Bearing down on international cybercrime: how the FBI is working with agencies around the world to combat the rise of ransomware
It is all too easy to think the war against hackers and ransomware gangs is unwinnable. We have become accustomed – inured, even – to the threat posed by prolific serious and organised cybercriminals stalking our companies, institutions, way of life.
Often protected – and sometimes even directed – by hostile nation states, most notably Russia, ransomware gangs have been able to operate with relative impunity in what has become a commonplace and industrialised criminal activity targeting businesses for financial gain.
In a typical attack, ransomware – a form of computer malware – enters a vulnerable system through a security flaw or through human error, such as clicking on a malicious link or attachment in an email; files are then encrypted, users locked out, and payment demanded – in untraceable cryptocurrency such as Bitcoin – in return for a decryption key. The gangs then mercilessly apply pressure on the victims using a ‘double extort’ method, threatening to release their stolen data on the dark web. Sadly, many decide to pay to regain access to their networks, calculating that the existential risk to their business outweighs the risk of dealing with criminals.
The Scottish Environment Protection Agency – Sepa – was hit in exactly this way, and more recently Arnold Clark, the car dealership, among others in Scotland. Neither paid in these instances, but the corporate data theft and disruption to their organisations were considerable, costing millions of pounds to repair or replace systems, not to mention many thousands of lost working hours spent on recovery. The reputational damage and legal implications of having personal and often sensitive data spilled onto the dark web only add to the injury and stress of responding to these complex computer network penetrations.
The rise of cybercrime – and ransomware especially – has been such that Britain recently elevated it to a “tier one national security threat” alongside international terrorism and environmental disasters. Cybersecurity Ventures estimates that the damage caused by ransomware could exceed $265bn by 2031, with a new attack on a consumer or business every two seconds, many of which go unreported.
The more or less untouchable status of cybercriminals in certain jurisdictions – including China, Iran and North Korea – and the sheer number of ransomware incidents have caused law enforcement and security agencies to develop more collaborative approaches at a global level in response to their activities, which are constantly evolving. A recent trend has seen ransomware gangs increasingly offer their cyber skills, tools and techniques to one another ‘as a service’. This is essentially a business model, whereby ‘operators’, ‘affiliates’ and ‘initial access brokers’ (IABs) work together to execute the attacks, with each taking a cut from whatever is earned in the process. Although these are complex networks to unpick, some significant law enforcement wins in recent months perhaps show that the fitting response is for agencies themselves to be part of extensive and joined-up global networks.
One such disruption to hackers’ activities came to public attention in January. In the US, the Department of Justice announced that it had – in collaboration with fellow security and justice agencies around the world – managed to penetrate and interdict the IT infrastructure of the Hive ransomware gang, which had targeted more than 1,500 victims in over 80 countries, including hospitals, school districts, financial firms, and critical infrastructure. Another operation, again coordinated at a global level and involving the UK and the US, led this month to seven Russian men linked to the notorious Conti ransomware group being financially sanctioned and made subjects of international travel bans.
Going after the networks of the cybercriminals in this way – and pursuing them individually through sanctions and bans – is turning the dial up a notch where previous attempts at political and judicial cooperation between the likes of Russia and the west have failed. Untangling the relationships between the hackers and the state is also a complicated task. Many are common-or-garden hackers motivated by financial gain, of course. But many are also thought to be loosely or even directly connected to regimes, working under the instruction of state security agencies. This is certainly thought to be the case in the context of Russia. For those without a direct affiliation, that status allows law enforcement to exert perhaps more pressure on those individuals than if they were state officials, as they are afforded fewer protections and are perhaps not as ideologically driven. As they are effectively sole traders, financial sanctions (which in real terms means having their assets frozen and being excluded from the international banking system) and travel bans may be a more effective deterrent in those scenarios.
