (ASPI) on Tuesday.

    “It’s known that ransomware is out there. And it’s known that, invariably, the cyber criminals get into organisations through stealing credentials that they get on the dark web [or a user] clicking on a link and a vulnerability,” she said. “We’re not talking about some sort of nation-state really funky sort of zero day that’s happening. This is going on the world over, so it’s entirely foreseeable.”

    There are “four or five steps you could take that could significantly mitigate this risk,” Falk said. These are patching, multi-factor authentication, and all the stuff in the Australian Signals Directorate’s Essential Eight baseline mitigation strategies. The latest Essential Eight Maturity Model even comes with detailed checklists for Windows-based networks.

    “Companies are on notice that this is a risk for them,” Falk said. “There’s a known problem often, and a known fix, but people haven’t done it.”

    So given this laziness, given that cyber wake-up calls have been ignored since the 1970s, and given that organisations continue to willfully fail to follow the advice they’re given, your correspondent has a question. Has the time come to let Darwinism loose? Should we let all these lazy organisations get hacked, and just let God sort them out?

    “I love that approach,” Falk said. “It is glacial-like movement, and I think the only change now that might accelerate it is legislation, which obviously government is potentially seeking to introduce at the moment,” she said, referring to proposed changes to critical infrastructure laws.

    Maybe we’ll only start paying attention when there’s more 5G, more device-to-device communication, and more personal dependence on the network.

    “I kind of wonder, though, in a macabre kind of way, will the test be when people just can’t use their phones for half an hour,” Falk said. “That’s when you’ll get people going, oh, we just have to have law about this because we can’t cope with [no] iPhones, internet, fridge, streaming, Netflix, you name it.”

    OK, we’re joking. Probably.

    In cybersecurity as in public health, blaming the victim is counterproductive. And in many cases it’s the customers and citizens who’d really suffer from ransomware and other cyber attacks that take out an organisation.

    “It could really, really impact life, and be a threat and risk to life. So I think people have to start thinking about this as not some sort of a joke,” Falk said. “The fact that we joke about, oh, the internet being down for 30 minutes, it could be the matter of a medical procedure is stopped and someone dies halfway through.”

    In Germany last year, for example, a patient died following a ransomware attack on a hospital in Duesseldorf, which caused her to be re-routed to a hospital more than 30 kilometres away. A police investigation found that she probably would have died anyway, but next time we may not be so lucky.
    ASPI’s ransomware policy recommendations

    Fortunately, a global consensus on how to tackle ransomware does seem to be emerging. Just one example is a new report from ASPI’s International Cyber Policy Centre, Exfiltrate, encrypt, extort: The global rise of ransomware and Australia’s policy options, of which Falk is co-author.

    On the vexed question of whether organisations should pay a ransom or not, the report recommends that paying them should not be criminalised. Instead, there should be a “mandatory reporting regime … without fear of legal repercussions”.

    This would be a major step in transparency. Out of all the major ransomware incidents in Australia — Toll Holdings, BlueScope Steel, Lion Dairy and Drinks, legal document-management services firm Law in Order, Nine Entertainment, Eastern Health in Victoria, Uniting Care Qld, and JBS Foods — only JBS has admitted to paying a ransom of $11 million.

    Such a scheme has already been proposed by Labor in its Ransomware Payments Bill 2021, introduced into parliament last month as part of its national ransomware strategy.

    The ASPI report recommends expanding the role of the ASD’s Australian Cyber Security Centre (ACSC) to include the real-time distribution of publicly available alerts. ACSC should also publish a list of ransomware threat actors and aliases, giving details of their modus operandi and key target sectors, along with suggested mitigation methods. The ASD is already known to be using its classified capabilities to warn of impending ransomware attacks.

    The report also recommends tackling the “low-hanging fruit” of incentivisation and education. This includes incentives such as tax breaks for cyber investment, grants, or subsidy programs; a “concerted nationwide public ransomware education campaign, led by the ACSC, across all media”; and a “business-focused multi-media public education campaign”, also led by the ACSC.
    “[This campaign should] educate organisations of all sizes and their people about basic cybersecurity and cyber hygiene. It should focus on the key areas of patching, multifactor authentication, legacy technology, and human error.”

    Finally, the report recommends creating a “dedicated cross-departmental ransomware taskforce”, including state and territory representatives, to share threat intelligence and develop policy proposals.

    Your correspondent finds none of these recommendations unreasonable, though there are perhaps questions about whether ACSC is currently well-equipped to run an effective and engaging major public information campaign. Nevertheless, given how slowly Australian organisations have adapted to cyber risks over the last couple of decades, maybe we need a little less carrot and a bit more stick.

  • Windows Print Spooler hit with local privilege escalation vulnerability

    After a pair of PrintNightmare vulnerabilities, the last thing the Windows Print Spooler needed was a third vulnerability, and yet it exists. Microsoft has announced CVE-2021-34481 allows for local privilege escalation to the level of SYSTEM.

    “An elevation of privilege vulnerability exists when the Windows Print Spooler service improperly performs privileged file operations. An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights,” Microsoft said. “An attacker must have the ability to execute code on a victim system to exploit this vulnerability.

    “The workaround for this vulnerability is stopping and disabling the Print Spooler service.”

    Microsoft rates the exploitability of the vulnerability as “more likely”.

    “Microsoft analysis has shown that exploit code could be created in such a way that an attacker could consistently exploit this vulnerability. Moreover, Microsoft is aware of past instances of this type of vulnerability being exploited. This would make it an attractive target for attackers, and therefore more likely that exploits could be created,” Microsoft’s exploitability index explained.

    Microsoft said it was creating a patch, and that the vulnerability was not introduced in its July 13 set of updates.

    The company has been scrambling to properly patch its Print Spooler service recently. Initially, a critical bug that allowed for remote code execution was announced and labelled as CVE-2021-1675. Exploits were publicly available after Microsoft’s patches failed to fix the issue completely, and security researchers who had already published their code said they deleted it, but it was already branched on GitHub.

    Microsoft then dropped CVE-2021-34527 later in the week, which had much the same description of running code as SYSTEM as CVE-2021-34481. Unlike the new vulnerability, this one can be run remotely.
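    The only workaround Microsoft gives for CVE-2021-34481 is to stop and disable the Print Spooler service. The script below is an added example, not code from the article or from Microsoft, that applies that workaround on the local host, records the service's previous state so it can be restored once a patch ships, and verifies the result; the backup file location is an assumption.

```powershell
# Added example (not Microsoft's or the article's code): apply the documented
# CVE-2021-34481 workaround on the local host - stop and disable the Print Spooler -
# while recording the prior state so the change can be rolled back after patching.
# Requires an elevated PowerShell session. Caveat: all printing from this host stops.

$BackupPath = Join-Path $env:ProgramData 'spooler-state.json'   # assumed location

function Disable-PrintSpooler {
    $svc = Get-Service -Name Spooler -ErrorAction Stop

    # Record what we found so Restore-PrintSpooler can undo the change later.
    [pscustomobject]@{
        Host      = $env:COMPUTERNAME
        Status    = [string]$svc.Status
        StartType = [string]$svc.StartType
        SavedAt   = (Get-Date).ToString('o')
    } | ConvertTo-Json | Set-Content -Path $BackupPath -Encoding UTF8

    if ($svc.Status -ne 'Stopped') {
        Stop-Service -Name Spooler -Force -ErrorAction Stop
    }
    # Disabled, not Manual: nothing should be able to start it again before the patch lands.
    Set-Service -Name Spooler -StartupType Disabled

    # Verify rather than assume; the workaround only counts if both conditions hold.
    $after = Get-Service -Name Spooler
    $ok = ($after.Status -eq 'Stopped') -and ($after.StartType -eq 'Disabled')
    if (-not $ok) { throw "Spooler is still $($after.Status)/$($after.StartType)" }
    Write-Host "Spooler stopped and disabled; prior state saved to $BackupPath"
}

function Restore-PrintSpooler {
    # Reverse the workaround from the saved state once the host is patched.
    if (-not (Test-Path $BackupPath)) { throw "No saved state at $BackupPath" }
    $saved = Get-Content -Path $BackupPath -Raw | ConvertFrom-Json
    Set-Service -Name Spooler -StartupType $saved.StartType
    if ($saved.Status -eq 'Running') { Start-Service -Name Spooler }
    Write-Host "Spooler restored to $($saved.Status)/$($saved.StartType)"
}

Disable-PrintSpooler
```

    Run Restore-PrintSpooler only after the host has received the fix, since re-enabling the service reintroduces the exposure.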

  • Bug bounty platform urges need for firms to have vulnerability disclosure policy

    Organisations should provide a proper channel through which anyone can report vulnerabilities in their systems. This will ensure potential security holes can be identified and plugged before they are exploited.

    Establishing a vulnerability disclosure policy (VDP) also would provide assurance to anyone, such as security researchers, acting in good faith that they would not face prosecution in reporting the vulnerability, said Kevin Gallerin, Asia-Pacific managing director of bug bounty platform, YesWeHack. In fact, creating such policies was more important than running bug bounty programmes, Gallerin said in a video interview with ZDNet.

    He noted that more companies today were embracing the need for a VDP, detailing a “safe and clear framework” through which information about security vulnerabilities could be submitted and how these should be handled within the organisation.

    Without a proper policy in place, security researchers might be less inclined to report a vulnerability or, when they did so, might not receive a response since the organisation’s employees lacked guidance on what they needed to do.

    “The information [then] gets lost and forgotten until the vulnerability eventually gets exploited,” Gallerin said, adding that a proper VDP would provide a structured channel to report security issues and mitigate the affected organisation’s risks by reducing their time to remediation. “We’re a strong advocate for this.”

    YesWeHack’s service offerings include helping enterprises establish their VDP, integrating vulnerability management with their internal workflows, as well as reviewing and recommending changes to their existing VDP. The vendor was seeing growing demand for both its bug bounty and VDP services in this region, including China, Indonesia, and Australia, Gallerin said.

    Headquartered in France, the vendor has an office in Singapore and currently is running bug bounty programmes for Southeast Asian e-commerce operator, Lazada, and Chinese telecoms equipment manufacturer, ZTE. Some 30% of its customer base are in this region, of which half are in Singapore.

    Gallerin told ZDNet that YesWeHack was aiming for Asia-Pacific to account for half of its global clientele, adding that the bug bounty platform currently works with some 10,000 security researchers in this region. It has a global network of more than 25,000 security researchers. Its triage team comprises full-time employees in Singapore and France, who divide their time between triaging – to assess submissions in bug bounty programmes – and supporting research and development projects for internal deployment as well as tools for the hunter community.

    It previously ran a private bug bounty programme for Lazada, which saw $150,000 in bounties handed out to bug hunters, he said, but declined to say how many vulnerabilities were identified. The e-commerce operator had started out with smaller, private bug hunting exercises before gradually scaling up and launching its public bug bounty programme last month with YesWeHack, Gallerin said.

    He noted that most companies in Asia, compared to their US or European counterparts, were less comfortable discussing potential vulnerabilities in their systems and preferred to run private bug bounty programmes. They did, however, realise there likely were security holes their own teams had overlooked and saw bug bounty programmes as a way to identify, and plug, potential vulnerabilities, he said. The main objective here was to prevent potential data breaches, he added, which was a common concern amongst Asian companies, especially as businesses today increasingly were collecting and managing large volumes of personal customer data.
    According to Gallerin, YesWeHack’s hacker community had been able to find at least one critical vulnerability – which enabled full access to user data or infrastructure – in most bug bounty programmes it ran.

  • Backlash to retail use of facial recognition grows after Michigan teen unfairly kicked out of skating rink

    Multiple civil rights groups banded together this week to end the use of facial recognition tools by large retailers. According to advocacy group Fight For the Future, companies like Apple, Macy’s, Albertsons, Lowes and Ace Hardware use facial recognition software in their stores to identify shoplifters.

    The group created a scorecard of retailers that they update based on whether the company is currently using facial recognition, will in the future or never will. Stores like Walmart, Kroger, Home Depot, Target, Costco, CVS, Dollar Tree and Verizon have all committed to never using facial recognition in their stores in statements to Fight For the Future. Walgreens, McDonald’s, 7-Eleven, Best Buy, Publix, Aldi, Dollar General, Kohl’s, Starbucks, Shoprite and Ross are just a few of the companies that Fight For the Future believes may use facial recognition software in the future.

    But it isn’t just major retailers deploying facial recognition software. Backlash to private use of facial recognition culminated on Wednesday when Livonia skating rink in Michigan was accused of banning a Black teenager after its facial recognition software mistakenly implicated her in a brawl.

    Lamya Robinson told Fox2 that after her mom dropped her off at the skating rink last Saturday, security guards refused to let her inside, claiming her face had been scanned and the system indicated she was banned after starting a fight in March.

    “I was so confused because I’ve never been there,” Lamya told the local news outlet. “I was like, that is not me. Who is that?”

    Lamya’s mother Juliea Robinson called it “basically racial profiling.”

    “You’re just saying every young Black, brown girl with glasses fits the profile and that’s not right,” Robinson added.

    The skating rink refused to back down in a statement to the local news outlet, claiming their software had a “97 percent match.”

    “This is what we looked at, not the thumbnail photos Ms. Robinson took a picture of. If there was a mistake, we apologize for that,” the statement said.

    Caitlin Seeley George, campaign director at Fight for the Future, told ZDNet that Lamya’s situation was “exactly why we think facial recognition should be banned in public places.”

    “This girl should not have been singled out, excluded from hanging out with her friends, and kicked out of a public place. It’s also not hard to imagine what could have happened if police were called to the scene and how they might have acted on this false information,” Seeley George said. “We’ve seen time and again how this technology is being used in ways that discriminate against Black and brown people, and it needs to stop. Local lawmakers in Portland enacted an ordinance that bans use of facial recognition in places of public accommodation like restaurants, retail stores, and yes, skating rinks. We’re calling for Congress to enact such a ban at the federal level as well.”

    The situation occurred after Robert Williams, another Black Michigan resident arrested based on a mistake by facial recognition software, testified in Congress this week. Williams came forward in June 2020 as one of the first people to confirm having been arrested based on faulty facial recognition software in use by police. He filed a lawsuit against the Detroit Police Department with the ACLU after he was arrested on the front yard of his home as his children watched, all based on a facial recognition match that implicated him in a robbery. After 16 hours in holding, he was shown the photo that led to the match and held it up to his face, causing one officer to say “the computer must have gotten it wrong.” Police put a security camera photo into their database and Williams’ driver’s license was listed as a match.

    “Detroiters know what it feels like to be watched, to be followed around by surveillance cameras using facial recognition,” said Tawana Petty, national organizing director at Data for Black Lives.

    “In Detroit, we suffer under Project Green Light, a mass surveillance program that utilizes more than 2000 flashing green surveillance cameras at over 700 businesses, including medical facilities, public housing and eating establishments,” Petty added, noting that the cameras using facial recognition are monitored at real-time crime centers, police precincts and on officers’ mobile devices 24/7.

    She said in a statement that it is difficult to explain the psychological toll it takes on a community to know that every move is being monitored “by a racially-biased algorithm with the power to yank your freedom away from you.”

    “We must ban facial recognition from stores and get this invasive technology out of every aspect of our lives,” Petty said.

    EFF senior staff attorney Adam Schwartz told ZDNet that facial recognition use is growing among retailers and that the racial implications of stores having databases of “potential” shoplifters was particularly fraught considering the privacy implications. But he disagreed with Fight For The Future’s stance, explaining that instead of banning its use among private organizations, there should be opt-in consent requirements that would stop stores from randomly scanning every face that walks in. He noted the need for innovation and some positive instances of facial recognition being used across society, including the iPhone feature that allows you to open your phone with your face.

    Ahmer Inam, chief AI officer at Pactera EDGE, said much of the backlash toward retail use of facial recognition is because companies have not been transparent about how they’re using it.

    “Using a mindful AI approach, a powerful tool like facial recognition can yield tremendous benefits for the consumer — as well as the retailer. But values such as privacy, transparency, and ethical-use have to be top-of-mind during the build. It’s something we’ve seen work effectively for our facial recognition and other AI projects,” Inam said.
    “The biggest challenge facial recognition ‘faces’ right now is model bias that results in false positives. For retailers, it isn’t just about building a facial recognition-based system — but to what purpose and intention.”

    Inam listed multiple examples of facial recognition being used to improve the retail experience like that of CaliBurger, which rolled out kiosks that use facial recognition to connect orders to customers.

    But Seeley George said companies are adopting facial recognition in the name of “convenience” and “personalization,” while ignoring how they abuse people’s rights and put them in danger.

    “The stores that are using or are considering using facial recognition should pay attention to this call from dozens of leading civil rights and racial justice organizations who represent millions of people,” Seeley George said. “Retailers should commit to not using facial recognition in their stores so we can champion their decision, or be prepared for an onslaught of opposition.”

  • US State Department offering $10 million reward for state-backed hackers

    The State Department announced a $10 million reward for any information about hackers working for foreign governments. 

    The measure is aimed squarely at those participating in “malicious cyber activities against US critical infrastructure in violation of the Computer Fraud and Abuse Act.” Officials said in a release that this included ransomware attacks targeting “critical infrastructure.” In addition to ransomware, the notice mentions a number of other cyber violations and notes that it applies to government computers as well as “those used in or affecting interstate or foreign commerce or communication.”

    Ransomware groups have made millions over the last two years attacking pipelines, manufacturers, hospitals, schools and local governments. While attacks on Colonial Pipeline and major meat processor JBS drew the biggest headlines, hundreds of healthcare institutions, universities and grade schools have suffered from damaging attacks. The DHS estimated that about $350 million in ransom was paid to cybercriminals in 2020.

    The reward program is run through the Diplomatic Security Service and has organized a “Dark Web (Tor-based) tips-reporting channel to protect the safety and security of potential sources.”

    “The RFJ program also is working with interagency partners to enable the rapid processing of information as well as the possible relocation of and payment of rewards to sources. Reward payments may include payments in cryptocurrency,” the State Department said. “More information about this reward offer is located on the Rewards for Justice website at www.rewardsforjustice.net.”

    POLITICO reported on Wednesday that the reward was part of a larger rollout of actions the Biden Administration was taking to address ransomware attacks. A multi-agency ransomware task force has been created that will lead both “defensive and offensive measures” against ransomware groups. The White House is also giving the task force the leading role in pushing government agencies and “critical infrastructure companies” to improve their defenses and shore up cybersecurity gaps. The task force will give Biden’s team weekly updates on the effort to beef up the government’s cybersecurity, according to Politico.

    US Senators met with deputy national security advisor Anne Neuberger on Wednesday afternoon where she explained the White House efforts to address ransomware attacks. CISA executive assistant director for cybersecurity Eric Goldstein was also on the call alongside officials from the FBI, DOJ and Treasury Department. The leaders of the Senate Judiciary also announced this week that they planned to hold a hearing on July 27 about ransomware. An anonymous source told Politico that cybersecurity officials asked for the authority to make some cybersecurity measures mandatory for certain infrastructure organizations.

    Adam Flatley, director of threat intelligence at cybersecurity company [redacted], worked on the Ransomware Task Force and contributed to a comprehensive guide for battling ransomware in April. He lauded the stopransomware.gov site and said offering a central location with free resources to help prevent, prepare for, report, and respond to ransomware attacks would be helpful for the most vulnerable organizations.

    “This is especially true for those organizations who have budget constraints that force them to go it alone, which is the case for so many good, hard working folks,” he added.
    Some experts questioned whether the reward would be an effective mechanism for tips about cyberattackers. Austin Berglas, who previously served as assistant special agent in charge at the FBI’s New York Office Cyber Branch, said there was potential for the reporting mechanism to turn “into a public payphone.”

    “The difficulty is the amount of resources that will be necessary to separate the ‘signal’ from the ‘noise’ and identify the legitimate tips. Other considerations include attribution to, and information provided by the tipster. If there was an arrest made and follow on prosecution (based on an anonymous lead), investigators will have to be able to provide evidence of the crimes alleged by the anonymous party,” Berglas explained.


    “This may or may not be possible without the cooperation of the anonymous lead source. Also, OFAC has to be considered when making anonymous payments — how is due diligence going to be performed prior to making a payment to a foreign national?”

    Berglas also noted that rival malicious hacking groups may view this scheme as a way to make money and reduce the amount of competition in the market. He added that the measures could do little to address the elephant in the room — the fact that many ransomware groups are provided safe harbor in Russia.

    “There are numerous existing cases where warrants are obtained and red notices are disseminated for criminals residing in these countries,” Berglas said.

    Many cybersecurity experts also took notice of the specific language of the State Department’s notice, focusing in on the phrase “while acting at the direction or under the control of a foreign government.”

    “It appears to be an attempt to short-cut the process of detailed attribution that is necessary to implicate a foreign government in collusion or cooperation with organized crime,” said Mike Hamilton, former DHS vice-chair for the State, Local, Tribal, Territorial Government Coordinating Council. “If the US government can incentivize someone to provide evidence of such, paying out $10M is probably a good deal considering the resources we bring to bear with the intelligence community for the same outcome.”