US President Biden has launched a ‘rapid strategic review’ to address the global threat of ransomware, following yet another high-profile ransomware attack. Last Sunday, Brazil-owned meat company JBS shut down operations in Australia, Canada and the US following the attack, which the FBI has since attributed to ransomware gang REvil. “Combating ransomware is a priority for the administration,” a White House spokesperson told reporters following the attack.
The strategic review follows mounting pressure on the Biden administration to tackle cybersecurity in general and ransomware in particular, says Esther Naylor, research analyst in the International Security Programme at Chatham House.
The review comprises four “lines of effort”, the spokesperson said. “One, distribution of ransomware infrastructure and actors working closely with the private sector; two, building an international coalition to hold countries who harbour ransom actors accountable; expanding cryptocurrency analysis to find and pursue criminal transactions; and reviewing the [US government’s] ransomware policies.”
Biden’s ransomware crackdown on Russia
With respect to holding countries accountable, the spokesperson made special mention of Russia. The White House is “engaging directly with the Russian government on this matter, and delivering the message that responsible states do not harbour ransomware criminals,” they said.
Although ransomware attacks are typically perpetrated by loosely affiliated groups of hackers and criminals, there is evidence to suggest that many of the most prolific ‘ransomware-as-a-service’ offerings are based in Russia.
The Russian government rarely pursues cybercriminal cases against its own citizens unless a domestic company or citizen is affected. As a result, Russian groups typically ensure their services are not used to attack Russian targets. “Ensuring that no affiliates can produce victims in their own countries is the easiest way for these criminals to stay off the radar of domestic law enforcement agencies,” security analyst Brian Krebs wrote recently.
Analysis by security company Digital Shadows reveals that seven out of the ten most prolific groups have never hit a Russian target.
“It is an increasing problem that cybercriminals are allowed to keep operating within a country like Russia with apparently no significant enforcement and sanctions,” says John Morris, senior fellow at Washington think tank Brookings Institution. “Certainly in the US, our law enforcement is vigorously trying to stop cybercriminals, but the world as a whole needs to have much more of a collective agreement that nations should not be harbouring this type of private cybercriminal.”
One aspect of US ransomware policy that may come under review is that the government “does not encourage the payment of ransomware with regards to its own systems, but it does not expressly prohibit it,” says Naylor. There have been calls to ban ransomware payments, as well as ransomware insurance services, including from the former head of the UK’s National Cyber Security Centre.
This rapid strategic review follows an executive order by the president in May. The executive order focused primarily on the US government’s own cybersecurity practices, explains Naylor, and was signed in response to the SolarWinds hack, in which numerous government agencies were compromised.
The US Department of the Treasury attributed that hack to the Russian government itself, and imposed new sanctions against Russian intelligence agencies and companies believed to support the cyberattacks. By contrast, the current spate of ransomware attacks is believed to be perpetrated by criminals seeking financial gain, and therefore requires different policy actions.
But the onslaught of attacks cannot be resolved through policy alone, says Morris. “I don’t think there is a simple or reasonably clear policy change that will make this problem go away,” he continues. “I think this problem is going to be one that our entire country and our entire world is struggling with for the next couple of years.”
How did JBS get hacked?
Specific details of the JBS attack have yet to be revealed, but the Sodinokibi/REvil malware strain is well documented. According to IBM Security X-Force, it accounted for 22% of ransomware attacks in 2020 and generated revenue of at least $123m. A 2019 article by cybersecurity provider SecureWorks says the malware exploits a vulnerability in the way Windows elevates user privileges. The malware is associated with various delivery methods, including malicious spam campaigns and remote desktop protocol (RDP) attacks.