
U.S. Government Response to the Growing Threat of Ransomware

By: Patrick Wallenhorst, Intelligence Operations Team Lead

Ransomware attacks skyrocketed in 2020 and not a single industry was spared. Although healthcare and education organizations seemed to be the primary targets, cybercriminals attacked anyone they thought they could profit from. The trend has not slowed down in the first month of 2021 and experts believe it may only get worse. However, the overwhelming increase in ransomware attacks, combined with the recent SolarWinds attack, has put cybersecurity at the forefront of the minds of government officials, law enforcement agencies, and policy makers. 2021 will see a massive emphasis on cybersecurity policy, education, and methods of protection.

What Has Already Been Done?

OFAC and FinCEN Advisories

On October 1st, 2020, the US Department of the Treasury’s Office of Foreign Assets Control (OFAC) issued an advisory on the potential sanctions for organizations that facilitate ransomware payments to individuals and entities on OFAC’s Specially Designated Nationals and Blocked Persons (SDN) list. The advisory stated that companies that facilitate ransomware payments to cyber actors on behalf of victims, including financial institutions, cyber insurance firms, and companies involved in digital forensics and incident response, not only encourage future ransomware payment demands but also may risk violating OFAC regulations. The advisory cited the International Emergency Economic Powers Act (IEEPA) and the Trading with the Enemy Act (TWEA) as authorities that prohibit American citizens from engaging in transactions, directly or indirectly, with entities on the SDN list. OFAC also made it very clear that the timely reporting of a ransomware attack to law enforcement by a victim organization would be a large mitigating factor when determining an appropriate outcome in terms of sanctions.

In addition to the OFAC advisory, the Financial Crimes Enforcement Network (FinCEN) also released an advisory on October 1st, 2020. The FinCEN advisory noted that the rise in ransomware attacks has caused an increase in the need for services from organizations such as Digital Forensics and Incident Response (DFIR) firms and Cyber Insurance Companies (CIC). DFIR firms and CICs are often hired by ransomware victims to facilitate ransomware payments to cybercriminals. The FinCEN advisory states that, depending on the circumstances of the payment, DFIR firms and CICs may need to register as a money services business (MSB) with FinCEN. Additionally, they are subject to the Bank Secrecy Act, and a ransomware payment may need to be filed as a Suspicious Activity Report (SAR) with FinCEN.

Following the advisories’ release, Binary Defense analysts monitored several Dark Web forums where threat actors discussed the sanctions and how they would impact the future of ransomware. Several users on these forums felt that this would not affect ransomware payments at all, while others thought this might be the beginning of the end of the success of ransomware. In a panel discussion on the show “Essence of Wonder With Gadi Evron,” ransomware negotiators discussed the impact of the advisories. Although the negotiators felt it has not slowed the number of ransomware attacks, it has made payments to threat actors much more difficult and has caused political figures and policy makers to focus more on ransomware.

2021 National Defense Authorization Act

On January 1st, 2021, the National Defense Authorization Act (NDAA) for fiscal year 2021 officially became law. The legislation, which provides $740 billion for defense spending, includes 77 cybersecurity provisions. Several of the provisions seek to bolster the nation’s cybersecurity framework and improve both offensive and defensive cybersecurity abilities. The legislation will further strengthen federal networks and will authorize the Cybersecurity and Infrastructure Security Agency (CISA) to conduct threat hunting on federal networks unilaterally. Additionally, the legislation provides qualifications for the CISA director.

The NDAA also calls for several new cyber positions, such as Principal Cyber Advisor, National Cyber Director (NCD), Cybersecurity State Coordinators for every state, and a Cybersecurity Advisory Committee to advise, consult and report to the Cyber Director. The NDAA also equips the CISA Director and the NCD with subpoena authority. This means that if a system connected to the Internet with a specific security vulnerability is believed to relate to critical infrastructure, and the Director is unable to identify the entity at risk that owns or operates the device, the Director may issue a subpoena for the production of information necessary to identify and notify such entity at risk.

Along with new positions, the NDAA establishes a Joint Cyber Planning Office within the Department of Homeland Security. The goal of the new office is to develop plans for cyber defense operations to protect against and recover from cybersecurity incidents, and to defend against malicious cyber operations that pose a threat to critical infrastructure in both the private and public sector.

The NDAA also requires the Secretary of Defense to conduct a review and assessment of ongoing public-private collaborative initiatives involving the Department of Defense and the private sector related to cybersecurity. The review must take place within 120 days of the NDAA being enacted. This is not the only new reporting criteria as the Secretaries of the military branches must now submit a monthly report to Congress that documents any cross-domain incident within the Department of Defense. Cross-domain incident is defined by the NDAA as “any unauthorized connection of any duration between software, hardware, or both that is either used on, or designed for use on a network or system built for classified data, and systems not accredited or authorized at the same or higher classification level, including systems on the public internet, regardless of whether the unauthorized connection is later determined to have resulted in the exfiltration, exposure, or spillage of data across the cross domain connection.”[1]

This blog post does not serve as an all-inclusive review of all 77 cybersecurity provisions included in the NDAA. The bill in its entirety can be found at https://www.congress.gov/bill/116th-congress/house-bill/6395.

Law Enforcement Action Against Cybercrime

Law enforcement agencies at every level have been challenged with the threat of ransomware attacks. Several federal law enforcement agencies warned the public about cybercrimes throughout 2020 and they reacted appropriately according to the evolving threats that surfaced. In September of 2020, FBI director Christopher Wray announced the FBI’s new cyber strategy. Director Wray recognized that cyber threats can’t be combatted by a single agency or government, and that the FBI would be an indispensable partner to federal counterparts, foreign law enforcement and private sector partners.

The FBI has clearly made cybercrime a high priority judging by their actions in early January of this year. On January 27th, 2021, the Department of Justice (DOJ) announced that a coordinated international law enforcement operation successfully took down the NetWalker Ransomware leak site, including the arrest of a Canadian national believed to be affiliated with the NetWalker group. The Bulgarian National Investigation Service assisted the investigation and seized the dark web site used by NetWalker. Following the takedown, acting assistant attorney general Nicholas McQuaid of the DOJ’s criminal division said, “We are striking back against the growing threat of ransomware by not only bringing criminal charges against the responsible actors, but also disrupting criminal online infrastructure and, wherever possible, recovering ransomware payments extorted from victims.”[2]

On January 28th 2021, the DOJ announced that a separate international law enforcement operation was responsible for dismantling the Emotet Botnet. This operation saw cooperation between police in the US, Netherlands, Germany, the UK, France, Ukraine, Canada, and Lithuania. Based on reports from Ukrainian and Netherlands law enforcement, investigators seized upper tier servers for the botnet. Emotet malware infected more than 1.6 million computers and caused millions of dollars in damage worldwide.

On February 9th, it was reported that the Ukrainian Cyber-police, in coordination with the FBI and Australian law enforcement, arrested the author of the world’s largest phishing service: U-Admin, a phishing toolkit responsible for over half of phishing attacks in Australia in 2019 and used to attack financial institutions in multiple countries. The Emotet takedown, paired with this arrest, may signal that Ukraine is no longer the safe haven for cybercriminals that it is believed to be.

Federal agencies aren’t just fighting ransomware through law enforcement action. Agencies have launched education campaigns to ensure the public is aware of current threats. The National Cyber Investigative Joint Task Force (NCIJTF) comprises over 30 agencies from law enforcement, the intelligence community and the Department of Defense. On February 5th, the NCIJTF released an educational product designed to inform the public of the growing threat of ransomware. The NCIJTF convened an interagency group of over 15 different government agencies to focus on the prevention of and response to ransomware. The fact sheet can be found at https://www.ic3.gov/Content/PDF/Ransomware_Fact_Sheet.pdf. CISA has also created a dedicated ransomware webpage providing guidance and advice on how to protect against ransomware. The page has several links and infographics meant to inform the public. The site can be accessed at https://www.cisa.gov/ransomware.

The American Rescue Plan details plans to strengthen cybersecurity

The American Rescue Plan, President Biden’s $1.9 trillion Covid-19 plan, includes $9 billion to strengthen the US cybersecurity capabilities as well as CISA. The White House website calls it “the most ambitious effort ever to modernize and secure federal IT and networks.” The plan aims to surge hiring in the cybersecurity and engineering field and provide cyber experts to support the federal Chief Information Security Officer. Additionally, it will provide $690 million to CISA to enhance security monitoring and incident response activities within the federal government. On Friday February 5th, it was announced that the House of Representatives hopes to pass the bill within two weeks. To date, the bill has not been passed.

Take steps to avoid being a ransomware victim

Ransomware will not disappear anytime soon. Cybercriminals are still profiting from the attacks too much for them to quit now. That being said, the recently-enacted and pending legislation shows that government officials are taking the threat seriously. The joint law enforcement relationships being leveraged are promising and will hopefully continue to be successful. To ensure success, individuals and organizations in the private sector need to take action now in order to protect themselves from the threat of ransomware. Security professionals have plenty of resources available to leverage to stay up-to-date on the latest threats. Threat Watch, Binary Defense’s free daily newsletter, is one such resource. Organizations cannot afford to assume employees are educated on the most recent threats, malware, phishing scams, and ransomware techniques—cybersecurity awareness training should be a part of a company’s culture.

Threat actors typically do not deploy the ransomware immediately, but instead take hours or even days to learn the network layout, escalate their privileges to take over administrator accounts, and then use automation scripts to deploy the ransomware on as many computers across the enterprise as possible. The actions taken by the attackers during this phase are detectable through endpoint monitoring, as long as skilled security analysts are watching the security event logs. Many ransomware attacks have been averted or mitigated by quick response from security personnel. Organizations that do not have a strong 24/7 Security Operations Center should consider partnering with a Managed Security Service Provider. Binary Defense offers 24/7 monitoring of SIEM and Managed Detection and Response services through our Security Operations Task Force, which has stopped many attacks in the early stages and thwarted the attackers’ goals before they were able to do damage.
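The pre-deployment phase described above (privilege escalation followed by scripted fan-out to many hosts) is what endpoint and SIEM monitoring can catch. The following is an added example, not code from Binary Defense or from this post, of a simple correlation rule over constructed sample security-event lines: it looks for a user being added to an administrative group and then, within a time window, executing remotely on an unusually large number of distinct hosts. The pipe-delimited line format, the event names (`group_add`, `remote_exec`, `service_install`), the group list, the two-hour window and the five-host threshold are all assumptions chosen for illustration; map them onto your own log schema and tune the thresholds to your environment.

```python
"""
Added example (not from the original post): correlate an admin-group
addition with a subsequent burst of remote execution across many hosts.
Log format and field names are assumptions for this example.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed tuning knobs; adjust to the environment being monitored.
ADMIN_GROUPS = {"Domain Admins", "Administrators", "Enterprise Admins"}
FANOUT_EVENTS = {"remote_exec", "service_install"}
WINDOW = timedelta(hours=2)   # how long after escalation to keep correlating
HOST_THRESHOLD = 5            # distinct hosts that count as suspicious fan-out

# Constructed sample events: timestamp|host|user|event|key=value;key=value
SAMPLE_EVENTS = [
    "2021-02-10T01:05:30Z|DC-01|jsmith|group_add|group=Domain Admins;member=jsmith",
    "2021-02-10T01:20:10Z|WS-001|jsmith|remote_exec|cmd=run.bat",
    "2021-02-10T01:21:05Z|WS-002|jsmith|remote_exec|cmd=run.bat",
    "2021-02-10T01:21:40Z|WS-003|jsmith|remote_exec|cmd=run.bat",
    "2021-02-10T01:22:15Z|WS-004|jsmith|service_install|name=upd",
    "2021-02-10T01:22:50Z|WS-005|jsmith|remote_exec|cmd=run.bat",
    "2021-02-10T01:23:30Z|WS-006|jsmith|remote_exec|cmd=run.bat",
    "2021-02-10T01:23:31Z|WS-006|jsmith|remote_exec|cmd=run.bat",   # same host, counted once
    # A routine admin: escalation followed by only two hosts, then one far outside the window.
    "2021-02-10T03:00:00Z|DC-01|itadmin|group_add|group=Administrators;member=itadmin",
    "2021-02-10T03:10:00Z|SRV-01|itadmin|remote_exec|cmd=patch.ps1",
    "2021-02-10T03:12:00Z|SRV-02|itadmin|remote_exec|cmd=patch.ps1",
    "2021-02-10T06:00:00Z|WS-009|itadmin|remote_exec|cmd=patch.ps1",
]


@dataclass
class Event:
    ts: datetime
    host: str
    user: str
    kind: str
    detail: dict


def parse_line(line: str) -> Event:
    """Parse one pipe-delimited event line into an Event."""
    ts, host, user, kind, detail = line.split("|", 4)
    fields = dict(kv.split("=", 1) for kv in detail.split(";") if kv)
    return Event(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), host, user, kind, fields)


def detect_escalation_fanout(lines, window=WINDOW, host_threshold=HOST_THRESHOLD):
    """Return one alert per admin-group addition that is followed, within
    `window`, by fan-out events from the added member on >= host_threshold
    distinct hosts. Events are sorted by time so the input order is irrelevant."""
    events = sorted((parse_line(l) for l in lines), key=lambda e: e.ts)
    alerts = []
    for i, ev in enumerate(events):
        if ev.kind != "group_add" or ev.detail.get("group") not in ADMIN_GROUPS:
            continue
        actor = ev.detail.get("member", ev.user)   # the account that gained privileges
        hosts = set()
        first_exec = None
        for later in events[i + 1:]:
            if later.ts - ev.ts > window:           # sorted, so we can stop here
                break
            if later.user == actor and later.kind in FANOUT_EVENTS:
                hosts.add(later.host)
                first_exec = first_exec or later.ts
        if len(hosts) >= host_threshold:
            alerts.append({
                "user": actor,
                "group": ev.detail["group"],
                "escalated_at": ev.ts.isoformat(),
                "first_exec_at": first_exec.isoformat(),
                "host_count": len(hosts),
                "hosts": sorted(hosts),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_escalation_fanout(SAMPLE_EVENTS):
        print(f"ALERT: {alert['user']} added to {alert['group']} at "
              f"{alert['escalated_at']}, then reached {alert['host_count']} hosts "
              f"starting {alert['first_exec_at']}: {', '.join(alert['hosts'])}")
```

On the constructed input the rule fires once, for `jsmith` (six distinct hosts within twenty minutes of the group change), and stays silent for `itadmin`, whose two in-window hosts fall under the threshold. The value of the rule is the correlation itself: a group change alone is routine, and remote execution on a handful of hosts is routine, but both together in a short window are exactly the pre-deployment pattern the post describes and worth an analyst's immediate attention.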

A relatively new technique used by ransomware operators targets executive employee accounts in order to expand their access. The Binary Defense Counterintelligence team conducts deep dive investigations for specific employees to ensure their information has not been compromised on the Dark Web. They can continuously monitor Dark Web markets and forums on behalf of our clients to alert them any time company or employee information appears. In doing so, the company can take proactive defensive steps to prevent damage and financial loss.

[1] National Defense Authorization Act for Fiscal Year 2021 SEC. 1727 Sub SEC. a paragraph 3.

[2] The United States Department of Justice, Department of Justice Launches Global Action Against NetWalker Ransomware, justice.gov, Department of Justice, 27 January 2021, https://www.justice.gov/opa/pr/department-justice-launches-global-action-against-NetWalker-ransomware