Government exposes ransomware gang and threatens action, announces task force and mulls making payment of ransoms to ransomware gangs illegal

November 13, 2022

There are two particular frustrations in working in cybersecurity and writing about it: reading about "developments" that have been known about for years, and the kabuki theatre that governments and agencies engage in, such as claiming to hunt down hackers, which distracts from the more relevant but mundane task of getting organisations and governments to develop and maintain proper data security. The vast majority of data breaches can be linked to some form of human error.

Both are present in the response to the Medibank data breach.

The Government announced that it had uncovered the name of the hackers. The group has been identified as REvil, or a relaunch of it, a gang that operates in the Russian Federation with the knowledge, deniable but real, of its government. This is hardly a banner moment in Australian cyber security and law enforcement. Ransomware gangs are often identified, and usually within short order: they have their own techniques and distinctive malware, and, much like other criminal gangs, a recognisable modus operandi. REvil is so well known that it has its own Wikipedia page. Like many criminal hacker gangs operating in the Russian Federation it operates in a grey area, unofficially tolerated and occasionally used by state authorities in exchange for being left alone. Cyber criminals also operate out of China and the Central Asian states.

The Government has put together a task force to hack the hackers. The Australian Federal Police and the Australian Signals Directorate are combining to identify the hackers and their associates and bring them to justice. While that is an appropriate response, a dose of realism needs to be injected into the story lest hopes are raised too high. Hackers are usually physically beyond the reach of Australian authorities and unlikely to be the subject of successful extradition applications. The Australian Federal Police is engaging with its Russian counterparts about the cyber criminals. That is unlikely to go anywhere.

Engaging in cyber warfare with hackers is difficult because hackers change tactics. Ransomware gangs, for example, are increasingly using their own or stolen code and moving away from the leasing model that made their activities easier to monitor. Until recently hackers leased their malicious software and computing infrastructure to others in what is known as ransomware-as-a-service. That model was used by gangs such as Conti, which shut down Irish health systems, and REvil.

Senator Paterson has called for hackers to be sanctioned. It is another form of political theatre. Magnitsky sanctions add nothing when dealing with hackers. If proceeds of crime can be located, and they are in a country with an apolitical police force and an independent judiciary, such as Canada, the USA and most European states, they can be seized without the need for Magnitsky sanctions.

The payment of a ransom is not illegal. The government is considering making such payments illegal. Discouraging the payment of ransoms is one thing; criminalising it is another. Sometimes payment is the only practical option in the time available, so criminalising the conduct puts a business in a terrible bind. It would be a crime that is difficult to detect, and one that hackers could use to further extort those who have paid: a victim that has paid quietly becomes exposed to the threat of being reported.

That is not to say that successful action can't be taken. A Russian national linked to the LockBit ransomware gang was arrested in Ontario in October. What needs to be remembered is that ransomware is an international problem, as Bleeping Computer makes clear in The Week in Ransomware – November 11th 2022 – LockBit feeling the heat. It relevantly provides:

The big news is the arrest of a Russian LockBit member in Canada, who is said to be responsible for making ransom demands between €5 to €70 million.

Over the past few weeks, a threat actor has been trolling victims by distributing the Azov Ransomware and blaming its creation on cybersecurity researchers and journalists.

Unfortunately, this ransomware was later confirmed to be a data wiper that overwrites alternating ‘666’ bytes of data with garbage, making it impossible to recover data.

Other reports have linked the Black Basta ransomware to FIN7 (Carbanak), warned that Venus ransomware is targeting healthcare, linked the Russian Sandworm hackers with Ukrainian ransomware attacks, and detailed how a threat actor is distributing LockBit through the Amdey botnet.

Finally, we learned more about ransomware attacks this week, with a REvil-linked gang claiming responsibility for Medibank, LockBit hitting the Continental automotive giant, and Black Basta behind Sobeys’ business disruptions.

October 30th 2022

New Azov data wiper tries to frame researchers and BleepingComputer

A new and destructive ‘Azov Ransomware’ data wiper is being heavily distributed through pirated software, key generators, and adware bundles, trying to frame well-known security researchers by claiming they are behind the attack.

November 3rd 2022

Black Basta ransomware gang linked to the FIN7 hacking group

Security researchers at Sentinel Labs have uncovered evidence that links the Black Basta ransomware gang to the financially motivated hacking group FIN7, also known as “Carbanak.”

LockBit ransomware claims attack on Continental automotive giant

The LockBit ransomware gang has claimed responsibility for a cyberattack against the German multinational automotive group Continental.

New STOP ransomware variants

PCrisk found new STOP ransomware variants that append the .bozq and .bowd extensions.

New Anon ransomware

PCrisk found a new ‘Anon_by Ransomware’ that appends the .anon_by and drops a ransom note named anon_by.txt.

November 4th 2022

New inlock ransomware

PCrisk found a new ransomware that appends the .inlock extension and drops a ransom note named READ_IT.txt.

November 7th 2022

Azov Ransomware is a wiper, destroying data 666 bytes at a time

The Azov Ransomware continues to be heavily distributed worldwide, now proven to be a data wiper that intentionally destroys victims’ data and infects other programs.

Ransomware gang threatens to release stolen Medibank data

A ransomware gang that some believe is a relaunch of REvil and others track as BlogXX has claimed responsibility for last month’s ransomware attack against Australian health insurance provider Medibank Private Limited.

New Dharma Ransomware variant

PCrisk found a new Dharma ransomware variant that appends the .bDAT extension.

New STOP ransomware variants

PCrisk found new STOP ransomware variants that append the .zate and .zatp extensions.

New Xorist variant

PCrisk found a new Xorist variant that appends the .CrySpheRe extension and drops a ransom note named ??? ???????????? ?????.txt.

November 8th 2022

LockBit affiliate uses Amadey Bot malware to deploy ransomware

A LockBit 3.0 ransomware affiliate is using phishing emails that install the Amadey Bot to take control of a device and encrypt devices.

November 9th 2022

Medibank warns customers their data was leaked by ransomware gang

Australian health insurance giant Medibank has warned customers that the ransomware group behind last month’s breach has started to leak data stolen from its systems.

November 10th 2022

Russian LockBit ransomware operator arrested in Canada

Europol has announced today the arrest of a Russian national linked to LockBit ransomware attacks targeting critical infrastructure organizations and high-profile companies worldwide.

Russian military hackers linked to ransomware attacks in Ukraine

A series of attacks targeting transportation and logistics organizations in Ukraine and Poland with Prestige ransomware since October have been linked to an elite Russian military cyberespionage group.

U.S. Health Dept warns of Venus ransomware targeting healthcare orgs

The U.S. Department of Health and Human Services (HHS) warned today that Venus ransomware attacks also target the country’s healthcare organizations.

Popular UK motor racing circuit investigating a ransomware attack

One of the most popular motor racing circuits in the United Kingdom is investigating a ransomware attack after a gang added it to its list of victims this week.

November 11th 2022

Canadian food retail giant Sobeys hit by Black Basta ransomware

Grocery stores and pharmacies belonging to Canadian food retail giant Sobeys have been experiencing IT systems issues since last weekend.
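The Azov items in the roundup above describe a wiper dressed up as ransomware that overwrites alternating 666-byte blocks. That detail matters to an incident responder: a file damaged this way has a recognisable signature, can be told apart from a genuinely encrypted file, and the untouched stripes can still be carved even though the file as a whole is lost. The Python below is an added example, not Bleeping Computer's or any researcher's code. It assumes the pattern is "wipe 666 bytes, leave 666 bytes, repeat from the start of the file" (the BLOCK size and the entropy threshold are assumptions), simulates that wipe on constructed sample text, and classifies files by per-block Shannon entropy.

```python
import math
import random

# ASSUMPTION: "alternating 666 bytes" means a 666-byte block is overwritten, the next
# 666-byte block is left intact, and so on from offset 0. Adjust BLOCK if a real sample
# shows a different stride.
BLOCK = 666
HIGH_ENTROPY = 7.0  # bits per byte; random or encrypted data sits near 8, text near 4

# Constructed sample file (not a real record): low-entropy text, exactly six blocks long.
SAMPLE = (b"member_id=000123;name=Jane Citizen;claim=dental;\n" * 100)[:BLOCK * 6]


def shannon_entropy(data: bytes) -> float:
    """Plug-in Shannon entropy in bits per byte of the given buffer."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def simulate_azov_wipe(data: bytes, block: int = BLOCK, seed: int = 1) -> bytes:
    """Simulate the assumed wipe pattern: every other block replaced with random bytes.
    A seeded PRNG is used only so the example is reproducible; a real wiper is not."""
    rng = random.Random(seed)
    out = bytearray(data)
    for start in range(0, len(out), 2 * block):
        end = min(start + block, len(out))
        out[start:end] = rng.randbytes(end - start)
    return bytes(out)


def block_entropies(data: bytes, block: int = BLOCK) -> list:
    """Entropy of each full block; a short trailing block is ignored."""
    return [shannon_entropy(data[i:i + block])
            for i in range(0, len(data) - block + 1, block)]


def classify_damage(data: bytes, block: int = BLOCK, high: float = HIGH_ENTROPY) -> str:
    """Triage verdict for a file found after an attack:
         'intact'           no high-entropy block
         'full'             every block high entropy (encrypted, or fully wiped)
         'alternating_wipe' high and low entropy blocks strictly alternate (Azov-style)
         'unknown'          too short, or any other mix"""
    hi = [e >= high for e in block_entropies(data, block)]
    if len(hi) < 2:
        return "unknown"
    if all(hi):
        return "full"
    if not any(hi):
        return "intact"
    if all(hi[i] != hi[i + 1] for i in range(len(hi) - 1)):
        return "alternating_wipe"
    return "unknown"


def carve_intact_stripes(data: bytes, block: int = BLOCK, high: float = HIGH_ENTROPY) -> bytes:
    """Concatenate the full blocks that were not overwritten. The file is unrecoverable as
    a whole, but in an alternating wipe half of its bytes survive; a short tail is dropped."""
    keep = [data[i:i + block] for i in range(0, len(data) - block + 1, block)
            if shannon_entropy(data[i:i + block]) < high]
    return b"".join(keep)


if __name__ == "__main__":
    wiped = simulate_azov_wipe(SAMPLE)
    print("original:", classify_damage(SAMPLE))
    print("after wipe:", classify_damage(wiped))
    print(len(carve_intact_stripes(wiped)), "of", len(wiped), "bytes survive")
```

Run it on a directory of suspect files and the verdict separates three cases that a ransom note alone does not: files that are merely encrypted (a key might one day exist), files wiped in the alternating pattern (carve the surviving stripes now), and files untouched. The entropy threshold is a heuristic; already-compressed or encrypted inputs such as ZIP archives will read as "full" whether or not they were attacked, so confirm against a known-good copy where one exists.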

Also in the last week, a ransomware group offered to sell files stolen from German car parts manufacturer Continental for $50 million, and data on pupils at a Hereford school was leaked after an attack by Vice Society.

The AFP Commissioner made the following statement:

I will make a short statement about the Medibank Private data breach but I will not take any questions because this is a very complex and serious ongoing investigation.

But I do want to address Australians today and give as much information as I can without putting at risk the criminal investigation.

I know Australians are angry, distressed and seeking answers about the highly-sensitive and deeply personal information that is being released by criminals who breached Medibank Private's database.

This is a crime that has the potential to impact on millions of Australians and damage a significant Australian business.

This cyber attack is an unacceptable attack on Australia and it deserves a response that matches the malicious and far-reaching consequences that this crime is causing.

The AFP is undertaking covert measures and working around the clock with our domestic agencies and our international networks, including INTERPOL.

This is important because we believe that those responsible for the breach are in Russia.

Our intelligence points to a group of loosely affiliated cyber criminals, who are likely responsible for past significant breaches in countries across the world.

These cyber criminals are operating like a business with affiliates and associates, who are supporting the business.

We also believe some affiliates may be in other countries.

Everyone involved in this attack is a focus of the ongoing investigation through the AFP-led Operation Pallidus.

We believe we know which individuals are responsible but I will not be naming them.

What I will say is that we will be holding talks with Russian law enforcement about these individuals.

The AFP is responsible for the Australian INTERPOL National Central Bureau, which has direct contact with National Central Bureau Moscow.

INTERPOL National Central Bureaus cooperate on cross-border investigations, operations and arrests.

To take investigations beyond national borders, they can seek cooperation from any other National Central Bureau.

It is important to note that Russia benefits from the intelligence-sharing and data shared through INTERPOL, and with that comes responsibilities and accountability.

I have a number of messages today.

To the Australian public: The AFP and our partners are not going to give up in bringing those responsible to justice.

Investigators under Operation Guardian are also scouring the internet and dark web to identify people who are accessing this personal information and trying to profit from it.

To the criminals: We know who you are, and moreover, the AFP has some significant runs on the scoreboard when it comes to bringing overseas offenders back to Australia to face the justice system.

To the media and social media: I know you will do the right thing and continue to assist us in protecting the community by not aiding these criminals by posting or publishing this sensitive information.

This is a time for all Australians – the community, business and law enforcement – to stand together and refuse to give these criminals the notoriety they seek.

Can I make a plea to business: Ensure your systems are protected.

Cybercrime is the break and enter of the 21st Century and personal information is being used as currency.

Finally, I want to reiterate that Australian Government policy does not condone paying ransoms to cyber criminals.

Any ransom payment, small or large, fuels the cybercrime business model, putting other Australians at risk.
