The FBI's Perspective on Ransomware

 

Ransomware: contemporary threats, how to prevent them and how the FBI can help#

Ransomware attacks are a type of cybercrime that have gained significant attention in recent years. These attacks involve the encryption of a victim's computer or network by an attacker, who then demands payment in exchange for the decryption key. The consequences of a ransomware attack can be severe, including the loss of sensitive or personal information, disruption of operations, and financial loss. The FBI, as a federal law enforcement agency, has a vested interest in combating ransomware and other cyber threats. In this article, we will explore the FBI's perspective on ransomware, including how it investigates and responds to these attacks and the measures it takes to prevent them.

The FBI considers ransomware to be a serious and growing threat that affects both individuals and businesses. In response to this threat, the FBI has a number of tools and resources at its disposal. One of these is the Internet Crime Complaint Center (IC3), which is a centralized repository for cybercrime complaints. Through the IC3, individuals and organizations can report a ransomware attack and help the FBI gather intelligence and build cases against those responsible.

In addition to its work through the IC3, the FBI also conducts proactive investigations into ransomware and other cyber threats. This includes working with other government agencies, such as the Department of Homeland Security and the National Cybersecurity and Communications Integration Center, as well as international partners and the private sector. The FBI's National Cyber Investigative Joint Task Force (NCIJTF) brings together more than 20 federal agencies to share information and resources in the fight against cybercrime, while the Cyber Action Team (CAT) is a rapid-response unit that can deploy to the scene of a cyber incident to provide on-the-ground support.

One of the challenges that the FBI faces in combating ransomware is the constantly evolving nature of the threat. Cybercriminals are constantly developing new ways to carry out attacks and evade detection, which can make it difficult for law enforcement and other organizations to keep up. To address this challenge, the FBI has a number of programs and initiatives in place to improve its ability to respond to ransomware and other cyber threats. This includes partnering with industry experts and academics to stay up-to-date on the latest trends and techniques used by attackers.

Prevention is also a key aspect of the FBI's approach to ransomware. While it is not always possible to prevent a ransomware attack, there are steps that individuals and organizations can take to reduce their risk. The FBI recommends a number of best practices, such as keeping software and systems up-to-date, implementing strong passwords and two-factor authentication, and regularly backing up important data. The FBI also works with industry partners to promote the adoption of industry-standard security practices and technologies, such as network segmentation and threat-hunting software.

In conclusion, the FBI views ransomware as a serious and growing threat that requires a multifaceted response. Through its investigations, partnerships, and prevention efforts, the FBI is working to protect individuals and organizations from this type of cybercrime and bring those responsible to justice.

In April 2021, Dutch supermarkets faced a food shortage. The cause wasn't a drought or a sudden surge in the demand for avocados. Rather, the reason was a ransomware attack. In the past years, companies, universities, schools, medical facilities and other organizations have been targeted by ransomware threat actors, turning ransomware into the internet's most severe security crisis.

The Ransomware Landscape#

Ransomware has existed for more than 30 years, but it became a lucrative source of income for cyber actors and gangs in the past decade. Since 2015, ransomware gangs have been targeting organizations instead of individuals. Consequently, ransom sums have increased significantly, reaching millions of dollars.

Ransomware is effective because it pressures victims in two, complementary ways. First, by threatening victims to destroy their data. Second, by threatening to publicize the attack. The second threat has an indirect impact, yet it is just as serious (if not more). Publication could trigger regulatory and compliance issues, as well as negative long-term brand effects.

Here are some examples of real ransomware notes:

Ransomware as a Service (RaaS) has become the most widespread type of ransomware. In RaaS attacks, the ransomware infrastructure is developed by cyber criminals and then licensed out to other attackers for their use. The customer attackers can pay for the use of software or they can split the loot with the creators. Etay maor, Senior Director Security Strategy at Cato Networks commented, "There are other forms of RaaS. After receiving the ransomware payment some Ransomware groups sell all the data about the victim's network to other gangs. This means the next attack is much simpler and can be fully automated as it does not require weeks of discovery and network analysis by the attackers."

