The wheels of justice may grind slowly but when it comes to ransomware the pace at which cybercriminals are being arrested appears to be picking up.
The U.S Department of Justice (DoJ) unsealed an indictment of Yaroslav Vasinskyi, a Ukrainian national arrested while in Poland, that charges him with participating in multiple ransomware attacks, including the infamous attack made against Kaseya, using Sodinokibi/REvil ransomware.
The DoJ also announced it seized $6.1 million traced alleged ransom payments received by Yevgeniy Polyanin, a Russian national, who is also charged with conducting Sodinokibi/REvil ransomware attacks against multiple victims, including businesses and government entities in Texas.
Separately, the U.S. is seeking the extradition of Denis Dubnikov, a Russian accused of laundering money in connection with ransomware attacks against multiple U.S. hospitals. He is being detained in the Netherlands at the request of the FBI, according to his lawyer, after being accused of receiving more than $400,000 in cryptocurrency tied to ransom payments.
These moves come on the heels of a series of arrests that have been made in recent weeks. The U.S. Treasury Department is also continuing to increase its efforts to convince allies to step up enforcement of laws designed to limit usage of cryptocurrency to make ransomware payments as U.S. Deputy Treasury Secretary Wally Adeyemo visits the Middle East.
It’s not clear to what degree these actions will reduce the volume of ransomware attacks being made. Europol has published its annual Internet Organised Crime Threat Assessment (IOCTA) 2021 report that among other things notes that not only have the size of ransomware payments increased in the last year they are also becoming more sophisticated. Cybercriminals are spending more time inside networks researching targets and escalating their privileges using exploits such as Metasploit, Cobalt Strike and Mimikatz to spread malware laterally, the report noted.
The report also warns cybercriminals now also starting to use fileless malware to avoid common detection methods that scan for malicious file attachments or the creation of new files. Fileless ransomware attacks use native scripting languages to write malicious code directly into system memory or they employ tools residing on the system such as PowerShell to encrypt files.
A separate report published by Ivanti, Cyber Security Works and Cyware finds there has been a 4.5% increase in the number of common vulnerabilities and exposure (CVEs) associated with ransomware and a similar 4.5% increase in actively exploited and trending vulnerabilities in the third quarter alone. There was also a 3.4% increase in ransomware families discovered and a 1.2% increase in older vulnerabilities now being used in ransomware attacks.
As pressure from law enforcement agencies around the world continues to increase it’s probable more cybercriminal gangs will go further underground. That doesn’t mean the number of ransomware attacks will decline. It just means cybercriminals won’t be visiting countries where they can be easily apprehended. In fact, the ransomware wars may only be entering a new phase where the attacks themselves may be simultaneously less brazen but, nevertheless, more lethal than ever.
Mike Vizard has covered IT for more than 25 years and has edited or contributed to a number of tech publications including InfoWorld, eWeek, CRN, Baseline, ComputerWorld, TMCNet, and Digital Review. He currently blogs for IT Business Edge and contributes to CIOinsight, The Channel Insider, Programmableweb, and Slashdot. Mike also blogs about emerging cloud technology for SmarterMSP.