The worldwide successes of law enforcement against ransomware groups are increasing, and essential to that success is the international collaboration, intelligence gathering and coordinated action of law enforcement agencies across the globe.
The coordinated actions of law enforcement include: (a) arresting key members; (b) imposing sanctions on affiliated individuals; and (c) taking down ransomware groups’ online infrastructure and seizing services they use to operate. Ransomware groups, particularly those such as Conti which operate a RaaS model, are reliant on their dark web sites to facilitate their extortion technique and publish (or threat to publish) their victims’ data. It is also used as a platform to sell its malware and services to its affiliates.
Recent victories
On 6 March 2023, Europol announced the arrests of two “masterminds” behind the ransomware group, DoppelPaymer, as well as seizing devices through simultaneous raids carried out by the German and Ukrainian police. Law enforcement agencies in Denmark and the US assisted in the operation which was coordinated by Europol.[1] German police have also issued warrants for the arrest of three Russian nationals living in the country.
DoppelPaymer was most active between 2019 and 2021, but rebranded to “Grief” in July 2021 in attempt to evade sanctions due to its connections to Russia. It reported to have targeted more than 600 companies worldwide, with a focus on the healthcare, emergency services and education sectors.
This follows a stream of recent law enforcement victories in 2023. The FBI in collaboration with Europol and 13 other law enforcement agencies, secretly infiltrated Hive ransomware gang’s infrastructure in July 2022. After six months of monitoring the gang’s activity, in January 2023 it successfully took down its payment and dark leak sites. The operation prevented an estimated $130million in ransom payments, as the FBI was able to warn Hive’s targets before an attack occurred and obtained and distributed decryption keys.
In February 2023, The UK National Crime Agency (“NCA”), in collaboration with the US Department of the Treasury’s Office of Foreign Assets Control (“OFAC”), exposed and sanctioned seven cyber criminals connected to the ransomware group behind Trickbot malware, as well as Conti and RYUK strains.[2] These individuals are now subject to travel bans and asset freezes, and are severely restricted in their use of the global financial system. This group is known to have been responsible for some of the most damaging ransomware attacks in the UK on schools, businesses and local authorities.
Foreign Secretary, James Cleverly said: “By sanctioning these cyber criminals, we are sending a clear signal to them and others involved in ransomware that they will be held to account."
Most recently, on 9 March 2023, an international law enforcement effort led to the arrest of the suspected administrator of the NetWire remote access trojan (“NetWire RAT”). NetWire RAT is a tool used by threat actors to launch phishing attacks and exfiltrate networks. It allows a threat actor to remotely execute commands, take screenshots and download and upload files. The domain (worldwiredlabs.com) used by NetWire to promote its service was seized by the FBI, and the Swiss police took down the server hosting the website. The FBI said that "by removing the NetWire RAT, the FBI has impacted the criminal cyber ecosystem”.
Who is winning?
The international effort to crack on cybercrime is a key focus of governments across the globe. On 2 March 2023 the Biden Administration announced an updated National Cybersecurity Strategy to “disrupt and dismantle threat actors” and “recognizes that government must use all tools of national power in a coordinated manner to protect our national security, public safety, and economic prosperity”.
The sanctions and obstacles that the law enforcement agencies have put in place have certainly hindered cyber criminals’ ability to operate. Conti, one of the most prolific ransomware groups of 2021 / 2022 disbanded last year (but then rebranded) and there was a notable drop in ransomware attacks in summer 2022 following the invasion of Ukraine. But are the sanctions and international crackdown efforts enough to stop and deter these ransomware groups permanently? Unfortunately, not.
Ransomware groups are driven by peer kudos as well as financial reward. After the temporary lull in mid-late 2022, ransomware attacks are on the rise again. As ransomware groups disengage from the Ukraine conflict, re-organise and develop more sophisticated technology and techniques to overcome the sanctions and infrastructure obstacles created by the law enforcement, trend reports indicate that it is likely to return to levels seen in 2021.
Exfiltration of personal data will be a key extortion tactic, favoured over the encryption-only method. The targets most vulnerable to attack are those organisations who hold high volumes of sensitive personal information, legacy data and have immature cyber security and threat monitoring. Secure offline backups are vital for recovery, but it won’t keep personal data out of the hands of threat actors.
Intelligence gathering and international collaboration between law enforcement agencies appear to be a vital combative tool against ransomware groups. The Government has made a step-by-step guide available on where to report a cyber incident. Our advice to clients has always been to report a cyber incident and name of the threat actor group responsible to the NCA and NCSC via the online reporting tool on Action Fraud’s website.
[1]https://www.europol.europa.eu/media-press/newsroom/news/germany-and-ukraine-hit-two-high-value-ransomware-targets
[2]https://www.nationalcrimeagency.gov.uk/news/ransomware-criminals-sanctioned-in-joint-uk-us-crackdown-on-international-cyber-crime