Some of the major RaaS players, who are notorious for turning the RaaS landscape into what it is today, are CryptoLocker, who infected over a quarter million systems in the 2000s and profited more than $3 million in less than four months, CryptoWall, who made over $18 million and prompted an FBI advisory, and finally Petya, NotPetya and WannaCry who used various types of exploits, ransomware included.

How the FBI Helps Combat Ransomware#

An organization under attack is bound to experience frustration and confusion. One of the first recommended courses of action is to contact an Incident Response team. The IR team can assist with investigation, recuperation and negotiations. Then, the FBI can also help.

Part of the FBI's mission is to raise awareness about ransomware. Thanks to a wide local and global network, they have access to valuable intelligence. This information can help victims with negotiations and with operationalization. For example, the FBI might be able to provide profiler information about a threat actor based on its Bitcoin wallet.

To help ransomware victims and to prevent ransomware, the FBI has set up 56 Cyber Task Forces across its field offices. These Task Forces work closely with the IRS, the Department of Education, the Office of Inspector General, the Federal Protective Service and the State Police. They're also in close contact with the Secret Service and have access to regional forensics labs. For National Security cyber crimes, the FBI has a designated Squad.

Alongside the Cyber Task Force, the FBI operates a 24/7 CyWatch, which is a Watch Center for coordinating the field offices, the private sector and other federal and intelligence agencies. There is also an Internet Crime Complaint Center, ic3.gov, for registering complaints and identifying trends.

Preventing Ransomware Attacks On Time#

Many ransomware attacks don't have to reach the point where the FBI is needed. Rather, they can be avoided beforehand. Ransomware is not a single-shot attack. Instead, a series of tactics and techniques all contribute to its execution. By identifying the network and security vulnerabilities in advance that enables the attack, organizations can block or limit threat actors' ability to perform ransomware. Etay Maor added "We need to rethink the concept that "the attackers need to be right just once, the defenders need to be right all the time". A cyber attack is a combination of multiple tactics and techniques. As such, it can only be countered with a holistic approach, with multiple converged security systems that all share context in real time. This is exactly what a SASE architecture, and no other, offers the defenders".

For example, here are all the steps in a REvil attack on a well-known manufacturer, mapped out to the MITRE ATT&CK framework. As you can see, there are numerous phases that took place before the actual ransom and were essential to its "success". By mitigating those risks, the attack might have been prevented.

Here is a similar mapping of a Sodinokobi attack:

Maze attack mapping to the MITRE framework:

Another way to map ransomware attacks is through heat maps, which show how often different tactics and techniques are used. Here is a heat map of Maze attacks:

One way to use these mappings is for network analysis and systems testing. By testing a system's resilience to these tactics and techniques and implementing controls that can mitigate any risks, organizations reduce the risk of a ransomware attack by a certain actor on their critical resources.

How to Avoid Attacks - From the Horse's Mouth#

But don't take our word for it. Some ransomware attackers are "kind" enough to provide organizations with best practices for securing themselves from future ransomware attacks. Recommendations include:

• Turning off local passwords
• Using secure passwords
• Forcing the end of admin sessions
• Configuring group policies
• Checking privileged users' access
• Ensuring only necessary applications are running
• Limiting the reliance of Anti-Virus
• Installing EDRs
• 24 hour system admins
• Securing vulnerable ports
• Watching for misconfigured firewalls
• And more

Etay Maor of Cato Networks highlights "Nothing in what several Ransomware groups say organizations need to do is new. These best practices have been discussed for years. The reason they still work is that we try to apply them using disjoint, point solutions. That didn't work and will not work. A SASE, cloud native, architecture, where all security solutions share context and have the capability to see every networks flow and get a holistic view of the attack lifecycle can level the playing field against cyber attacks".

Ransomware Prevention: An Ongoing Activity#

Just like brushing your teeth or exercising, security hygiene is an ongoing, methodical practice. Ransomware attackers have been known to revisit the crime scene and demand a second ransom, if issues haven't been resolved. By employing security controls that can effectively mitigate security threats and having a proper incident response plan in place, the risks can be minimized, as well as the attackers' pay day. The FBI is here to help and provide information that can assist, let's hope that assistance won't be needed.