Articles

SEC filings show hidden ransomware costs and losses

A review of 2021 8-K filings with the U.S. Securities and Exchange Commission reveals a more complete picture of the financial damage from ransomware.

The ransomware scourge reached unprecedented levels in 2021, with ransomware threat actors demanding, and in many cases receiving, ransom payments in the millions of dollars. The world’s largest meat processor, JBS, confirmed in June 2021 that it paid the equivalent of $11 million in ransom to respond to the criminal hack against its operations.

Colonial Pipeline paid $4.43 million to its ransomware attackers in May 2021, although in a subsequent operation, the U.S Department of Justice (DOJ) seized $2.3 million of that amount. In May, backup appliance supplier ExaGrid paid a $2.6 million ransom to cybercriminals that targeted the company with Conti ransomware.

The actual costs of ransomware attacks, including lost revenue, can far eclipse the simple dollar amount of any ransom paid. For most private companies, the costs of ransomware attacks, and even the attacks themselves, can be hidden from view, which is one reason why mandatory ransom payment reports for all organizations became law last week.

This article appeared in CSO Online. To read the rest of the article please visit here.

 

 

Articles

U.S. Cyber Command’s actions against ransomware draw support and…

The actions, which temporarily took down REvil, raise questions about using the military to combat ransomware.

Over the weekend, Gen. Paul M. Nakasone, the head of U.S. Cyber Command and the National Security Agency (NSA), confirmed what most cybersecurity specialists already knew: The U.S. military has engaged in offensive measures against ransomware groups. These actions were undertaken to stem the alarming and growing tide of ransomware attacks that have hit U.S. industry, notably Colonial Pipeline in May, and have afflicted hundreds of healthcare and educational institutions.

In October, Cyber Command, in conjunction with the Secret Service, FBI, and allied nations, diverted traffic around servers used by the Russia-based REvil ransomware group, forcing the group to disband, at least temporarily. Among other attacks, REvil targeted the world’s largest meat processor, JBS, in late-May, disrupting meat production for days. Cyber Command and NSA also helped the FBI and the Justice Department seize and recover 75 bitcoins worth more than $4 million that were part of the cryptocurrency ransom Colonial Pipeline paid.

Nakasone said the attacks on Colonial Pipeline and JBS impacted critical infrastructure. “Before, during and since, with a number of elements of our government, we have taken actions and we have imposed costs,” Nakasone said. Cyber Command’s first anti-ransomware effort occurred in 2020 when the military arm worked in parallel, but not in a coordinated fashion, with Microsoft to take down the Trickbot network.

This article appeared in CSO Online. To read the rest of the article please visit here.

Articles

US cryptocurrency exchange sanctions over ransomware likely not the…

The sanctions against Suex, aimed to cut ransomware gangs off from their revenue, sends a signal to other exchanges that support criminal activity.

Days after the Russia-linked BlackMatter ransomware gang hit an Iowa grain cooperative with a ransomware attack, the Biden administration unveiled its latest effort to address the ongoing ransomware crisis. In a move designed to cut off ransomware gangs from their financial rewards, the Treasury Department announced that its Office of Foreign Asset Control (OFAC) placed Czech Republic-registered but Russian national-owned and -operated cryptocurrency exchange Suex on its sanctioned entity list, formally called the Specially Designated Nationals and Blocked Persons (SDN) List.

Suex facilitates “financial transactions for ransomware actors, involving illicit proceeds from at least eight ransomware variants,” according to the announcement. Treasury says that over 40% of Suex’s known transaction history is associated with illicit actors, representing $370 million in illicit trading.

OFAC included on the SDN list a total of 25 bitcoin, ethereum, and tether addresses known to be controlled by Suex. These addresses received more than $934 million in various crypto assets overall. In addition, blockchain transactions tracking company Chainanalysis said that the Suex addresses have received more than $160 million in bitcoin alone from “ransomware actors, scammers, and dark net market operators” since the exchange was founded in 2018.

This article appeared in CSO Online. To read the rest of the article please visit here.

Photo by Jon Tyson on Unsplash

Articles

Biden Administration announces flurry of new anti-ransomware efforts

The defensive initiatives include a reward for information on nation-state actors and the formation of a new interagency ransomware task force.

Under pressure to halt ongoing and highly damaging ransomware attacks from Russian criminal groups, the Biden administration yesterday announced a flurry of defensive initiatives to deal with the crisis. These announcements come one week after President Biden issued a stark warning to Russian President Vladimir Putin to deal with the ransomware threat groups in his country or else the US will take action to dismantle the threat.

