{"id":798744,"date":"2021-07-14T14:59:05","date_gmt":"2021-07-14T14:59:05","guid":{"rendered":"https:\/\/telecomlive.in\/web\/2021\/07\/14\/russias-most-aggressive-ransomware-group-disappeared-its-unclear-who-disabled-them\/"},"modified":"2021-07-14T14:59:05","modified_gmt":"2021-07-14T14:59:05","slug":"russias-most-aggressive-ransomware-group-disappeared-its-unclear-who-disabled-them","status":"publish","type":"post","link":"https:\/\/telecomlive.in\/web\/2021\/07\/14\/russias-most-aggressive-ransomware-group-disappeared-its-unclear-who-disabled-them\/","title":{"rendered":"Russia\u2019s most aggressive ransomware group disappeared. It\u2019s unclear who disabled them."},"content":{"rendered":"<p>Just days after President Joe Biden demanded that President Vladimir Putin of Russia shut down ransomware groups attacking American targets, the most aggressive of the groups suddenly went offline early Tuesday.<\/p>\n<p>The mystery is who made it happen.<\/p>\n<p>The group, called REvil, short for \u201cRansomware evil,\u201d has been identified by U.S. intelligence agencies as responsible for the attack on one of America\u2019s largest beef producers, JBS. Two weeks after Biden and Putin met in Geneva last month, REvil took credit for a hack that affected thousands of businesses around the world over the July 4 holiday.<\/p>\n<p>That latest attack led to Biden\u2019s ultimatum in a phone call Friday to the Russian president. Later, Biden said that \u201cwe expect them to act,\u201d and when asked by a reporter later if he would take down the group\u2019s servers if Putin did not, the president simply said, \u201cYes.\u201d<\/p>\n<p>He may have done exactly that.<\/p>\n<p>But that is only one possible explanation for what happened around 1 a.m. 
Eastern time Tuesday, when the group\u2019s sites on the dark web suddenly disappeared.<\/p>\n<p>Gone was the publicly available \u201chappy blog\u201d the group maintained, listing some of its victims and the group\u2019s earnings from its digital extortion schemes. Internet security groups said the custom-made sites \u2014 think of them as virtual conference rooms \u2014 where victims negotiated with REvil over how much ransom they would pay to get their data unlocked also disappeared. So did the infrastructure for making payments.<\/p>\n<p>While the disappearance of the hackers\u2019 online presence was celebrated by many who see ransomware as a new scourge \u2014 one Biden has called a critical national security threat \u2014 it left some of the group\u2019s targets in the lurch, unable to pay the ransom to get their data back and get their businesses running again.<\/p>\n<p>\u201cWhat\u2019s the plan for the victims?\u201d asked Kurtis Minder, CEO of GroupSense, a digital risk protection company that was negotiating with the extortionists on behalf of a law firm whose data was locked up.<\/p>\n<p>There were three main theories about why REvil \u2014 which seemed to revel in the publicity and reaped huge ransoms, including $11 million from JBS \u2014 suddenly disappeared.<\/p>\n<p>One is that Biden ordered the U.S. Cyber Command, working with domestic law enforcement agencies, including the FBI, to bring the group\u2019s sites down. Cyber Command proved last year that it could do just that, paralyzing a ransomware group it feared might turn its skills to freezing up voter registrations or other election data in the 2020 election.<\/p>\n<p>The second theory is that Putin ordered the group\u2019s sites taken down. If so, that would be a gesture toward heeding Biden\u2019s warning, which he had also conveyed, in more general terms, when the two leaders met June 16 in Geneva. 
And it would come just a day or two before a U.S.-Russia working group on the issue, set up during the Geneva meeting, is supposed to hold a virtual meeting.<\/p>\n<p>A third theory is that REvil decided that the heat was too intense, and took the sites down itself to avoid becoming caught in the crossfire between the U.S. and Russian presidents. That is what another Russian-based group, DarkSide, did after the ransomware attack on Colonial Pipeline, the U.S. company that in May had to shut down the pipeline that provides gasoline and jet fuel to much of the East Coast after its computer network was breached.<\/p>\n<p>But many experts think that DarkSide\u2019s going-out-of-business move was nothing but digital theater, and that all of the group\u2019s key ransomware talent will reassemble under a different name. If so, the same could happen with REvil, which Recorded Future, a Massachusetts cybersecurity firm, estimates has been responsible for roughly one-quarter of all the sophisticated ransomware attacks on Western targets.<\/p>\n<p>Allan Liska, a senior intelligence analyst at Recorded Future, said that if REvil has disappeared, he doubted it was voluntary. \u201cIf anything, these guys are braggadocios,\u201d Liska said. \u201cAnd we didn\u2019t see any notes, any bragging. It sure feels like they abandoned everything under pressure.\u201d<\/p>\n<p>There were suggestions that the pressure may have come from Russia. The commander of U.S. Cyber Command and director of the National Security Agency, Gen. Paul Nakasone, was not expected to get the full options for U.S. action against ransomware actors until later this week, several officials said. 
