Why it is so difficult to bring ransomware attackers to justice
An incident takes place. The police are investigating. A culprit is identified, apprehended and prosecuted.
This is generally the way we think about dealing with a crime. But as some ransomware victims may now discover, this process is much more complicated when the criminal is on another continent and the crime is taking place virtually.
A wave of ransomware attacks in recent months has compromised critical infrastructure and disrupted daily life in the United States and around the world, with a massive attack last week on software vendor Kaseya potentially impacting more than 1,000 companies around the world. Cyber researchers claim the attack was carried out by REvil, a group suspected of Russian ties that also hit meat processing company JBS Foods last month, Apple supplier Quanta Computer in April and electronics maker Acer in March.
And it’s not just REvil. Hackers with ties to Russia are believed to be behind the SolarWinds and Colonial Pipeline attacks. In addition, recent ransomware attacks on Microsoft and VPN company Pulse Secure have been linked to hackers in China.
Ransomware gangs have been extracting payments worth millions of dollars in recent months, and REvil is now demanding $70 million for a decryption tool following its attack on Kaseya. US authorities generally discourage companies from paying ransoms, on the grounds that this only emboldens cybercriminals.
Bringing them to justice, however, is a more complex process involving a network of local, federal and even international authorities. The process can take years with no guarantee of success. And during this time, the number of ransomware attacks continues to grow.
Track them down
Leading hacker groups like REvil are often quick to take public credit for their attacks, but it can be extremely difficult to trace the real individuals behind these groups and their whereabouts.
Cybersecurity experts recommend that concerned organizations contact local law enforcement and the FBI. Other federal agencies, such as the Department of Homeland Security and the United States Computer Emergency Readiness Team (US-CERT), often get involved early in the process, too.
In April, the US Department of Justice launched a ransomware task force after what an agency memo described as the worst year ever for this type of cyberattack. The goal is to unify efforts across the federal government to prosecute and disrupt ransomware attackers.
“Hacker groups are part of organized criminal networks and often operate remotely and in a decentralized manner,” Beenu Arora, co-founder and CEO of cybersecurity firm Cyble, told CNN Business. “These actors often deploy intermediaries to communicate with each other,” he added.
According to Anup Ghosh, CEO of Fidelis Cybersecurity and a former Department of Defense researcher, the private companies that fall victim to these ransomware attacks are most often blind to “who actually attacked them” because of the sophistication of the attackers.
“Unlike a physical attack where you can make an identification, in cyberspace it is very difficult to make an attribution with certainty,” he said.
Cross-border pursuits
If the ransomware attackers are based in a different country, as is often the case, it forces US officials to pursue international cooperation and diplomacy that can slow down and further complicate the prosecution process.
“The main challenges in bringing international hacker groups to justice are having to conduct overseas operations through additional layers of bureaucracy from our international counterparts,” said Bret Fund, head of cybersecurity at the Flatiron School. “This includes less access to resources on the ground to investigate, gather intelligence and support prosecutions across borders.”
If that’s not enough, some countries are also using access to cybercriminals as a diplomatic bargaining chip, according to Bryan Hornung, CEO of cybersecurity firm Xact IT Solutions.
“Russia sees cyber attacks (…) as a way to sow discord and to cast a black eye on the United States and democracy,” Hornung said, pointing to Russia’s stated willingness to extradite criminals only if the United States reciprocates.
The code behind the REvil attack was written in such a way as to avoid Russian or related languages, according to a report by cybersecurity firm Trustwave SpiderLabs that was obtained by NBC News. The company said this was likely designed to avoid clashing with local law enforcement in the countries in which the group operates.
The Biden administration is intensifying its efforts to finalize a government-wide strategy on how to respond to ransomware attacks, and the National Security Council has been working to coordinate a plan of action in recent days, according to officials and experts involved in the discussions. Another meeting on the subject is scheduled for next week between US and Russian officials, White House press secretary Jen Psaki said on Wednesday.
President Joe Biden confronted Russian President Vladimir Putin on the scourge of ransomware attacks at a summit in Geneva last month, a meeting he referenced again this weekend shortly after the Kaseya attack.
“[If] it is either with the knowledge and/or the consequence of Russia, so I told Putin that we will respond,” the president said on Saturday.
Once the attackers or hacker groups have been located and prosecuted abroad – often with the help of law enforcement agencies such as Interpol and Europol – the next challenge is to bring them before the American judicial system.
The United States has extradition treaties with more than 100 countries, but there are dozens of others, including Russia and China, with which this is not the case. In these cases, US authorities often wait for hackers to travel to a friendlier country in order to capture and extradite them, as they did with Russian hackers Alexey Burkov (from Israel) in 2019 and Yevgeny Nikulin (from the Czech Republic) in 2018. (Burkov pleaded guilty to several charges against him and was sentenced to nine years in prison last June for operating websites that sold stolen data; Nikulin was sentenced to more than seven years in prison months later for hacking companies like LinkedIn and Dropbox.)
These extraditions can often take years, with US authorities having little control over the process and timing. Burkov and Nikulin, for example, were sentenced more than five years after their initial crimes allegedly took place. In Burkov’s case, the extradition process alone took almost four years.
“The United States is working with foreign authorities to locate the wanted persons and then to request the extradition of the person,” the Department of Justice says on its website. “However, the extradition case is handled by foreign authorities in foreign courts. Once the extradition request is submitted to the foreign government, the United States does not control the pace of the proceedings.”
While there is greater pressure to cooperate on cybersecurity concerns in the United States as well as in other countries, coordinating these responses turns into a race against time as new ransomware attacks continue to take place every week, if not every day.
“You can think of this as closer to organized crime and the kind of task force you’ve seen in the past against organized crime,” Ghosh said. “It takes a long time to really map these criminal gangs, understand their heads and eliminate them, and requires the cooperation of other countries, so these are longer timescales.”
™ & © 2021 Cable News Network, Inc., a WarnerMedia Company. All rights reserved.