Euro Security Watch with Mathew J. Schwartz

Critical Infrastructure Security , Cybercrime , Cybercrime as-a-service

Forget Hacking Back: Just Waste Ransomware Gangs' Time

Time Is Money for Criminals; Some Profits Susceptible to DDoS and Other Disruptions
Forget Hacking Back: Just Waste Ransomware Gangs' Time
Members of a top Russian cybercrime forum discuss the recent LockBit 2.0 disruption (Source: IntSights; partially redacted)

You know the people who will chat away endlessly to an obvious telephone scammer, trying to spin things out to the point where they've demonstrably wasted the fraudster's time, thus denting their illicit earnings?

See Also: Realities of Choosing a Response Provider

Imagine taking that disruption model and tasking military hacking teams to do the same - only to ransomware gangs, cybercrime markets and other criminals operating online.

After months of discussion over how governments should respond, might this be a strategy now getting wielded by Western governments as they attempt to more directly disrupt ransomware-wielding attackers and other types of cybercrime?

So-called hacking back typically refers to attempting to remotely access systems and crash them, perhaps after having spied on users first to gather intelligence. Doing so has historically been ethically fraught, as well as a legal minefield, especially for private businesses, since they can be charged with computer crime. The risk that attackers might have planted false flags, or that innocent bystanders are affected inadvertently, remains significant (see: Ransomware: Should Governments Hack Cybercrime Cartels?).

But the U.S. government and some allies appear now to have pulled off the gloves. Reuters recently reported that a coalition of Western governments has been actively targeting cybercrime operations. "The FBI, in conjunction with Cyber Command, the Secret Service and like-minded countries, have truly engaged in significant disruptive actions against these groups," Tom Kellermann, head of cybersecurity strategy for VMWare and also a cybercrime investigations adviser to the U.S. Secret Service, told Reuters.

We've seen this before as a response against nation-state election interference, when U.S. Cyber Command was used to disrupt Russia's Internet Research Agency troll farm ahead of the 2018 U.S. midterm elections.

But the Reuters report is light on detail. Just because government hacking teams have been authorized to do this, what exactly have they been doing? Also, does it have anything to do with the recent outage of the notorious REvil, aka Sodinokibi, ransomware operation? And if so, why hasn't the Pentagon or Department of Justice said so?

"Historically, you've always seen a splash screen" announcing a takedown and legal basis for doing so, after governments or law enforcement agencies take down a site, says John Fokker, principal engineer and head of cyber investigations for the Advanced Threat Research team at McAfee Enterprise.

In the case of REvil, furthermore, after the operation's Tor-based sites went offline in July, and before they returned in September, REvil racked up more victims, which got listed after its return. Legally speaking, if police had access to or control of the site, "that is not something that the police can actually allow," Fokker tells me.

Criminals Blame Governments

Regardless, criminals apparently do think governments have been messing with their operations, and they are - wait for it - outraged.

Babuk spinoff Groove, for one, issued a statement calling on all ransomware groups "to stop competing" and to "unite and start to destroy the state sector of the United States."

Conti, meanwhile, pursued Socratic questioning of the amateur attorney variety. "Is there a law, even an American one, even a local one in any county of any of the 50 states, that legitimize such indiscriminate offensive action?" the group asks, while admitting that this is a rhetorical question. "Is server hacking suddenly legal in the United States or in any of the U.S. jurisdictions? If yes, please provide us with a link."

To which the law enforcement response must surely be: Just send us your name and contact details and we'll be in touch.

Disruptions: Bad for Business

Criminal chatter suggests that multiple operations are being disrupted, although it seems impossible yet to say who might be doing the disrupting, at least in many cases.

Others are more clear-cut. New Zealand security firm Emsisoft, for example, says that until recently, it was able to secretly help victims of DarkSide and its spinoff BlackMatter decrypt files without having to pay attackers for a decryptor, thanks to a flaw in the ransomware.

There are other ways to hit attackers where it hurts too. For example, many ransomware operations use so-called double extortion shake down victims, by listing anyone who won't pay a ransom on their dedicated data leak site, and leaking samples of data, all to try and force them to pay. If a victim does want to pay, typically they'll go to the ransomware operation's payment portal to send the funds and download a decryptor.

But if attackers can't list victims, and victims can't pay via a payment portal, this can take a bite out of criminals' profits, at least in some cases.

Outages Hit LockBit and Marketo

Not all ransomware groups use data leak sites or run payment portals. Rather, some leave a ransom note on encrypted PCs or servers with an email address and bitcoin wallet for receiving funds. But for groups that do rely on sites and portals, disruption remains a threat. And threat intelligence company IntSights, which is part of security firm Rapid7, says it's recently seen two different cases of cybercrime groups being disrupted via distributed denial-of-service attacks.

One case involved LockBit 2.0, which hit a large business in the U.S., stole data and then launched a DDoS attack when the victim failed to pay, after which "the LockBit site went offline for several days," says IntSights' Yotam Katz in a blog post. "When it came back online behind basic authentication - a user password - speculation arose in the hacker community that LockBit were themselves under a DDoS attack." Subsequently, he says, the group's data leak site appeared to be unstable and largely inaccessible for at least several more weeks.

The other case involved Marketo, a cybercrime marketplace for stolen information, which listed an auction for military information stolen from a U.S. state, as the vx-underground malware archive and others reported in August.

"As in the LockBit case, the situation quickly changed when Marketo itself came under a DDoS attack," Katz says. "Marketo blamed the government entity for the attack and vowed to publish the critical data on dozens of public, military oriented forums as well as on Reddit."

Blame the Feds

But Fokker, a former member of the Dutch National High Tech Crime Unit, says of course criminals would blame the FBI or National Security Agency for what may have been an easy disruption that took advantage of some misconfiguration they failed to fix. "GandCrab did it in the past as well," he says, referring to REvil's predecessor. "It's always easy to point to the NSA's supercomputer, because - let's face it - you're among thieves," and they're going to want to save face. "That's what all criminals do. That is what everybody does."

Such bluster likely belies ransomware operators facing the unwelcome prospect of having to rethink their approach, as some are already doing by pursuing not big game hunting, but rather mid game hunting, says ransomware incident response firm Coveware.

The new calculus: If attackers hit a large business or government target in the U.S. or other Western countries, will it result in weeks of DDoS disruption for their operation, eating into profits? And if so, how much downtime can they tolerate before it torpedoes their business?

About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.