The Year the Tide Turned on Ransomware

December 30, 2021
A Year Marked by Escalating Ransomware Attacks

The past year saw a significant surge in ransomware incidents. Notably, the attack on Kaseya, a software firm, impacted approximately 1,500 organizations and caused widespread disruption. CD Projekt Red also suffered a breach that resulted in the theft of source code for popular titles such as Cyberpunk 2077 and The Witcher 3.

Critical Infrastructure Targeted

Hackers broadened their scope to include vital infrastructure in 2021. The Colonial Pipeline, a major American oil pipeline, and JBS, a large meat-processing company, were both targeted. Iowa New Cooperative, a farmers' alliance dealing in corn and soybeans, also fell victim to these attacks.

Government Response and Initial Successes

These attacks prompted a response from the U.S. government, which, after years of limited action, began to achieve some initial successes in combating the ransomware epidemic.

Formation of the Ransomware and Digital Extortion Task Force

In April, the Department of Justice established the Ransomware and Digital Extortion Task Force. This initiative followed what the DOJ termed the “worst year” for ransomware attacks and aimed to prioritize the disruption, investigation, and prosecution of related criminal activity.

Key Arrests and Bitcoin Seizures

The task force secured its first victory in May with the arrest of Alla Witte, a 55-year-old Latvian national, and subsequent charges related to her involvement in a transnational cybercrime organization responsible for TrickBot, a widely used banking trojan and ransomware tool.

Days later, the DOJ announced the seizure of $2.3 million in Bitcoin paid by Colonial Pipeline to the DarkSide ransomware gang for data recovery. A reward of up to $10 million was subsequently offered for information leading to the identification of DarkSide’s leaders.

Sanctions and Further Disruptions

The Treasury Department imposed sanctions on the Chatex cryptocurrency exchange for facilitating ransom payments, building on similar action taken against the Suex cryptocurrency exchange weeks earlier.

Disruption of the REvil Ransomware Gang

A significant win occurred in October with the disruption of the REvil ransomware gang. Prosecutors charged a 22-year-old Ukrainian national linked to the Kaseya attack and seized over $6 million in ransom funds associated with the group.

Following the Money: A Successful Tactic

The U.S. government’s focus on tracing financial transactions was praised by cybersecurity experts. Chainalysis, a blockchain analysis firm, highlighted the Treasury’s action against Suex as a “big win,” emphasizing the importance of dismantling the mechanisms used by ransomware operators to convert cryptocurrency into cash.

Morgan Wright, chief security advisor at SentinelOne, stated that removing the financial incentive is crucial to curbing ransomware activity.

Rewards and Incentives for Information

The government’s offer of substantial rewards, such as the $10 million bounty for information on DarkSide and REvil, was seen as a way to encourage internal conflicts within ransomware groups. Jake Williams, CTO at BreachQuest, suggested this could undermine trust within the ransomware-as-a-service model.

Skepticism Regarding Long-Term Impact

Despite these efforts, some experts remain skeptical about the long-term effectiveness of these actions. Jonathan Trull at Qualys argued that the potential for apprehension and imprisonment doesn’t outweigh the substantial profits generated by these criminal enterprises.

An Asymmetric Battle

Trull further noted that the battle against ransomware is inherently asymmetric, with limited law enforcement resources available to address the sheer volume and complexity of investigations globally.

Limited Victories and Political Statements

Wright echoed this sentiment, characterizing the arrests and recovered funds as a “political statement” rather than a decisive victory, noting that $2.3 million represents a negligible amount compared to the billions lost to ransomware attacks.

The Rise of Ransomware-as-a-Service (RaaS)

Experts anticipate that the Ransomware-as-a-Service (RaaS) model will continue to thrive in 2022, making it more challenging for law enforcement to identify and prosecute operators.

Evolving Attack Chains

Multi-staged attack chains, beginning with phishing and culminating in data theft and ransomware deployment, are expected to become more common, potentially compromising even highly secure networks.

Increased Collaboration Between Public and Private Sectors

Trull predicted increased collaboration between the U.S. government and the private sector in 2022, emphasizing the need for a combined approach involving enforcement actions, system hardening, data backup strategies, and effective incident response.

Impact on Cybercrime Forums

Government actions have had a noticeable impact on the cybercrime landscape, leading to ransomware groups being ostracized from some popular hacking forums. One group even resorted to creating a fake company to recruit unsuspecting IT professionals.

A Changing Landscape

Brett Callow, a ransomware expert at Emsisoft, observed that ransomware gangs are facing less acceptance on certain cybercrime forums than in the past.