Can police put a dent in cybercrime ransom figures as they ‘hack back’?
Cybercrime can seem faceless with the perpetrators being almost invisible and acting with impunity. That is a dispiriting thought, but the situation isn’t quite as dismal as that, as evidenced by law enforcement hobbling several high profile digital crime gangs in recent months.
On the more traditional malware side, the final chapter in the disruption (as the police and cyber spooks like to call it) of the Trickbot Trojan Horse gang which started in 2020 may have been written.
In January this year, Russian Trickbot developer Vladimir Dunaev copped a five-year and four-month prison sentence in the United States, having been extradited from South Korea in 2021.
Another Trickbot developer, Latvian Alla Witte, was handed a two-year eight-month sentence in June last year. That matters because Trickbot was a real threat, and was used to deploy the Ryuk ransomware. It was serious enough that the US Department of Defence felt the need to tackle it.
Patience is required when it comes to dealing with cyber criminals. One of the US Federal Bureau of Investigation’s most wanted criminals, Ukrainian Vyacheslav Penchukov, pleaded guilty in February to deploying the Zeus malware.
Zeus has caused millions of dollars in damages and has been around since 2007, with the authorities trying to stamp out its use since 2014.
Going through the US Department of Justice announcements since December 2023 on cybercrime takedowns, you can’t help noticing that a large number of cryptocurrency cases are mentioned.
Like the alleged US$1.9 billion (NZ$3.1b) HyperFund/HyperVerse fraud case in which charges were laid against Australian Sam Lee along with two Americans, “Bitcoin Rodney” Burton and Brenda “Bitcoin Beautee” Chunga, who promoted the scheme. Chunga has pleaded guilty already.
It’s possibly not related, but given how prominent cryptocurrency is in the ransomware business, it’s not beyond the realm of imagination that what the cops have learnt when tracking fraudsters in that field has been put to good use against other cyber criminals.
Two big ransomware gangs look like they got a deserved kicking recently as well. The first, ALPHV or BlackCat, was thought to be the second-most prolific ransomware-as-a-service operation currently running; it has been active since 2021 and has brought in millions of dollars in extortion money.
ALPHV/BlackCat hit MGM Resorts, healthcare organisations and government agencies, and the FBI said it had managed to seize some of the gang’s infrastructure in December last year. There’s more to come, as the gang leaders are yet to be identified and charged.
An even bigger win for law enforcement was against the LockBit gang, announced this month. LockBit is another ransomware for rent, with affiliates buying access and being behind the attacks.
It is the most prolific ransomware, responsible for something like 44 per cent of recorded attacks in 2023, bringing in well over $100 million from victims desperate to get access to their data.
This time, UK and European police forces infiltrated the LockBit operation and were able to identify and charge several of the criminals. Three people have been arrested, and two Russians named are still at large.
Better yet, police got hold of the LockBit source code along with decryption keys, which could be used to unscramble attack victims’ files.
Plenty of LockBit infrastructure was seized, along with 2200 Bitcoin worth something like NZ$183 million.
As a reminder that paying a ransom guarantees nothing, police discovered that LockBit didn’t delete the data it had exfiltrated with the StealBit application, despite promises to do so.
Apart from patience and diligent intelligence gathering, law enforcement is “hacking back” against criminals through greater collaboration and information sharing which is now becoming formalised.
For example, the US and Australia agreed to provide access for authorities in both countries to “electronic data for the purpose of countering serious crime” in 2021. The agreement came into effect at the end of January this year, and Australia has a mandatory data retention regime for service providers.
Cyber criminals have limits in that respect. Security researchers have found that there is collaboration, with the same developers involved in several different ransomware families, but the saying “no honour among thieves” applies.
Even so, ransomware payments shot up to a record US$1.1b last year, and are trending upwards, cryptocurrency tracking firm Chainalysis said.
We’ll see if the more aggressive approach by the police puts a dent in that figure this year.