12.05.2021

Ransomware: hacker pranks or an element of hybrid warfare? GC3 look

Ransomware is a rapidly growing threat that has recently become a global problem. Attackers use such programs to lock up computer systems by encrypting the data on them, and then demand payment to restore access. According to US news agencies, these programs have hit every kind of organization in recent years, from banks and hospitals to universities and municipalities. Last year alone, nearly 2,400 organizations in the United States fell victim to such attacks. Experts say attackers are increasingly targeting the industrial sector, because those firms are more willing to pay to regain control of their systems.

Ransomware is not merely a software product used for financial extortion; it is a crime that ignores the boundaries between business, government and academia, and geographic borders as well. Its operators also struck the health sector during the COVID-19 pandemic, and their attacks have led to the shutdown of schools, hospitals, police stations, government agencies and U.S. military facilities. It is a crime that channels both private and public funds to global criminal organizations. Proceeds from extortion can fund further illicit activity, ranging from human trafficking to the development and proliferation of weapons of mass destruction.

Statistics as of May 2021:

  • 21 days – the average downtime of a system following a ransomware attack[1].
  • 287 days – the average time it takes a company to fully recover from a ransomware attack[2].
  • $350 million – the total paid by ransomware victims during 2020 (311% more than in 2019)[3].
  • $312,493 – the average single ransom payment made in 2020 to unlock a computer system hit by ransomware (171% more than in 2019)[4].

In March this year, Acer was attacked by hackers. Using the REvil ransomware, the attackers demanded from the Taiwanese manufacturer the largest known ransom to date: $50 million.
In early May, the American fuel company Colonial Pipeline, which supplies fuel to the US East Coast, was forced to shut down some of its systems to contain a large-scale cyberattack. Colonial Pipeline transports about 2.5 million barrels of refined fuel daily, accounting for 45% of all fuel consumed on the East Coast of the United States. As a result of the shutdown of this, the largest fuel operator, the US government declared a regional emergency in 18 states[5]. According to subject matter experts and journalists, the DarkSide group, which allegedly operates from the territory of the Russian Federation, may be behind this cyberattack.

Despite the statement DarkSide published on May 10, in which the group claimed to be apolitical and unaffiliated with any government body, attacks on critical infrastructure are an element of hybrid warfare waged under the controlled "non-interference" of intelligence services.

Earlier, in February this year, the DarkSide group was involved in cyberattacks on Brazilian energy companies[6].

It is noteworthy that the victims of ransomware are mostly organizations and companies from the United States, Great Britain, Australia and Brazil[7].


Based on its study of the recent incidents in which ransomware disrupted the operation of computer systems, the Global Cyber Cooperative Center (GC3) has developed the following recommendations:

  • Public and private organizations need a clear, rapid response plan for the event that their computer systems and networks are locked.
  • All cyberattacks and all payments made to unlock computer systems must be reported to law enforcement and to specialized non-governmental organizations, together with the details of the incident.
  • Any ransom payment should be reported as soon as possible: prompt reporting can help freeze the funds, enabling compensation of victims and denying the criminals their proceeds.
  • Public organizations and private companies need to invest in training that helps identify and eliminate the causes and conditions that enable ransomware, and in preparing each organization for an incident in which its systems are locked.
  • Ransomware criminals thrive on the belief that their crimes are anonymous. Private business should be involved in funding rewards for bringing to justice the principal actors who develop and deploy ransomware. Such people must be de-anonymized, and their coexistence alongside law-abiding citizens must be made uncomfortable.

[1] https://www.coveware.com/blog/ransomware-marketplace-report-q4-2020
[2] https://blog.emsisoft.com/en/37314/the-state-of-ransomware-in-the-us-report-and-statistics-2020
[3] https://blog.chainalysis.com/reports/ransomware-ecosystem-crypto-crime-2021
[4] https://unit42.paloaltonetworks.com/ransomware-threat-assessments
[5] https://www.securitylab.ru/news/519856.php
[6] https://www.securitylab.ru/news/516288.php
[7] https://securityandtechnology.org/wp-content/uploads/2021/04/IST-Ransomware-Task-Force-Report.pdf