An incident occurs. Law enforcement is investigating. A perpetrator is identified, arrested and prosecuted.
This is how we usually think when we tackle a crime. But as some ransomware victims may now discover, this process is much more complicated when the criminal is on another continent and the crime is virtual.
A spate of ransomware attacks over the past few months has compromised critical infrastructure and disrupted daily life in the US and around the world, with a massive attack on software provider Kaseya last week potentially affecting more than 1,000 companies around the world. Cyber ââresearchers say the attack was carried out by REvil, a group suspected of having ties to Russia that also hit meat processing company JBS Foods, Apple supplier Quanta Computer in April and electronics maker Acer in March last month.
And it’s not just REvil. Hackers with connections to Russia are believed to be behind the high-profile attacks on SolarWinds and Colonial Pipeline. In addition, recent ransomware attacks on Microsoft and the VPN company PulseSecure have been linked to hackers in China.
Ransomware gangs have debited millions in payments over the past few months, and REvil is now demanding $ 70 million for a decryption tool after its attack on Kaseya. US authorities generally discourage companies from paying ransom, as doing so only encourages cyber criminals.
Bringing them to justice, however, is a more complex process that involves a network of local, federal and even international authorities. The process can take years without any guarantee of a successful result. And during this time, the number of ransomware attacks continues to increase.
Prominent hacking groups like REvil are often quick to gain public credit for their attacks, but tracing the real people behind these groups and their whereabouts can be incredibly difficult.
Cyber ââsecurity experts recommend that affected organizations contact local law enforcement and the FBI. Other federal agencies such as the Department of Homeland Security and the US Computer Emergency Readiness Team are often involved in the process at an early stage.
In April, the US Department of Justice launched a ransomware task force after an agency memo called it the worst year ever for this type of cyberattack. The aim is to bundle the efforts of the entire federal government to pursue and prevent ransomware attackers.
“The hacking groups are part of organized criminal rings and often work decentralized and decentralized,” Beenu Arora, co-founder and CEO of cybersecurity firm Cyble, told CNN Business. âThese actors often use intermediaries to communicate with each other,â he added.
The private companies most likely to fall victim to these ransomware attacks can be blind to “who actually attacked them,” because of the sophisticated nature of the attackers, according to Anup Ghosh, CEO of Fidelis Cybersecurity and former Department of Defense researcher.
“Unlike a physical attack that can be identified, it’s very difficult to make a secure association in cyberspace,” he said.
If the ransomware attackers are based in another country, as is often the case, US officials have to pursue international cooperation and diplomacy, which can further slow down and complicate the law enforcement process.
“The biggest challenge in bringing international hacking groups to justice is having to conduct overseas operations with additional bureaucracy from our international colleagues,” said Bret Fund, director of cybersecurity at Flatiron School. “This also includes less access to local resources to investigate, gather information and support cross-border law enforcement.”
As if that wasn’t enough, some countries are also using cybercriminal access as a diplomatic negotiation tool, said Bryan Hornung, CEO of cybersecurity company Xact IT Solutions.
“Russia sees cyberattacks … as a way of sowing discord and giving the US and democracy a black eye,” said Hornung, referring to Russia’s declared willingness to only extradite criminals if the US reciprocates.
The code behind the REvil attack was written to avoid Russian or related languages, according to a report from cybersecurity firm Trustwave SpiderLabs, obtained from NBC News. The company said this was likely designed to avoid conflicting local enforcement in the countries it operates in.
The Biden government is stepping up efforts to finalize a government-wide strategy to respond to ransomware attacks, with the National Security Council having been working for the past few days to coordinate a plan of action, officials and experts involved in the discussions said. Another meeting on the matter is expected to take place next week between US and Russian officials, White House press secretary Jen Psaki said on Wednesday.
President Joe Biden confronted Russian President Vladimir Putin with the scourge of ransomware attacks during a summit meeting in Geneva last month, a meeting he referred to again over the weekend shortly after the Kaseya attack.
“[If] it is either with the knowledge of and / or the consequences of Russia, then I told Putin that we will react, “the president said on Saturday.
After the attacker or hacking group has been located abroad and prosecuted – often with the help of law enforcement agencies like Interpol and Europol – the next challenge is to get them back into the US judiciary.
The United States has extradition treaties with more than 100 countries, but there are dozens more, including Russia and China, that don’t. In these cases, the US authorities often wait for the hackers to travel to a friendlier country to capture and extradite them – as was the case with Russian hackers Aleksei Burkov (from Israel) in 2019 and Yevgeniy Nikulin (from the Czech Republic) was the case in 2018. (Burkov pleaded guilty to him on multiple occasions and was sentenced to nine years in prison last June for running websites selling stolen data. Nikulin was sentenced to more than seven years in prison a few months later for joining companies like LinkedIn and Hacked Dropbox.)
These extraditions can often take years, with US authorities having little control over the process and timing. Both Burkov and Nikulin, for example, were convicted more than five years after the alleged first crime. In Burkov’s case, the extradition process alone lasted nearly four years.]
“The United States is working with foreign authorities to locate wanted people and then request extradition,” the Justice Department said on its website. “However, the extradition case is being handled by the foreign authorities in the foreign courts. Once the extradition request is filed with the foreign government, the United States has no control over the process.”
As the United States and other countries push for cooperation on cybersecurity issues, coordinating these responses becomes a race against time as new ransomware attacks continue to happen on a weekly, if not daily, basis.
“Think of this as more organized crime and the kind of task force you’ve seen against organized crime in the past,” Ghosh said. “It takes a long time to really map these criminal gangs, understand their heads and bring them down, and it requires the cooperation of other countries, so these are longer schedules.”