First, the State Department announced that its Rewards for Justice program, which the Diplomatic Security Service administers, will give a $10 million reward to anyone offering information that leads to identifying state-sponsored threat actors. Specifically, rewards will be given to those who supply information that leads to the “identification or location of any person who, while acting at the direction or under the control of a foreign government, participates in malicious cyber activities against US critical infrastructure in violation of the Computer Fraud and Abuse Act (CFAA).”

The Rewards for Justice (RFJ) program has set up a Tor-based dark web reporting site to protect the safety and security of potential sources. Additionally, the RFJ program works with interagency partners to enable the rapid processing of information and the possible relocation of and payment to sources.

Second, the Treasury Department’s Financial Crimes Enforcement Network (FinCEN) announced it would convene a FinCEN Exchange in August 2021 focused on ransomware concerns. The Exchange will be composed of financial institutions, other key industry stakeholders, and federal government agencies. The goal of the meeting is to inform FinCEN’s next steps in addressing ransomware payments.

This article appeared in CSO Online. To read the rest of the article please visit here.

 

Articles

Ransomware talks: How Biden could push Putin to the…

Under pressure to end the ransomware scourge, the White House faces strong headwinds. The problem: Putin has no motivation to change the status quo.

As the United States comes out of yet another major attack by a Russian ransomware gang, this one leveled at Florida-based software provider Kaseya by the REvil threat group, the administration is ramping up its rhetoric about holding Russia responsible for the criminal actions taking place within its borders. During a recent press briefing White House press secretary Jen Psaki said that a “high level” of U.S. national security has been in touch with top Russian officials about the Kaseya attack. She also said that another ransomware-focused meeting between the two countries is scheduled for next week.

Psaki also passed on a warning to Russia. “As the president made clear to President Putin , if the Russian government cannot or will not take action against criminal actors residing in Russia, we will reserve the right to take action on our own.”

The next day, Biden called together his top advisors, including key players from the Department of Justice and the Department of Homeland Security, for a ransomware strategy session in the White House Situation Room. It’s not clear yet what the brainstorming produced, but the pressure is on the administration to end the ransomware scourge.

Crowdstrike co-founder and former CTO Dmitri Alperovitch and Russia expert and Director of the Wilson Center’s Kennan Institute Matthew Rojansky penned an op-ed urging Biden to give Russian President Vladimir Putin an ultimatum on ransomware. “If Putin chose to take the problem seriously, as Biden demands, Russian security officials could quickly identify and interdict the attackers and force them to unlock the data to stop the damage to businesses worldwide, including in the United States,” they wrote.

This article appeared in CSO Online. To read the rest of the article please visit here.

Photo by Artem Beliaikin on Unsplash

 

Articles

TSA’s pipeline cybersecurity directive is just a first step…

The new, hastily announced security directive requires US pipeline companies to appoint a cybersecurity coordinator and report possible breaches within 12 hours.

The Transportation Safety Administration (TSA), an arm of the US Department of Homeland Security (DHS), released a Security Directive on Enhancing Pipeline Cybersecurity. TSA released the document two days after the Biden administration leaked the details of the regulations and less than a month after the ransomware attack on Colonial Pipeline created a significant gas shortage in the Southeast US.

As a result of post-9/11 government maneuvering, the TSA gained statutory authority to secure surface transportation and ensure pipeline safety. The directive follows largely ineffective, voluntary pipeline security guidelines established by the TSA in 2010 and updated in 2018.

This new regulation requires that designated pipeline security companies report cybersecurity incidents to the DHS’s Cybersecurity and Infrastructure Security Agency (CISA) no later than 12 hours after a cybersecurity incident is identified. The TSA estimates that about 100 companies in the US would fall under the directive’s mandates.

This article appeared in CSO Online. To read the rest of the article please visit here.

 

Articles

SolarWinds, Exchange attacks revive calls for mandatory breach notification,…

Strong two-way communication between government and the private sector combined with a clear national breach notification policy will put a dent in cybercrime, experts say.

On the heels of three major cybersecurity incidents over the past six months—the SolarWinds and Microsoft Exchange supply chain attacks and the Colonial Pipeline ransomware attack—government officials and some in the private sector are reviving calls for better information sharing and national breach notification requirements.

“We seem to talk endlessly about information-sharing,” Michael Daniel, president and CEO of the Cyber Threat Alliance, a nonprofit that enables cybersecurity providers to share threat intelligence, said during a presentation at the RSA Conference last week. “Virtually every cybersecurity panel study or review for the last half-century seems to have an information-sharing recommendation in it. No one is really against information sharing in theory. Yet, information sharing never seems to quite work.”

