Law enforcement has made some notable arrests of ransomware perpetrators, but such arrests are only part of an effective response. Marc Rogers — an adjunct senior technical adviser with IST — said that once a ransomware gang’s leader is arrested, another person likely steps in to replace them. Law enforcement must therefore hit a variety of pain points across the ecosystem that currently enables ransomware attacks.
For example, when the FBI and partners disrupted LockBit, law enforcement took time to gather insights from the criminal systems they hacked, subsequently pursuing affiliates and seizing cryptocurrency wallets, Rogers said during the panel.
International efforts to disrupt Qakbot were also impactful and ultimately disrupted ransomware attacks for months, noted Allan Liska, an intelligence analyst with Recorded Future.
This action was notable because it struck an entity early in the chain of a cyber attack, Liska said. LockBit, REvil and other major groups have reportedly used Qakbot to distribute ransomware strains. Hitting groups or tools involved in gaining initial access to a victim’s systems is powerful because it reduces ransomware and also other cyber crimes, like business email compromise, romance scams and pig butchering, said Jason Kikta, an IST adjunct senior technical adviser.
Defenders also need to be aware that many ransomware actors are successful without turning to sophisticated techniques. In some cases, attackers use tools that have been around for decades, such as Mimikatz, said Kikta. Organizations must improve defenses by addressing “low-hanging fruit” issues in their infrastructure and processes, Rogers said.
And youth ransomware perpetrators have now become known for low-tech methods.
The Com is an online community spanning Discord chats and Telegram channels that includes youth hackers. That community includes, among others, the group behind the MGM and Caesars Entertainment hack. Rogers noted that Com members often use highly targeted direct interaction to try to access victim organizations.
“They will hunt down people who advertise on LinkedIn [that] they work in a call center, and then they'll go after them,” Rogers said.
The Com is believed to be made up largely of teenagers who speak English as a first or second language and can conduct convincing social engineering ploys against organizations in Western countries, Liska said. But on the flip side, this also creates opportunities for law enforcement. Whereas U.S. authorities have limited ability to pursue perpetrators in countries like Russia, there are more options for responding to domestic actors targeting domestic organizations, Rogers said.
Law enforcement needs to bring arrests and real penalties to bear against teen perpetrators but should be wary about potential prison time cementing someone into a criminal lifestyle, Rogers and Kikta said.
Efforts to intervene early and redirect people away from crime are important. Some members of the Com came to the group by being recruited from online video game communities, Vice reported.
Bug bounty programs have been one useful way to give hackers legitimate avenues for profiting off findings, helping reduce zero-day attacks, Rogers said. Kikta suggested we may need more efforts to connect tech-savvy individuals with non-criminal job opportunities, which would help both them and society writ large.
Panelists' recommendations that governments look to disrupt cyber criminals from many angles aligned with a recent IST Ransomware Task Force report. The report said that before nations can get to the point where ransomware payment bans do more good than harm, they’ll need to shift the landscape. In part, that means better cracking down on bad actors, and the report recommended targeting criminals’ IT infrastructure and cryptocurrency, as well as the criminals themselves.