The U.S. government has launched a series of initiatives aimed at disrupting the operations of cybercriminals who launch ransomware attacks.
Gen. Paul Nakasone, head of U.S. Cyber Command and director of the National Security Agency, disclosed this week that the military has “conducted a surge” over the past three months to help deter ransomware attacks on U.S. interests.
Nakasone declined to elaborate on the specifics of any of those operations, but they occurred as other branches of the U.S. government also stepped up their efforts. The U.S. Department of Justice (DoJ) extradited from South Korea a Russian man accused of being part of a cybercrime ring that infected millions of computers worldwide. At his arraignment in a federal court in Ohio, prosecutors alleged that Vladimir Dunaev is part of a criminal group that since 2015 has tried to steal millions of dollars from victims around the globe using tools such as the malicious Trickbot software, which captures both credentials and banking information.
The South Korean Ministry of Justice originally arrested Dunaev last June at Incheon International Airport, but it’s not clear why the Russian national was in South Korea. The U.S. does not have an extradition treaty with Russia, which makes arrests of Russian nationals engaged in cybercrime rare.
The U.S. State Department, however, is ratcheting up the pressure on cybercriminals. It is now offering a $10 million reward for information leading to the identification or location of key leaders of the group that launched a ransomware attack against Colonial Pipeline last May.
Collectively, these efforts appear to be having an impact. The BlackMatter ransomware operation has announced it is shutting down due to “pressure from the authorities.” The BlackMatter group, which emerged last July, is thought to be responsible for numerous attacks against U.S. companies, including the recent attack on NEW Cooperative, an Iowa-based farm service provider that was hit with a $5.9 million ransom demand to unlock its systems. BlackMatter also hit Olympus in September, forcing the shutdown of the Japanese conglomerate’s Europe, Middle East, and Africa network.
An advisory issued last month by the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the National Security Agency (NSA) warned that the group was targeting multiple organizations responsible for critical infrastructure. Emsisoft, a provider of anti-virus software, claims to have prevented “tens of millions of dollars” in ransom payments by uncovering a flaw in the encryption process used by the BlackMatter group. That flaw has enabled ransomware victims to recover encrypted files without having to pay the ransom.
It’s not clear to what degree the shutdown is permanent, or whether it is simply a ruse through which the operators of the ransomware-as-a-service (RaaS) platform will reconstitute themselves under another moniker. However, there are reports that Russia and the U.S. have generally agreed to seek a common set of “rules of the road” to prevent malicious cyberattacks as part of a newfound shared commitment to cybersecurity, so a substantive change may be occurring.
All these efforts naturally bring some sense of relief to cybersecurity professionals. The war against cybercriminal gangs is far from over. However, for the first time ever, governments around the world are starting to put in place the mechanisms required to at least curb a ransomware crime spree that has become a global scourge.
Mike Vizard has covered IT for more than 25 years and has edited or contributed to a number of tech publications including InfoWorld, eWeek, CRN, Baseline, ComputerWorld, TMCNet, and Digital Review. He currently blogs for IT Business Edge and contributes to CIOinsight, The Channel Insider, Programmableweb, and Slashdot. Mike also blogs about emerging cloud technology for SmarterMSP.