“One of the reasons that companies feel uncomfortable talking about cybersecurity incidents or sharing information about cybersecurity incidents…is because they’re worried that somebody’s going to say, ‘Ha! You had terrible cybersecurity.'” Daniel tells CSO. “But the issue is that we actually don’t know what’s good or bad cybersecurity.” He calls for a “standard of care,” some better means of actually measuring what good cybersecurity constitutes.

This article appeared in CSO Online. To read the rest of the article please visit here.

 

Articles

Colonial Pipeline shutdown highlights need for better OT cybersecurity…

Experts weigh in on what the Colonial attack teaches critical infrastructure providers about preparation and incident response.

In one of the most disruptive cybersecurity incidents to take place in the United States, Georgia-based Colonial Pipeline announced late Friday that it was the victim of a cyberattack, later confirmed to be a ransomware attack. The company said it proactively took specific systems offline and halted all pipeline operations.

Colonial called in federal authorities and hired FireEye Mandiant to conduct an incident response investigation. On Sunday, the third day of its shutdown, Colonial said it was developing a system restart plan while keeping its four main oil lines offline. The company said it would bring its “full system back online only when we believe it is safe to do so, and in full compliance with the approval of all federal regulations.”

News of Colonial’s shutdown reverberated all weekend throughout the cybersecurity world, given how critical Colonial’s pipeline business is to the nation’s economic health. Colonial transports 2.5 billion barrels of oil per day to the eastern US and connects to 30 refineries and almost 300 distribution terminals. It carries gas and other fuel from Texas to the Northeast, delivering around 45% of the fuel consumed on the East Coast.

The criticality of Colonial Pipeline to the national infrastructure became clear late Sunday when the Biden administration issued emergency waivers in response to the cyberattack, lifting limits on the transportation of fuels by road as fears of shortages begin to put upward pressure on oil and gas prices. Commerce Secretary Gina Raimondo said that the President had been briefed, and it’s an “all-hands-on-deck” situation to ensure the attack doesn’t disrupt the US oil supply.

This article appeared in CSO Online. To read the rest of the article please visit here.

Photo by SELİM ARDA ERYILMAZ on Unsplash

 

Articles

Task force proposes framework for combatting ransomware

A diverse coalition of experts from business and the public sector present 48 recommendations for solving the ransomware crisis, including international cooperation and regulating cryptocurrencies.

Ransomware, the “perfect crime” of the internet era, is spreading rapidly, growing according to some accounts by 150% or more in 2020. There are no signs of a slow-down in 2021. The average ransom demanded by attackers jumped 43% from Q4 2020 to Q1 2021 to $220,298 as threat groups target bigger and more vulnerable organizations, from police forces to hospitals to municipal school districts.

Two significant factors aid the inevitability of ransomware. The first is the ease with which cybercriminals can earn money from their ransomware endeavors. The second factor bolstering the ransomware market is the inability of law enforcement or government officials to do much of anything about these kinds of attacks.

Acknowledging that the ransomware problem has gone from bad to worse, the Biden administration’s Justice Department has launched a task force that reportedly targets the entire digital ecosystem that supports ransomware. That task force consists of the Justice Department’s criminal, national security, and civil divisions, the Federal Bureau of Investigation (FBI), and the Executive Office of US Attorneys, which supports the 93 top federal prosecutors across the country.

Now a 60-plus member coalition of volunteer experts from industry, government, law enforcement, insurers, international organizations, and other areas has put forth a comprehensive framework of 48 actions that government and industry can pursue to disrupt the ransomware market. The Ransomware Task Force, primarily organized by the Institute for Security and Technology, is issuing a report today called Combatting Ransomware, A Comprehensive Framework for Action: Key Recommendations from the Ransomware Task Force.

This article appeared in CSO Online. To read the rest of the article please visit here.

 

Articles

Sprite Spider emerging as one of the most destructive…

Having flown under the radar for several years, the Sprite Spider group is using a ransomware code suite that is effective and hard to detect.

At the recent SANS Cyber Threat Intelligence Summit, two CrowdStrike cybersecurity leads, Senior Security Researcher Sergei Frankoff and Senior Intelligence Analyst Eric Loui, offered details on an emerging major ransomware actor they call Sprite Spider. Like many other ransomware attackers, the gang behind Sprite Spider’s attacks has grown rapidly in sophistication and damage capacity since 2015.

Today Sprite Spider is poised to become one of the biggest ransomware threat actors of 2021 and has a threat profile on par with what advanced persistent threat actors were five or ten years ago. Sprite Spider’s rise as a sophisticated threat is not surprising given that it, like many other organized ransomware gangs are filled with hackers who are often gainfully employed by nation-state threat actors.

This article appeared in CSO Online. To read the rest of the article please visit here.

Photo by Dev Leigh on Unsplash