David J Scott is deputy assistant director of the FBI’s Cyber Division, and has oversight of the division’s Cyber Operations Branch. He also serves as the director of the National Cyber Investigative Joint Task Force, which in the US is an inter-agency body coordinating efforts against cybercriminals involving 30 partner agencies from across law enforcement, the intelligence community, including the CIA, and the US Department of Defense. He is at the heart of efforts to bear down on cybercriminals, wherever they may be located in the world. He also had a role in the recent Hive case. Although he is unable to divulge much about the investigation, which the FBI led on, he paints the picture of how the operation unfolded. Last July, one of the bureau’s field offices in Tampa – assisted by division headquarters – was able to gain what Scott describes as ‘covert persistent access to Hive’s control panel’.
“Then, for seven months, we were able to exploit that access and to work behind the scenes to go and help victims proactively while keeping Hive in the dark,” he explains. “And so we identified, you know, we were able to go out and provide decryptors to over 1,300 victims around the world; and it prevented at least $130 million in ransom payments.”
“So obviously that delivered a huge blow to Hive and their financial incentives to continue carrying out these attacks. And then we worked very closely with several of our European partners to move into the next phase and to seize control of Hive’s infrastructure. So, you know, many people around the world woke up to see Hive’s infrastructure redirected. And they saw what we call a splash page that said it had been disrupted. That sends quite a message that, you know, it doesn’t pay to be a cybercriminal.”
Scott proudly refers to such cyber operations as a ‘team sport’, with the takedown of Hive being a good example of agencies working internationally towards a shared goal. His favourite part of the operation was, in the aftermath, reading the press release listing the FBI’s global counterparts, which include the likes of the German Reutlingen Police, the National High Tech Crime Unit of the Netherlands and Europol. Substantial assistance and support were also provided by Britain’s own National Crime Agency as well as the French Direction Centrale de la Police Judiciaire and Lithuanian Criminal Police Bureau, as part of a much longer list that Scott describes overall as a “tremendous partnership”.
“If we leverage all of those partnerships and with intelligence and law enforcement tools across the globe, we’re going to continue to have successes just like we did with Hive,” adds Scott, who works out of the FBI’s Washington DC headquarters.
One of the interesting aspects of the Conti case was how information about its suspected members came to light. On February 27 last year, in the days following the Russian invasion of Ukraine, a purported ‘Ukrainian researcher’ – according to the Israeli threat intelligence firm Kela – leaked internal conversations of the gang members via the Contileaks Twitter profile, in apparent retribution for the Russian aggression. The dialogue, taken from the Jabber chat app, led to further leaks including one that ‘doxxed’ 21 purported members of the Trickbot malware enterprise – closely linked to Conti and Ryuk ransomware – revealing the alleged hackers’ names, dates of birth, passport numbers, mobile phone numbers, email addresses, bank accounts and social media accounts.
Although Kela stressed it could not verify the doxxed information, some of those individuals intriguingly appeared in this month’s sanctions list coordinated by the Foreign Office alongside the US Department of the Treasury’s Office of Foreign Assets Control (OFAC).
So have the invasion of Ukraine and the apparent falling-out between ransomware gang members directly helped law enforcement agencies with their investigations?
“I can’t say whether the Ukraine invasion has helped, or harmed,” Scott says. “I will say that anytime you’ve got criminal actors who decide to expose information like that, or if there’s rivalries between cybercriminal groups, that type of thing, we’re certainly going to be watching for that. And so anytime that information is put out there, obviously our team is going to do everything we can to work with our partners to ensure that we exploit it.
“I can’t speak specifically to whether it’s influenced at all or not by the Ukrainian situation. But certainly anytime you have an actor that goes out there and is willing to disclose information, it’s going to be very quickly … our team is going to be all over that. And so we will definitely take advantage of those types of situations.”
People are also growing tired of the “callous” nature of cyberattacks, he adds, citing numerous examples involving hospitals, schools and even critical national infrastructure, such as the Colonial Pipeline cyber incident in May 2021, which led to fuel shortages across the US, impacting millions of Americans. Those kinds of high-profile and hugely damaging incidents have, he says, further incentivised agencies to work together, and society to take the threat of cybercrime much more seriously. The FBI, which has 56 field offices in the US, increasingly does outreach and education work with the public around the cybersecurity prevention agenda.
