Ransomware Whack-a-Mole

Pretty much everyone is familiar with the carnival game Whack-a-Mole. No matter how many moles you bash with the mallet, it seems like two more pop up in their place. The metaphor is commonly applied to cybersecurity, and the ransomware news this week illustrates why it fits.

Bashing Ransomware

One of the biggest cybersecurity headlines this week was the news that the United States arrested and charged two hackers alleged to be part of the REvil ransomware gang. The Justice Department also recovered more than $6 million in ransom money. 

There are a couple of reasons this is a very big deal. First, it is an example of coordination of multiple agencies across the Biden Administration, as well as cooperation with international allies. I appreciate and support the “Win-as-One” collaborative nature of this approach. It is essential that defenders work together. 

The second is that these arrests, combined with the announcement from the US Treasury Department of a $10 million bounty for information leading to the identification of key REvil members, let cybercriminals know they will always have to keep looking over their shoulder. The US is determined to bring these people to justice, and it is willing to devote the resources necessary to make that happen.

More Ransomware Pops Up

As encouraging as that news was, new attacks also made headlines this week. Just like the moles in Whack-a-Mole, the threat actors pop up faster than we can bash them.

Robinhood, the popular mobile investment and trading platform, revealed that it had been hit by a ransomware attack. Threat actors were able to exfiltrate names and email addresses of about 7 million people, but only retrieved more sensitive personal information on about 500 individuals. 

That attack is peanuts, though, compared with the ransomware attack suffered by European retailer MediaMarkt. The Hive ransomware group encrypted servers and workstations and forced the company to shut down its IT systems to prevent further damage. The attackers initially demanded an astounding $240 million ransom.

You Need a Better Strategy than Whack-a-Mole

It’s been a busy week for ransomware. We’ve had some good news, and we’ve had some bad news. My main takeaway, though, is that Whack-a-Mole is not a viable strategy for fighting ransomware. 

International efforts to bring threat actors to justice only work with nations that cooperate and agree to take part. As long as there are nations like Russia—which ignores or even condones the criminal activity—ransomware gangs have a “safe haven” and will continue to wreak havoc around the world. 

Arresting threat actors months after the fact also doesn’t help protect you from being the next ransomware victim. Once your data is encrypted with ransomware and attackers demand a ransom, it’s too late. Many organizations end up paying the ransom for expedience, but our ransomware study earlier this year found that 80 percent of companies who paid a ransom were hit a second time, and in many instances by the same ransomware gang.

Are you prepared to defend against ransomware this holiday season? Your strategy needs to focus on the ability to recognize threat actor behavior and identify and stop malicious activity before your data is exfiltrated or encrypted. Let the US government and its international allies worry about whacking the moles. 

Lior Div
About the Author

Lior Div, CEO and co-founder of Cybereason, began his career and later served as a Commander in the famed Unit 8200. His team conducted nation-state offensive operations with a 100% success rate for penetration of targets. He is a renowned expert in hacking operations, forensics, reverse engineering, malware analysis, cryptography and evasion. Lior has a very unique perspective on the most advanced attack techniques and how to leverage that knowledge to gain an advantage over the adversary. This perspective was key to developing an operation-centric approach to defending against the most advanced attacks and represents the direction security operations must take to ensure a future-ready defense posture.