In the fight against ransom threats, American efforts continue


US and UK officials announced last week that they had imposed sanctions on seven Russian citizens linked to Russian military intelligence. These citizens were involved in the execution of ransom attacks and operated within the notorious TrickBot, Ryuk, and Conti groups.

A couple of weeks ago, the FBI announced that they had managed to penetrate the Hive ransomware group. Hospitals, schools, financial companies, and critical infrastructure were among the victims of this ransomware group, which affected more than 1,500 victims in 80 countries.

Since July 2022, the FBI has operated within the group’s networks and uncovered over 300 encryption keys that they have offered to the group’s victims. In this way, the victims were able to avoid paying a $130 million ransom. Additionally, the FBI gained access to the group’s website servers through cooperation with security agencies in Germany and the Netherlands. As a result, it took control of the group’s ability to attack and blackmail its victims.

Moreover, the FBI shut down the group’s leak site, which published embarrassing information about victims who refused to pay.

The group operated on a ransomware-as-a-service (RaaS) model, in which criminals and ransomware developers provide attack services. With this model, more hostile groups can operate in the space and use these services.

Hive members operated in a double-extortion model where they stole the victim’s sensitive information before encrypting it and then demanded ransom – both for not publishing the info and for getting the encryption keys.

As part of its efforts to deal with the threat, the US led an international coalition to combat ransomware attacks. This coalition brought together 36 countries, including Israel, along with the European Union and the private sector. The purpose was to discuss and develop concrete actions to deal with widespread extortion attacks around the world.

Recently, the international task force, which was formed after the meeting, started working. The goal is to share information and intelligence and create ways to deal with the threat together. It is understood that this is a broad threat affecting many countries. The task force does not include Russia, Iran, or China.

Since the ransom attack on the Colonial Pipeline that damaged the supply of oil and gas to the US East Coast, the US government has viewed ransom attacks as a threat relevant to US national and international security, not something the attacked company has to deal with on its own.

A joint effort to impose sanctions, identify the members of the groups, and damage their infrastructure is beginning to bear fruit: the number of extortion attacks decreased by about 5%, from 2,667 in 2021 to 2,531 in 2022.

While there has been a decrease, it is too early to determine whether this is a trend that will last. For now, it seems that the attacker has the advantage, so only time will tell…