And there was no evidence that REvil\u2019s sites had been \u201cseized\u201d by a court order, which the Justice Department frequently posts.<\/p>\n<p>Cyber Command declined to comment.<\/p>\n<p>While shutting REvil down for now would give Putin and Biden a chance to show they were confronting the problem, it could also give the ransomware actors an opportunity to walk away with their winnings. The big losers would be the companies and towns that do not get their encryption keys, and are locked out of their data, perhaps forever. (Often when ransomware groups disband, they publish their decryption keys. That did not happen Tuesday.)<\/p>\n<p>Biden is expected to roll out a ransomware strategy in coming weeks, making the case that Colonial Pipeline and other recent attacks show how crippling critical infrastructure constitutes a major national security threat.<\/p>\n<p>\u201cAnd it\u2019s also why we\u2019re elevating ransomware in our engagements with Russia,\u201d said Secretary of State Antony Blinken. \u201cOur message is clear: Countries that harbor cybercriminals have a responsibility to take action. If they don\u2019t, we will.\u201d<\/p>\n<p>The plan is expected to be full of incentives for companies and local governments to improve their basic defenses. 
For example, insurance companies that write cyberinsurance policies, which pay victims of attacks, could insist that customers meet higher security standards before the policies are issued.<\/p>\n<p>But Biden, having repeatedly warned that he will strike back at Russian \u201cbad actors\u201d who threaten American security, may also soon have to demonstrate that he plans on enforcing his red line \u2014 if not against REvil, then against its successors and competitors.<\/p>\n<p>\u201cThis is a problem for Biden because in cyber, there\u2019s a temptation to be stealthy and send your message in a very quiet, targeted way, but now, having made the threat, he has to say to the American public and the world, \u2018This is what we did,\u2019 \u201d said Paul Rosenzweig, a scholar at the free market advocacy group R Street Institute and a member of the American Bar Association\u2019s Cybersecurity Legal Task Force.<\/p>\n<p>\u201cAnd some of the most important effects are very hard to do in public,\u201d he added, because they can risk revealing American capabilities.<\/p>\n<p>In an article in Lawfare published just before REvil\u2019s unexplained disappearance, Jack Goldsmith, a Harvard law professor who writes frequently on cybersecurity issues, got at a central problem: While the United States has threatened Russia with \u201cconsequences\u201d for both state-sponsored attacks and criminal ransomware, the penalties have been light.<\/p>\n<p>\u201cThis talk has persisted even as adverse cyberoperations have grown more frequent and damaging,\u201d he wrote. 
\u201cIt is ineffective and, in the aggregate, self-defeating.\u201d<\/p>\n<p>So it was unsurprising that just as REvil closed down, or at least took a holiday, SolarWinds, the company at the center of a highly sophisticated hack that became public during Biden\u2019s presidential transition, announced that it had been hacked anew.<\/p>\n<p>The new incident did not appear anywhere near as far-reaching as the original SolarWinds intrusion, which U.S. intelligence says was the work of the SVR, Russia\u2019s most savvy spying agency. It was unclear if Russia was part of the second hack, too.<\/p>\n<p>But it was only a few months ago that Biden placed sanctions on Russian officials and agencies for the damage done by the first SolarWinds hack, which got into network management software that the company sells to government agencies and most major companies in the United States. Once inside the updates to that software, the SVR had access to vast troves of government and corporate data. It chose only about 150 targets out of nearly 18,000 that downloaded the software.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Just days after President Joe Biden demanded that President Vladimir Putin of Russia shut down ransomware groups attacking American targets, the most aggressive of the groups suddenly went offline early Tuesday. The mystery is who made it happen. The group, called REvil, short for \u201cRansomware evil,\u201d has been identified by U.S. intelligence agencies as responsible for the attack on one of America\u2019s largest beef producers, JBS. Two weeks after Biden and Putin met in Geneva last month, REvil took credit for a hack that affected thousands of businesses around the world over the July 4 holiday. 
That latest attack led [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[7],"tags":[],"class_list":["post-798744","post","type-post","status-publish","format-standard","hentry","category-it-2"],"acf":[],"_links":{"self":[{"href":"https:\/\/telecomlive.in\/web\/wp-json\/wp\/v2\/posts\/798744","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/telecomlive.in\/web\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/telecomlive.in\/web\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/telecomlive.in\/web\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/telecomlive.in\/web\/wp-json\/wp\/v2\/comments?post=798744"}],"version-history":[{"count":0,"href":"https:\/\/telecomlive.in\/web\/wp-json\/wp\/v2\/posts\/798744\/revisions"}],"wp:attachment":[{"href":"https:\/\/telecomlive.in\/web\/wp-json\/wp\/v2\/media?parent=798744"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/telecomlive.in\/web\/wp-json\/wp\/v2\/categories?post=798744"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/telecomlive.in\/web\/wp-json\/wp\/v2\/tags?post=798744"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}