Why, for the US, ransomware attacks are terrorism

by admin

The cyber threat landscape in recent months has been monopolized by ransomware attacks on a global scale. Some of these, such as the one against the fuel distribution network Colonial Pipeline and the one against meat supply giant JBS Food, have demonstrated the potential impact such attacks can have on victims. In both cases, the distribution chains were paralyzed with an impact on the respective sectors and even on the prices of consumer products.

If proof were ever needed, we have learned that a cyber attack on critical infrastructure, such as a power plant or hospital, could have a devastating impact on the targeted organization, its users, and the whole sector to which it belongs. In particular scenarios, an attack could even lead to loss of life, as in the case of blocking a hospital's services or tampering with the system that monitors a city's water supply.

The targets of these attacks and their potential effects have led the United States Department of Justice (DoJ) to give ransomware investigations the same priority as terrorism investigations. The US authorities have created a special task force to coordinate the investigation of ransomware attacks in the country, as has been done for decades for terrorism.

“Internal guidelines sent Thursday to US law offices across the country said information on ransomware investigations in the field should be centrally coordinated with a newly created task force in Washington,” the Reuters news agency reported.

“It is a process to ensure that all cases of ransomware are tracked regardless of where they may be reported in this country, so that we can make connections between actors and work to break the whole chain,” said John Carlin, attorney general in the Department of Justice.

The basic idea is correct: a central unit is in charge of collecting and sharing all information relating to ransomware attacks against US companies or companies operating on American soil. This activity is essential to prevent the action of the main ransomware gangs against companies in different sectors, and above all to provide guidance to victims and organizations so that these threats can be prevented or neutralized.

The guidance shared by the DOJ explicitly refers to the attack on Colonial Pipeline, treating it as a case study that demonstrates the “growing threat that ransomware and digital extortion represent to the nation”.

According to the American authorities, ransomware attacks pose a threat to national security and the country’s economy, which is why it is important to step up efforts to increase the resilience of critical infrastructures and dismantle the operations of ransomware gangs.

“To ensure that we can establish the necessary links between national and global cases and investigations, and to enable us to develop a comprehensive picture of the national and economic security threats we face, we need to improve and centralize our internal monitoring,” the Department of Justice guidance continues.

This is the first time that a terrorism investigation model has been proposed for ransomware attacks, evidence of the growing threat they pose to national security.

The guidance also asks the US Attorney’s Offices to look at other investigations focusing on the global cybercrime ecosystem. In particular, it requires centralized coordination for cases involving anti-virus services, illicit online forums or marketplaces, cryptocurrency exchanges, hosting services that guarantee anonymity and do not respond to requests from competent authorities, botnets and online money laundering services.

You may wonder at this point how many groups are behind the main ransomware attacks and how much they are estimated to earn.

It is difficult to provide a precise answer, but some data can help us in the estimation. In the last two years, over 40 groups have been traced, of which a dozen have proved particularly active, and over time they have been responsible for an increasing number of attacks thanks to the establishment of affiliate networks that spread the ransomware.

The following image shows the number of victims of the most active gangs in the last month, according to the cyber threat intelligence company DarkTracer. The graph highlights the intense activity of the Avaddon, Conti, REvil and DarkSide groups, which have affected hundreds of organizations.

Figure 1 – Source Twitter

Overall, therefore, we can estimate that several hundred companies are affected each month by these groups.

To understand the economic returns of the criminal enterprise we can analyze the earnings of one of the main gangs.

In the past month, researchers from blockchain analytics firm Elliptic estimated that the DarkSide ransomware gang, the same one that hit Colonial Pipeline, has earned over $90 million from its attacks since October 2020.

The researchers examined the Bitcoin wallets used by the ransomware gang to receive ransom payments from victims in recent months.

“In total, just over $90 million in Bitcoin ransom payments were made to DarkSide, coming from 47 separate wallets,” reads the report published by Elliptic. “According to DarkTracer, 99 organizations were infected with DarkSide malware, suggesting that around 47% of victims paid a ransom and that the average payment was $1.9 million.”

Figure 2 – Total ransoms paid by the victims of the DarkSide group (Elliptic Report)

At this point, if we consider that there are several dozen operations similar to DarkSide, we can estimate the losses related to ransomware attacks to be on the order of billions of euros annually, a very considerable figure that has pushed the US government to a tough response.

Also under study is the possibility of US authorities preventing companies that fall victim to ransomware attacks from paying ransoms, with the aim of discouraging the dreaded extortion practice.

In the meantime, we can only predict a substantial increase in ransomware attacks in the coming months.
