Earlier this month, reports began to surface of a large-scale extortion campaign targeting the MOVEit Transfer file transfer software. Unlike a classic ransomware attack, the intruders did not encrypt systems: they stole data in bulk and threatened to publish it unless paid. Among the victims are high-profile companies, government entities, and healthcare services holding sensitive data. The attack fits into a global rise in ransomware and data extortion that exposes the limits of what government institutions and law enforcement agencies can do against this cyber threat.
The group behind this campaign is the Russia-linked CL0P ransomware group, tracked by various vendors as Lace Tempest, TA505, or FIN11. They primarily operate as a RaaS (Ransomware-as-a-Service) organization, renting the malicious software and infrastructure needed to run a ransomware campaign to other attackers (or pretty much anyone, for that matter). They partner with IABs (Initial Access Brokers) such as the Silence Group, whose job is to gain a foothold in the target’s network. CL0P runs an extortion website (“CL0P^_-LEAKS” on Tor) and is currently one of the most dangerous and prolific ransomware groups. Earlier this year they ran the same playbook against the ‘GoAnywhere MFT’ file transfer product, exploiting a zero-day vulnerability to steal data from over 100 organizations, which they began listing on their leak site in March.
A contact from within the CL0P group assured Reuters that they had no plans to target militaries, governments, police, or children’s hospitals with this attack. Despite these promises, multiple US and Canadian federal and state institutions have been hit; it is unclear whether the group kept or deleted the stolen data. Other victims include the American Board of Internal Medicine, the University of Rochester, and Zellis, a payroll provider whose customers include the BBC and Ireland’s national health service.
Another CL0P contact told BleepingComputer that their attacks began on May 27th, during Memorial Day weekend in the US. Long weekends and holidays are commonly chosen for attacks, since fewer staff are available to detect intrusions and defend the network.
Since June 14th, over thirty organizations have had their names posted to the CL0P extortion website to increase pressure to pay the ransom. Many companies have decided not to pay, instead publicly disclosing the breach and warning impacted customers. Progress released a patch for the initially exploited vulnerability on May 31st, followed by further patches for additional vulnerabilities found during its subsequent code review (one of them on June 9th). All companies with Internet-facing MOVEit Transfer systems should take them off the Internet until patched, check for signs of intrusion (unexpected files in the web root, unknown user or administrator accounts, unusual database activity, and large outbound transfers), remove any untrusted administrator accounts, and only then restore service.
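One of the checks above, reviewing the administrator list for accounts that do not belong, can be scripted against an account export. The script below is an added example, not code from the original post, from Progress, or from ThreatSTOP; the CSV column layout (username, role, created, last_login) is a hypothetical one chosen for illustration, not MOVEit Transfer’s real export format, and the sample rows are constructed. It flags any administrator that is missing from an approved baseline or that was created on or after the campaign’s reported start date.

```python
"""Audit an exported account list for administrator accounts that are not on
an approved baseline, or that were created during the known campaign window.

Added example (not from the original post, Progress, or ThreatSTOP). The CSV
columns below are an assumption for illustration, not MOVEit Transfer's
actual export format; adapt the column names to what your product exports.
"""
import csv
import io
from datetime import date, datetime

# Campaign start as reported to BleepingComputer: 27 May 2023 (US Memorial Day weekend).
CAMPAIGN_START = date(2023, 5, 27)

# Constructed sample export with a hypothetical column layout.
SAMPLE_EXPORT = """\
username,role,created,last_login
svc_backup,Admin,2021-03-04,2023-06-01
jdoe,Admin,2022-11-10,2023-06-10
healthcheck,Admin,2023-05-28,2023-05-28
mwilson,User,2023-05-29,2023-06-02
"""

# The administrator accounts you know should exist (take this from change
# records or a pre-incident backup, never from the live system being audited).
APPROVED_ADMINS = {"svc_backup", "jdoe"}


def parse_export(text):
    """Parse the CSV export into a list of dicts with a real date object."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({
            "username": row["username"].strip(),
            "role": row["role"].strip().lower(),
            "created": datetime.strptime(row["created"].strip(), "%Y-%m-%d").date(),
        })
    return rows


def find_suspicious_admins(rows, approved, campaign_start=CAMPAIGN_START):
    """Return (username, reason) pairs for administrator accounts to review.

    An account is reported if it is not in the approved baseline, or if it was
    created on or after the campaign start date, or both (reasons are joined).
    """
    findings = []
    for r in rows:
        if r["role"] != "admin":
            continue
        reasons = []
        if r["username"] not in approved:
            reasons.append("not in approved baseline")
        if r["created"] >= campaign_start:
            reasons.append("created on/after %s" % campaign_start.isoformat())
        if reasons:
            findings.append((r["username"], "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for name, why in find_suspicious_admins(parse_export(SAMPLE_EXPORT), APPROVED_ADMINS):
        print(f"REVIEW {name}: {why}")
```

On the sample data only `healthcheck` is reported, for both reasons; `mwilson` was also created during the campaign window but is not an administrator, so it is left alone. Two caveats: an intruder with administrative access can also alter or re-use existing accounts, so the baseline must come from a source the intruder could not edit (change tickets or a backup taken before May 27th), and a clean account list does not prove the system was not breached, only that this one indicator is absent.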
Cyberattacks are recognized as an increasingly dire threat to national security, and ransomware attacks in particular consistently damage the US economy. CL0P is not the only ransomware group with recent successes. According to the FBI, the LockBit group has conducted about 1,700 attacks in the US since 2020, collecting over $90 million in ransoms. Its leaders have evaded prosecution for years despite continued targeting of US businesses. In a show of confidence, the group’s public persona, LockBitSupp, has even offered a $1 million reward to anyone who can reveal his real identity.
Hospitals and critical infrastructure are increasingly common targets for ransomware attacks because of the critical nature of their data and functions. Not only are businesses going under, but US economic and physical security are damaged by these attacks: ransomware poses a “gray zone” warfare threat, as it is often used by nation-state actors (APTs) to conduct covert offensive actions against the US while maintaining plausible deniability.
This raises the question: what makes it so difficult for law enforcement agencies to prevent attacks, attribute blame, and punish the culprits? The next section covers some struggles and successes of American and international law enforcement in combating and attributing ransomware attacks.
Since the onset of this latest attack, the FBI and CISA have been working together to mitigate the damage to American businesses and are most likely attempting to track down the perpetrators. While law enforcement against digital crime tends to be difficult, US agencies have had some success in shutting down the activities of various groups in recent years. Occasionally, leading perpetrators are arrested by authorities abroad, often with the help of US intelligence and cooperation. In October 2021, a joint operation by Europol, police from seven European countries, the FBI, and the US Secret Service resulted in the arrest of 12 high-profile suspects linked to over 1,800 ransomware attacks.
In July 2022, the FBI infiltrated the Hive ransomware group’s network and, over the following months, quietly passed decryption keys to victims, saving them an estimated $130 million in ransom payments. In January 2023, the FBI worked with foreign governments to seize Hive’s servers and shut down its leak site, possibly after the intrusion was detected. While this operation is widely regarded as a success, no arrests were made, and servers and websites are replaceable. Maintaining a presence in a group’s network to gather intelligence is far more valuable to law enforcement than destroying its infrastructure, but monitoring does not always lead to arrests.
Even when the FBI manages to identify cyber criminals, many reside in countries that do not extradite to the US. Russia, for example, tends to protect hackers as long as they agree not to attack Russian infrastructure and are willing to do favors for the government. Threat actors in these countries are often sanctioned or have their identities exposed on the FBI’s “Cyber’s Most Wanted” list, neither of which has much effect on their ability to conduct attacks. International enforcement measures against ransomware (such as cryptocurrency regulation and binding extradition requirements for cybercriminals) would require international cooperation, which is difficult for policymakers to achieve in an increasingly divided world.
The ransomware threat continues to grow despite law enforcement efforts and successes. As more companies and critical infrastructure systems connect to the internet to store sensitive information or control remote functionality, attack surfaces are growing and becoming more profitable (and more dangerous) to exploit. The rise of cryptocurrency, businesses without security teams forced online during COVID, and global economic strain have all created an environment ripe for ransomware. Attackers have no shortage of targets willing to pay millions of dollars to recover or conceal sensitive data. Money is lost not only to downtime and permanently encrypted data; exposure of customers’ personal data can also bring costly fines if security measures are found lacking.
Despite the significant efforts and substantial resources that law enforcement dedicates to combating ransomware, the threat remains highly prevalent, constantly finding and attacking new victims. Companies are not defenseless, however, and can do a great deal to reduce their own exposure. Here are some general pointers for improving security against ransomware attacks:
Building on these security-conscious practices, ThreatSTOP’s network enforcement solutions stop your machines from reaching known malicious sites, such as ransomware download sites or C2 servers, by blocking their domains and IP addresses. By pulling together hundreds of threat intelligence sources, alongside predictive analysis of future threats, ThreatSTOP provides comprehensive, dynamic, and customizable blocklist policies that help keep your network and data secure. ThreatSTOP constantly monitors new attacks and adds their domains and IPs to the blocklists within minutes (including the IOCs from the MOVEit attack).
If you would like to try our demo, click the link below to get started!
Sources: RiskIQ, CISA, Malwarebytes, BleepingComputer, Tenable, MITRE, Kroll, Exploding Topics