A cross-border ransomware sting led by Europol saw 12 high-level cybercriminals detained and their assets seized. The dozen are thought to have been involved in attacks that targeted critical infrastructure affecting 1,800 victims in 74 countries. The arrests are the latest in a string of raids which have seen ransomware criminals detained, and show the progress that is possible with private and public sector cooperation across borders, experts say.
More than $52,000 in cash was seized in the raids on properties in Switzerland and Ukraine last week, as well as five luxury vehicles and numerous electronics, which are currently being forensically examined.
The multi-national swoop was made up of 50 foreign investigators and ten national law enforcement entities – including the UK’s National Crime Agency (NCA), the FBI and the European Cybercrime Centre (EC3). The framework for the different agencies to work together was provided by the European Multidisciplinary Platform Against Criminal Threats (EMPACT), a security initiative driven by EU member states.
This year has already seen threat actors from ransomware gangs such as Clop and REvil arrested for their online infringements, according to the 2021 ENISA Threat Landscape Report. The arrests could deter less experienced cybercriminals, who do not have the resources to evade international law enforcement, from mounting attacks, but the cooperation of other nations such as Russia and China is still needed to turn the tide against the ransomware threat.
Cross-border ransomware threat needs cross-border law enforcement
The cross-border cooperation is an indicator that synchronised efforts on the part of governments and the private sector are necessary to deter Ransomware-as-a-Service (RaaS) gangs and the criminals they rent their malware to. Ransomware operators are able to play the system by moving their operations to jurisdictions with lenient or lax legislation on cybercrime, states a report released by the World Economic Forum earlier this year. “International data-sharing regulations must support collaboration across global borders,” the authors conclude. “Only through such a coordinated approach can we hope to turn the tide of these attacks.”
Before the international mobilisation seen this year, corporations were often left to defend themselves against the ransomware threat, says Max Heinemeyer, director of threat hunting at cybersecurity company Darktrace. “It has been a one-sided battle that really needed a multi-sided approach,” he says.
Governments and the private sector pooling knowledge and resources makes it more likely that high-level threat actors can be apprehended, which will interrupt their operations while deterring lower-level cybercriminals with fewer resources, Heinemeyer argues. “This is one of the best ways of deterring adversaries,” he says. “It’s important to show the attackers they can be brought to justice. The ones we hear about are the ‘top-notch’ gangs but there are so many more.”
While high-profile attacks with big ransoms make headlines, less well-known cybercriminals can make as much as $10,000 a time by targeting medium-sized enterprises, says Heinemeyer. “This is such an easy game for them,” he adds. “If these big RaaS gangs can be brought to justice, that sends a powerful message to smaller gangs and other opportunistic attackers.” These criminals will have fewer resources and a more limited skill set, and as such may not have the ability to outsmart an internationally coordinated ransomware bust.
More countries must engage to beat ransomware outright
While many countries have engaged in the intercontinental fight against ransomware, some remain uncooperative. Termed “shelter nations”, countries such as Russia and China appear to be failing to penalise ransomware activity on their soil, thereby perpetuating the global ransomware threat. On Russia, FBI Deputy Director Paul Abbate told a summit last month: “Based on what we’ve seen, I would say there is no indication that the Russian government has taken action to crack down on ransomware actors that are operating in the permissive environment that they have created there.”
This issue is geopolitical and must be handled by governments as such, argues Sam Curry, chief security officer at security company Cybereason. “Some of the ‘shelter nations’ need to be brought into the community, which is more about international relations and diplomacy than about the ability to do so,” he says. “We collaborate, for instance, quite effectively on terrorism with some countries like Russia, but then mysteriously not on something like cyber.” Until this situation changes, ransomware operators will continue to have the upper hand as they can play the system by moving their operations to jurisdictions with lenient or lax legislation on cybercrime, Curry adds.
Arrests are not enough to deter the entire ransomware threat
Though the number of ransomware criminals brought to justice is increasing, the number of attacks has gone up too. Figures released by security company SonicWall this month show that the third quarter of 2021 saw 190.4 million ransomware attempts and a 148% surge in global ransomware attacks (470 million) this year to date. Arrests such as the 12 carried out last week may delay or even deter some potential attacks, says Curry. But, he adds: “In the long run, it will drive them deeper underground and to the jurisdictions that enable and shelter this behaviour.”