Canada is again one of more than two dozen countries meeting in Washington to discuss international co-operation on fighting ransomware.
Dubbed the Counter Ransomware Initiative, it is the second closed-door two-day summit on ransomware convened by the United States, but this time representatives of IT companies will be there as well. They include Microsoft, Crowdstrike, Mandiant, Palo Alto Networks, SAP and Siemens.
According to CNN, FBI Director Christopher Wray, Deputy Secretary of State Wendy Sherman and Deputy Treasury Secretary Wally Adeyemo, will brief the visiting delegations on ransomware issues.
Politico says the Biden administration plans to announce a slate of new efforts to jump-start the initiative, including a platform where members would be able to upload, identify, and share tips on ransomware payloads they spot within their borders. The administration will also issue a statement outlining new ways the countries can apply diplomatic pressure to countries harboring ransomware groups.
Last year the participants issued a statement agreeing to recognize ransomware as an escalating global security threat with serious economic and security consequences, and committed themselves to “urgent action.”
“Efforts will include improving network resilience to prevent incidents when possible and respond effectively when incidents do occur; addressing the abuse of financial mechanisms to launder ransom payments or conduct other activities that make ransomware profitable; and disrupting the ransomware ecosystem via law enforcement collaboration to investigate and prosecute ransomware actors, addressing safe havens for ransomware criminals, and continued diplomatic engagement.” the joint statement said.
The statement didn’t say precisely how the countries will act.
No one should have expected that an international government crackdown on ransomware would produce immediate results because gangs can, and do, re-emerge after seemingly suffering a setback. For example, the Conti ransomware gang’s online infrastructure related to negotiations, data uploads, and hosting of stolen data was shut down. However, researchers say, the gang has dispersed and is operating under a number of smaller brands.
There have been other notable successes:
–by coincidence, shortly after last year’s summit the REvil group was hacked and forced offline by a multi-country operation. In January, Russia arrested people who were allegedly part of the gang. However, there are reports that REvil’s core developers are back in business;
–In July, U.S. law enforcement authorities said they seized nearly half a million dollars in cryptocurrency that was paid as ransom to alleged North Korean hackers and their accomplices by two U.S. hospitals and other victims;
However, covering the 12-month period ending in April (which would include six months of efforts by the governments at the first White House ransomware summit), the industry-led Ransomware Task Force noted in its first annual report that the full impact of actions taken by governments and companies has not yet been seen, “and there is more to be done.
“Adoption of preparation best [cybersecurity] practices continues to be slow, particularly among small-to-medium businesses (SMBs),” it noted. “Opportunities for attackers abound, and high ransoms that created headlines in the first half of 2021 continue to draw criminals to participate in the ransomware market. Business is booming, with indications of evolving
tactics, techniques, and procedures (collectively, TTPs) being observed.”
Related content: Latest cyber attack data, including ransomware, from Statistics Canada
Some researchers at security firms have noted the number of ransomware victims listed by threat groups on their publicly-available sites has dropped compared to last year. But that isn’t necessarily an accurate indicator of the number of attacks. Groups may have decided not to be so public unless a victim refuses to pay. Other researchers see evidence of a drop in the number of attempted attacks.
According to an August report by Malwarebytes, the Lockbit ransomware strain was by far the most common version encountered by its researchers. Between March and August, LockBit racked up 430 known attacks in 61 different countries, including 128 in the U.S. In that period it was responsible for one in three known successful ransomware attacks
Last week researchers at Dragos said several new ransomware groups only targeting industrial entities emerged in the third quarter, including Sparta, Blog, Bianlian, Donuts, Onyx, and Yanluowang. These may have sprung from dissolved ransomware teams, it added.
Dragos is monitoring the activities of 48 different ransomware groups that target industrial organizations and infrastructures. Of them, 25 were active during Q3. The company’s researchers are aware of 128 ransomware incidents in the third quarter of 2022, compared to 125 in the previous quarter.
Also last week, researchers at Stairwell and Cyderes drew attention to a new exfiltration tool that includes data destruction capabilities created by an affiliate of the BlackCat/AlphV ransomware gang. “The use of data destruction by affiliate-level actors in lieu of [ransomware] deployment would mark a large shift in the data extortion landscape and would signal the balkanization of financially-motivated intrusion actors currently working under the banners of RaaS [ransomware-as-a-service] affiliate programs,” the report says.
Meanwhile, earlier this month the NCC Group reported that a new ransomware group dubbed Sparta was spotted, initially targeting organizations in Spain.
And there’s no shortage of victims. They include CommonSpirit, which operates a number of hospitals in the U.S.. According to a news report some facilities had to take patient portals and EHR systems offline as a precautionary measure, causing appointment cancellations. At the beginning of this month a Montreal-area defence supplier was hit. A ransomware attack on WordFly, a digital communications and marketing platform used by arts, entertainment, culture and sports firms, resulted in many of its subscribers being victimized, including the Toronto Symphony and the Smithsonian Institute.