Dan is a 20 year veteran of the ICT industry working for global and local vendors in bringing new and innovative technologies to market in the ANZ region. During his career, Dan has been passionate about bringing a local voice and insights to global technology challenges. As the Editor of GetCyberResilient.com Dan casts a keen eye across the hot topics, trends and pulse of local security practitioners to curate stories from near and far that are most impactful in addressing our evolving risks.
It’s easy to pigeonhole hackers as high-tech criminals who, like the highway robbers of the past, are predatory opportunists who will target anyone and everyone they can for the money. But the reality is a bit more nuanced.
Hackers are a diverse group with very different motivations, and while ill-gotten profit is usually the goal, there is an emerging trend of groups drawing a line at how far they are willing to go.
A case in point is the ransomware attack on the University Hospital Düsseldorf in Germany in September 2020. Local reports at the time suggested that the attack was intended for the affiliated Heinrich Heine University rather than the hospital itself: the ransom note was addressed to the university.
Even so, the attack severely limited the hospital’s capacity to admit and treat emergency patients. In a tragic sequence of events, an ambulance carrying a 78-year-old woman suffering from an aortic aneurysm had to be turned away and redirected to another hospital, and she died soon after the delayed treatment. The incident was widely reported as possibly the world’s first fatality caused by ransomware, although German prosecutors later concluded that the delay had not been decisive in her death and dropped their negligent homicide investigation.
Police in Düsseldorf contacted the attackers through the contact details in their ransom note to explain that the hospital, not the university, had been hit and that they were endangering patients’ lives. The hackers withdrew their demand and quickly handed over the decryption key to unlock the data, a development that also appears to be the first of its kind, before disappearing.
On the face of it, the hackers had a change of heart and didn’t want to drag innocent patients into their attack. However, it’s just as likely that they wanted to avoid adding murder or manslaughter charges to their list of crimes.
Don’t do the crime if you can’t do the time
Hackers tend to be savvy, and are keenly aware that the lucrative ‘ransomware industry’ will only stay viable if they avoid attracting too much attention from law enforcement. Like any criminal enterprise, ransomware is a game of risk versus reward. Hackers want to make sure it’s cheaper for their targets to simply pay the ransom than to pursue investigation and litigation. If their activities start endangering human lives, the risk of indictments and arrests rises sharply, and it invites far more heavy-handed government intervention against hacker activity in general.
An example of this involves the hacker group Avaddon, a prolific ransomware-as-a-service (RaaS) provider. The group was behind ransomware attacks, backed by DDoS threats as extra extortion pressure, against the Australian telecom provider Schepisi Communications, as well as two healthcare providers in the US. In the wake of increasing global crackdowns by law enforcement agencies, Avaddon released its decryption keys, 2,934 in total, each key corresponding to a specific victim. Law enforcement agencies noted that the average ransom demanded by the group was about $40,000 per target, meaning they walked away from literally millions of dollars in potential ransom money.
How the growing reach of cyber law enforcement is discouraging hackers
As the cyber capabilities and reach of law enforcement agencies grow, other ransomware groups are disappearing quickly. A recent example was the globally coordinated takedown of Emotet, the infamous malware-delivery botnet used to seed ransomware infections. As news of cyber wins from law enforcement agencies becomes more frequent, groups like TeslaCrypt and Fonix are getting out of the ransomware business altogether. One ransomware group, named Ziggy, not only quit but went as far as to apologise, offering refunds and asking for help in getting legitimate jobs in the cybersecurity industry.
Even DarkSide, the group behind the Colonial Pipeline ransomware attack, said they were closing down their ransomware affiliate program "due to pressure from the US". In winding up its ransomware-as-a-service (RaaS) program, DarkSide said it would provide affiliates with decryption tools for all the companies that hadn't paid their ransoms yet.
Their fellow criminal gang REvil also introduced significant new restrictions for cybercriminals who wanted to use their ransomware-as-a-service offering (translated from the original Russian-language forum post):
1. Work in the social sector (healthcare, educational institutions) is prohibited;
2. It is forbidden to work on the government sector (state) of any country;
3. Before locking (encrypting) a target, it must be agreed with the administration of the PP (partner programme): write a description of the target, its website, ZoomInfo details, etc.
REvil implied that they would give out decryptors for free if these terms were violated.
But relying on the goodwill of criminals is not a strategy
Law enforcement agencies are rapidly scaling up their cyber capabilities and are collaborating globally to take down big cyber threat actors. Government and international cyber laws are also catching up, putting pressure on threat actors to stay under the radar or risk getting caught.
However, that in no way means actual ransomware activity is decreasing. On the contrary, the trend is still on the rise. What it does mean is that ransomware attacks will shift, with cybercriminals self-regulating to keep their risk of getting caught comparatively small.
But we can’t rely on the altruism of criminals to protect ourselves and our organisations. Despite the best efforts of law enforcement, the onus is still on individual organisations to reduce their chances of becoming victims in the first place. And the best place to start isn’t with the technology, but with the people who will be using it.