This past week, General Paul Nakasone, who is both head of U.S. Cyber Command and director of the National Security Agency, acknowledged that the United States has gone on offense against the cybercriminals who have attacked, or who might attempt to attack, U.S. businesses with ransomware.
Nakasone, in an interview with the New York Times on December 5, 2021, said the “government is taking a more aggressive, better-coordinated approach against this threat, abandoning its previous hands-off stance.” For those within the cybersecurity world, this is not news. But for those who have previously jousted with cybercriminals, it’s a welcome acknowledgment.
Cyber Command: Take Down the Archer
Cyber Command has been expanding its footprint abroad since 2018, working with allies and partners to find criminals and nation-state hacking groups from Russia, China, Iran and North Korea. Lt. General Charles L. Moore Jr., the deputy head of Cyber Command, said in November 2021, “Since 2018, we have expanded our ‘hunt forward’ operations to all major adversaries.” He explained how U.S. Cyber Command intends to get inside the adversary’s networks and “identify and potentially neutralize attacks on the U.S.”
Max Galka, CEO and founder of Elementus, a blockchain forensics firm, said that Cyber Command’s “hunting forward” offensive action is “the right approach when going after ransomware. The ransomware perpetrators have shown that they do respond to threats, and this certainly escalates the threat and the possibility of consequences. It’s a step in the right direction.”
“We want to find the bad guys in red space, in their own operating environment. We want to take down the archer rather than dodge the arrows,” Moore quipped. Speaking in May 2021, Moore stated, “We recognize and understand the importance of being in constant contact with the enemy in this space, especially below the level of armed conflict, so we can defend ourselves and we can impose costs.”
Galka added that the “U.S. government is tackling this problem from both a law enforcement and military perspective.” He said he believed the next step would be regulation at the intersection of law enforcement and compliance.
Many Hands Make Light Work
On December 8, 2021, Trustwave SpiderLabs shared commentary collected from dark web forums that revealed cybercriminals’ belief that there are “secret negotiations on cybercrime between the Russian Federation and the United States.” In one early-November exchange on the Exploit forum, one user asked the other cybercriminals, “The whole question is, what are you ready for if the hunt begins with you?”
From the perspective of a successful ransomware actor, the lack of regulation is an opportunity to operate in the margins. Galka added that those same margins are an opportunity to track the actors down, even if they use anonymity-focused cryptocurrencies, because they cannot stay on-chain forever. “For ransomware bad actors to successfully operate, they need to interact with a number of legitimate actors on-chain. They need to pay the various service providers that they use and they need to be able to cash out using cryptocurrency exchanges and other off-ramps.”
The transparency of those blockchain transactions needs to be leveraged, said Galka, with “the funds traced from the ransomware [payment] and screened in real-time as the bad actors receive their funds.” The U.S. government has successfully recovered millions of dollars in paid ransoms on two occasions in recent months. The next step, according to Galka, “lies with the chain services. Will they respond by taking proactive measures to stop these transactions? Or will the government have to come in and enforce that through regulation?”
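To make the tracing-and-screening idea concrete, here is an added, self-contained example that is not code from Elementus or from the original article. It replays a constructed, UTXO-style ledger (the transactions, addresses and exchange attributions are all made up for illustration), propagates "taint" from the address that received the ransom using a simple haircut rule (every output of a transaction inherits the tainted share of that transaction's inputs), reports which known off-ramp deposit addresses ended up holding tainted value and by which chain of transactions, and shows the exchange-side check that would run when a deposit arrives. The 5% hold threshold is an assumed policy value, not anything the article specifies.

```python
"""Toy haircut-style taint tracing from a ransom-receiving address to exchange
deposit (off-ramp) addresses. All ledger data and attributions below are
constructed for illustration; real tracing runs over actual chain data and
curated attribution sets, and tracks individual outputs rather than addresses."""
from collections import defaultdict, deque

# Constructed sample ledger in chronological order (not real chain data).
# Each transaction spends from its input addresses and pays its output addresses.
TRANSACTIONS = [
    {"txid": "tx1", "inputs": [("victim", 10.0)], "outputs": [("ransom_addr", 10.0)]},
    {"txid": "tx2", "inputs": [("ransom_addr", 10.0)], "outputs": [("split_a", 6.0), ("split_b", 4.0)]},
    # split_a is blended with unrelated clean funds, diluting the taint by half
    {"txid": "tx3", "inputs": [("split_a", 6.0), ("clean_funds", 6.0)], "outputs": [("mixed", 12.0)]},
    {"txid": "tx4", "inputs": [("mixed", 12.0)], "outputs": [("exchange_X_deposit", 12.0)]},
    # split_b pays a service provider and cashes out at a second exchange
    {"txid": "tx5", "inputs": [("split_b", 4.0)], "outputs": [("infra_provider", 1.0), ("exchange_Y_deposit", 3.0)]},
]

# Constructed attribution set: deposit addresses known to belong to exchanges.
KNOWN_OFFRAMPS = {"exchange_X_deposit": "ExchangeX", "exchange_Y_deposit": "ExchangeY"}


def propagate_taint(transactions, source_addr):
    """Replay the ledger and return {address: taint_fraction in [0, 1]}.

    Haircut rule: each output of a tx carries the tx's blended taint, i.e.
    tainted input value divided by total input value. Assumes each output
    address is used once (no address reuse) so one fraction per address is
    enough; the source address is the root and is never overwritten by the
    payment that funded it.
    """
    taint = {source_addr: 1.0}
    for tx in transactions:
        total_in = sum(amt for _, amt in tx["inputs"])
        tainted_in = sum(amt * taint.get(addr, 0.0) for addr, amt in tx["inputs"])
        fraction = tainted_in / total_in if total_in else 0.0
        for addr, _ in tx["outputs"]:
            if addr != source_addr:
                taint[addr] = fraction
    return taint


def find_offramp_exposure(transactions, source_addr, offramps):
    """List every known off-ramp deposit that received tainted value, in ledger order."""
    taint = propagate_taint(transactions, source_addr)
    hits = []
    for tx in transactions:
        for addr, amt in tx["outputs"]:
            fraction = taint.get(addr, 0.0)
            if addr in offramps and fraction > 0.0:
                hits.append({
                    "exchange": offramps[addr],
                    "deposit_addr": addr,
                    "txid": tx["txid"],
                    "tainted_value": round(amt * fraction, 8),
                    "taint_fraction": round(fraction, 4),
                })
    return hits


def path_from_source(transactions, source_addr, target_addr):
    """Return the shortest list of txids linking source_addr to target_addr ([] if none).

    Builds a spending graph (address -> txids that spend from it) and walks it
    breadth-first so the reported chain of hops is the shortest one.
    """
    spends = defaultdict(list)
    outputs_of = {}
    for tx in transactions:
        for addr, _ in tx["inputs"]:
            spends[addr].append(tx["txid"])
        outputs_of[tx["txid"]] = [addr for addr, _ in tx["outputs"]]
    queue = deque([(source_addr, [])])
    seen = {source_addr}
    while queue:
        addr, path = queue.popleft()
        if addr == target_addr:
            return path
        for txid in spends[addr]:
            for out_addr in outputs_of[txid]:
                if out_addr not in seen:
                    seen.add(out_addr)
                    queue.append((out_addr, path + [txid]))
    return []


def screen_incoming(taint, tx, threshold=0.05):
    """Exchange-side check before crediting a deposit: blend the taint of the
    incoming tx's inputs and return (decision, fraction). The 5% threshold is
    an assumed policy value for illustration."""
    total_in = sum(amt for _, amt in tx["inputs"])
    tainted_in = sum(amt * taint.get(addr, 0.0) for addr, amt in tx["inputs"])
    fraction = tainted_in / total_in if total_in else 0.0
    return ("hold" if fraction >= threshold else "accept", round(fraction, 4))


if __name__ == "__main__":
    taint_map = propagate_taint(TRANSACTIONS, "ransom_addr")
    for hit in find_offramp_exposure(TRANSACTIONS, "ransom_addr", KNOWN_OFFRAMPS):
        hops = path_from_source(TRANSACTIONS, "ransom_addr", hit["deposit_addr"])
        print(f'{hit["exchange"]}: {hit["tainted_value"]} tainted '
              f'({hit["taint_fraction"]:.0%}) via {" -> ".join(hops)}')
    print("tx4 at ExchangeX:", screen_incoming(taint_map, TRANSACTIONS[3]))
```

Two things the toy shows that the paragraph does not: mixing with clean funds dilutes but does not erase the trail (ExchangeX still receives 50%-tainted value), and the screening decision can be made from the same taint map the tracer maintains, which is what "screened in real-time as the bad actors receive their funds" amounts to in practice.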
Poked the Bear
President Biden’s international effort to work collaboratively against cybercriminal entities, especially those that apparently find safe haven in Russia and elsewhere, requires investment in diplomatic expertise as well as in technical exchange and collaboration. The Trustwave blog observed that, in just the past few months, “we have seen some results of geopolitical collaboration efforts. Getting a handle on ransomware and bringing cybercriminals to justice seems to be becoming a global priority.”
Cybercriminals, in their quest to land a whale with the perfect ransomware attack, are finding out that they have, indeed, poked the bear. Cyber Command appears to be coming out of hibernation, and that should greatly concern them.