On the Friday before the July 4th holiday, hundreds of small companies were hit by ransomware. The attack was carefully planned, and the attackers demanded $70 million in Bitcoin. As it turned out, a Russian-linked ransomware gang called REvil was responsible. The group targeted specific software made by Kaseya, a US firm based in Miami. Because Kaseya supplies software to dozens of outsourced IT management companies, the attack had ripple effects, and roughly 1,500 small companies were ultimately affected. This raises the question: “Can we win the ransomware battle?”
Year after year, ransomware gangs are ramping up the number of attacks on organizations throughout the world. The Kaseya attack involved customers in over 17 countries. Because of the type of software targeted, multiple industries and sectors were affected, which shows that the ransomware battle is hardly confined to one industry. Likewise, ransomware gangs are highly distributed and highly specialized. All of these factors suggest that preventing ransomware attacks outright is unlikely. But that does not mean we cannot make progress as the ransomware battle evolves.
“With Colonial Pipeline, a lot of people were like, ‘Oh, they’re coming from the oil.’ But these guys could care less. They just want to find the slowest moving target. So, make sure you’re not the easiest target.” – Christopher Ahlberg, Founder of Recorded Future
Profiling Ransomware Gangs
The term ransomware gangs is often used to describe cyberattacks that use malware to hold companies hostage. The term tends to suggest that a ransomware gang consists of dozens of members. In reality, however, these groups often involve anywhere from one to three people. Equipped with high-quality ransomware tooling and the skills to use it, these individuals successfully target vulnerable businesses. And because hundreds of such ransomware gangs exist, establishing their profiles is difficult.
That said, larger cybercriminal networks do exist. In the case of the Kaseya attack, REvil represented a group that offers ransomware-as-a-service to interested hackers: any affiliate can use the software REvil provides to accomplish their goals. Another well-known hacking collective is Dark Side. It too represents a larger group of hackers who together share an array of skills and talents. Thus, the ransomware battle does not involve only a few major cyber-crime organizations. Instead, many individual agents are the ones who actually pose the threat.
“Make no mistake, the timing and target of this attack are no coincidence. It illustrates what we define as a Big Game Hunting attack, launched against a target to maximize impact and profit through a supply chain during a holiday weekend when business defenses are down.” – Adam Meyers, SVP of Intelligence, CrowdStrike
Timing the Kaseya Cyberattack
As noted, the Kaseya attack was well timed around the holiday weekend, a period when business defenses are potentially less robust. However, the timing was ironically important in another way. Kaseya had identified a potential vulnerability in its software only days before and was in the process of developing a patch to prevent ransomware gangs from taking advantage of the weakness. But before the patch was ready, the attack took place. This highlights the precision and urgency with which the ransomware battle is fought.
In essence, Kaseya makes software that allows other companies to manage IT networks and devices remotely. Therefore, its primary customers are IT management firms. These firms in turn use Kaseya software to remotely service the networks of hundreds of smaller companies. By compromising this software, the ransomware gang effectively infiltrated not only these IT management firms but also all of the smaller companies they serviced. As a result, grocery stores, retailers, schools, and even railway systems were forced to shut down their servers. This demonstrates the broad range of sectors in which the ransomware battle rages.
“There are probably 10, 15, maybe 20 different types of services involved in this. And they’re all very highly specialized, which is very much why these guys have been able to be so successful and also why it’s hard to go at it.” – Christopher Ahlberg
A Non-Military Network Operating with Military Precision
These underground collectives of hackers and ransomware gangs are not simply amateur programmers and designers. Instead, networks like REvil and Dark Side consist of hundreds of professionals who specialize in a number of services. Some have talents and skills in exploiting software and network vulnerabilities, while others specialize in cryptocurrency transfers or in writing code that others can use. In fact, many of these collectives operate like a franchise, providing materials and services to ransomware gangs. All of this makes the ransomware battle more difficult.
With regard to intelligence agencies working with these ransomware gangs, the relationships can vary. Both REvil and Dark Side are certainly linked to Russian government entities. However, the ransomware gangs affiliated with these networks tend to operate independently, without intelligence agency oversight. As hackers, they are often allowed freedoms that facilitate skill development in the private sector. Once such skills are developed, government intelligence agencies may recruit specific individuals, or they may task ransomware gangs with specific missions. Here again, the ransomware battle involves a diverse range of activities.
Is the Ransomware Battle Lost?
Given the complexity and specialization of ransomware gangs and cybercrime networks, there is cause for concern. However, this does not mean that the ransomware battle is lost or that effective cyber protection doesn’t exist. While ransomware attacks may never be completely eliminated, best practices can markedly diminish their occurrence. This involves not only staying up to date with the latest cyber-security technologies but also constant monitoring, updating, and surveillance. For those who wish to survive the ransomware battle, cyber-security protections are non-negotiable.