Although incidents like Colonial Pipeline garner headlines worldwide, much of the work the FBI does to prevent cyberattacks on a day-to-day basis goes unpublicised. Comprising cyber agents, intelligence analysts, computer scientists, digital forensics specialists and other roles, the FBI’s ‘cyber action teams’ can be deployed at a moment’s notice in the US or overseas to respond to a cyber incident, supporting victims or even would-be victims to avoid such a fate. A network of 16 cyber assistant legal attachés – which the FBI plans to expand – also helps the bureau work in collaboration with local partners around the globe, including London. CyWatch is the FBI’s 24/7 centralised coordination hub responding to cyber events and joining everything up.
Scott is happy to share details of one case where the FBI worked quickly to help a victim avoid a potentially catastrophic cyberattack.
“I can’t name the specific victim,” says Scott. “But not too long ago, just a few months ago, we had a foreign law enforcement partner that discovered some indicators that a healthcare centre here in the US was going to be the target of a ransomware attack. And so that foreign partner provided that information to our legal attaché in London, who then forwarded that information to CyWatch.
“Within 37 minutes we have receipt of this information – because we actually went back and tracked it just to see how effective we were – and CyWatch had done all of the database checks through our systems, gathering everything that they could find on this situation. They then sent that intelligence on the health centre to the local FBI field office – the cyber task force in the field – for them to review.
“And then within less than an hour that field office contacted the health centre’s IT manager and provided this threat information.”
As a result of the intervention, the IT manager in question was able to isolate the compromised server and – with the help of a third-party incident response company – disconnect it from the rest of the network, mitigating any potential harm to systems and patient care. The quick actions of all involved, from the foreign law enforcement partner, to the legal attaché, to CyWatch and the field office, exemplify the kind of collaboration model Scott says is vital to combating the threat posed by hackers.
Scott is “under no illusion” that, just because of recent successes with the likes of the Hive and the Conti gangs, ransomware is “going anywhere, anytime soon”. The agency is in it for the long haul, much as it always has been with white collar crime, mobsters, the war on drugs and international terrorism. Cyber is a permanent fixture and will only grow more challenging with the advent of new technologies, a generational shift towards more web-based jobs, and increasingly hostile nation states. With China locked in strategic competition with the US, and Iran cracking down on growing internal dissent, the risks of more deniable cyberattacks targeted against western critical infrastructure are becoming more pronounced, not less.
As it invests in its own cyber skills and adopts new innovations, forging ever closer relationships with tech companies, the FBI will continue to press the case for justice. Although there is little cooperation with the likes of Russia on extradition, there have been successes for the agency when individuals have surfaced in other countries. Vladimir Dunaev, a Russian national and member of the Trickbot gang, was extradited to the US in 2021 after he was arrested in Korea. And in December, Mikhail Vasiliev was arrested in Canada as a suspected member of the prolific ransomware gang, Lockbit, and awaits extradition to the US. The famed Cyber Most Wanted list also contains – at the current count – 118 named suspects (some with rewards of $10m) around the world, which Scott insists does have a positive “impact”.
“When these actors do step out of their safe haven and travel, you know, our international partners have shown that they have no tolerance, and they will arrest them,” says Scott. “And then we will make a request to extradite those individuals. We’ve done that several times recently, and brought them back to the US to face charges for their actions. Obviously, that’s going to have an impact. If cyber actors recognise their actions are going to create an environment where they can’t ever leave their safe havens, that’s going to have a deterrence effect.”
In the meantime the agency continues the fight and tries to share as much intelligence as it can via private industry notifications (PINs), ‘flash reports’ and public service announcements on both general cyber threats and specific vulnerabilities that can be fixed through software updates. Although ransomware is the big financial crime story, Scott does not want people to lose sight of hostile nation states whose goals are more oriented towards industrial espionage or damaging critical national infrastructure. And in some cases it can be a combination of all three, whereby state security services may “moonlight” as everyday cybercriminals, or the latter may be contracted by organs of the state.
“It’s a tremendous problem,” he concludes. “And what we’re seeing is a lot of blended threats where we can’t really always say, well, the nation state actors are our only concern or the criminal actors are our only concern. It’s something where we have to look across the spectrum at all of the cyber actors, and combat them all.”