Busted: Taking Down Ransomware Attackers

Ransomware has been big news this year. In March, the REvil/Sodinokibi ransomware gang infected Acer and demanded $50 million—the highest ransom demand from any ransomware group up to that point. That same gang then turned around a month later and demanded the same ransom from Apple after it failed to coerce Quanta Computer, one of the tech giant’s business partners, into paying up.

A few more weeks went by before we learned that the DarkSide ransomware gang had struck the Colonial Pipeline Company and disrupted the flow of 100 million gallons of fuel across the eastern portion of the United States, driving up gas prices and causing panic buying. About two months after that, the REvil/Sodinokibi operation perpetrated a supply chain attack against Kaseya that affected at least one thousand companies worldwide.

These incidents, among others, have helped to elevate the status of ransomware as an international security issue. This is especially apparent in how U.S. President Joe Biden has ramped up pressure on Russian President Vladimir Putin to bring ransomware groups operating in Russia to justice. As he recounted to Reuters in early July:

“I made it very clear to him that the United States expects, when a ransomware operation is coming from his soil even though it's not sponsored by the state, we expect them to act if we give them enough information to act on who that is.”

He went on to hint that the United States might digitally retaliate if President Putin failed to cooperate and if ransomware attacks emanating from Russia continued unabated.

Historical Examples of Ransomware Arrests

The attention surrounding ransomware might be unprecedented this year. But what President Biden is asking for isn’t unrealistic. Law enforcement has brought ransomware actors to justice in the past. Let’s look at a few examples:

    • CTB-Locker and Cerber Ransomware: Near the end of 2017, Forbes reported that police investigators had raided six properties and arrested five individuals associated with the CTB-Locker ransomware family. The investigators found that two of the individuals were also engaged in distributing Cerber, another major ransomware family at that time.
    • Unknown Ransomware: In September 2020, a Russian citizen by the name of Egor Igorevich Kriuchkov pleaded “not guilty” to charges that he had tried to infect a Tesla plant in Nevada with ransomware. Court documents allege that Kriuchkov attempted to bribe a Tesla employee into infecting the plant in exchange for $1 million, reported ABC News.
    • NetWalker Ransomware: Near the beginning of the year, KrebsOnSecurity wrote that U.S. and Bulgarian authorities had seized the data leak website that the NetWalker ransomware gang used to double-extort its victims. As part of the same takedown, a court in Florida charged a Canadian national suspected of helping to spread NetWalker.
    • Egregor Ransomware: ZDNet reported a month later that a joint investigation between French and Ukrainian police had arrested members of the Egregor ransomware cartel. French radio station France Inter noted that those arrested were believed to be affiliates of the Egregor Ransomware-as-a-Service (RaaS) operators, not the ransomware’s developers.
    • Clop Ransomware: Four months after that, Ukrainian law enforcement conducted 21 searches as part of a police operation against the Clop ransomware group. This led authorities to arrest several individuals associated with the operation and to shut down the infrastructure used by those individuals to spread the ransomware, wrote Bleeping Computer.

Ransomware Defense Is a Must

Notwithstanding the instances discussed above, arrests and other law enforcement operations haven’t significantly affected the ransomware threat landscape. The issue is that new ransomware operations are springing up all the time. What’s more, even those groups targeted by law enforcement don’t always go away. Such was the case with Clop when it published data from two victims just days after the arrests in Ukraine, per TechCrunch.

Organizations can’t rely on police takedowns to eradicate the ransomware threat for good. Instead, they need to focus on preventing ransomware attacks themselves. A first step is to recognize that every ransomware attack is unique, which means security vendors will not necessarily have detection rules for every ransomware variant.

Defending Against Ransomware

The best strategy for organizations is to prevent a ransomware attack from being successful in the first place. To do that, they need to invest in a multi-layered solution that leverages Indicators of Behavior (IOBs) to detect and prevent a ransomware attack at the earliest stages of initial ingress, prior to the exfiltration of sensitive data for double extortion, and long before the actual ransomware payload is delivered.

The Cybereason Operation-Centric approach provides the ability to detect ransomware attacks earlier based on rare or advantageous chains of malicious behavior. This is why Cybereason is undefeated in the battle against ransomware and delivers the best prevention, detection, and response capabilities on the market.

Cybereason is dedicated to teaming with defenders to end cyber attacks from endpoints to the enterprise to everywhere - including modern ransomware. Learn more about ransomware defense here or schedule a demo today to learn how your organization can benefit from an operation-centric approach to security.

Anthony M. Freed
About the Author

Anthony M. Freed is the Senior Director of Corporate Communications for Cybereason and was formerly a security journalist who authored feature articles, interviews and investigative reports which have been sourced and cited by dozens of major media outlets. Anthony also previously worked as a consultant to senior members of product development, secondary and capital markets from the largest financial institutions in the country, and he had a front row seat to the bursting of the credit bubble.