Ransomware and Foreign Hackers #
TW: discussion of death of a baby
The recent ransomware boom #
Why is ransomware so big now? Cryptocurrency.
- Ransoms have been around for a long time; so has malware
- Historically, ransomware was used to hit small businesses and charge hundreds of dollars to recover data
- However, hackers now routinely extort critical infrastructure providers (gas pipelines, transportation systems, etc) for hundreds of millions of dollars
- Cryptocurrency is easier to obtain, transact, convert to real currency
- Exchanges are less uptight than banks about KYC (Know Your Customer)/AML (Anti Money Laundering) laws
- People generally think cryptocurrency is untraceable
- However: this myth was busted in June 2021 after FBI recovered 63.7 of 75 bitcoins paid to DarkSide after Colonial Pipeline hack
- DarkSide: “ransomware as a service” provider that sells ransomware payloads to other criminal/hacking groups
- Ironically, crypto can be traced by FBI faster than bank transactions
Criminal prosecutions of ransomware attackers #
Prosecution using CFAA #
- CFAA has been repeatedly used by DOJ in ransomware-related incidents
- SamSam ransomware developers (both Iranian): indicted Nov. 2018
- Victims: hospitals, municipalities, public institutions
- 6 counts, including 1030(a)(5)(A), 1030(a)(7)(C)
- Status: nothing has happened since Nov. 2018, presumably still in Iran
- CFAA has little teeth against hackers in non-extradition nations
- Kelihos botnet operator (Russian): indicted 2017, extradited from Spain in early 2018
- Allegedly used botnet to distribute JakeFromMars ransomware
- 8 counts, including 1030(a)(4), 1030(a)(5)(A), 1030(a)(7)(C)
- Status: sentenced August 2021 to time served + 3 years supervised release
- Pleaded guilty to 4 counts: 1030(a)(5)(A), conspiracy, wire fraud, aggravated ID theft
- Two co-conspirators were convicted and pleaded guilty to CFAA offenses in summer 2021
- Trickbot ransomware developer (Latvian): indicted 2020, arrested in Miami February 2021, arraigned in Ohio June 2021
- Ransomware-as-a-service provider
- Lived in Suriname, arrested when flying through MIA airport from Suriname
- 47 counts, including conspiracy to violate (among others) 1030(a)(2)(C), 1030(a)(4), 1030(a)(5)(A), 1030(a)(7)(C)
- Status: unknown, because case is under seal
- Other Trickbot gang members still at large in Russia, Belarus, Ukraine, Suriname
Other laws used to prosecute #
- Wire fraud, 18 U.S.C. section 1343
- Very common in hacking cases, along with bank fraud where relevant (Trickbot, APT 38)
- Having a scheme to defraud someone or obtain money by false pretenses + sending a communication via the Internet for purpose of carrying out the scheme
- Communication can be to an intended victim of the fraud scheme
- Kelihos defendant used botnet to send “pump and dump” spam
- Or:
- Doing online research to find potential victims (SamSam, APT 38)
- Using victims’ stolen bank logins to authorize money transfers (Trickbot)
- Online communications among co-conspirators (APT 38) or with customers (Kelihos)
- Aiding and abetting, 18 U.S.C. section 2
- Conspiracy and attempt
- Conspiracy to commit some other federal offense, 18 U.S.C. section 371
- Conspiracy or attempt to violate the CFAA, 18 U.S.C. section 1030(b)
- Conspiracy or attempt to commit wire fraud, 18 U.S.C. section 1349
Civil litigation against victims of ransomware attacks #
Kidd v. Springhill Hospitals (filed June 2020) #
- Alabama wrongful-death lawsuit against hospital (plus doctors, care team, etc.) by mother of infant who was delivered in distress during a ransomware attack and later died
- Distinct from data security and data breach notification laws
- Not about PII being poorly secured, breached, or hacked
- Allegedly improper care resulting in death because cyberattack took down crucial equipment
- Also distinct from CFAA because CFAA penalizes the hacker, not the hacked
- What causes of action are asserted?
- Fraudulent non-disclosure - for not telling mother that ransomware had taken down hospital systems and placed patient care and safety at risk, or sending her somewhere else to deliver her daughter
- “Wantonness” - hospital had duty to provide appropriate medical care and wantonly failed to do so, in part because cyberattack had forced them to use outdated paper charts etc
- Wrongful death - resulting from wanton failure to provide appropriate medical care
- Negligence - negligently departed from the accepted standard of care, in part because electronic medical equipment and record-keeping systems unavailable due to cyberattack
- Breach of implied contract - to safely provide medical care and nursing
- If ransomware attacker is ever caught, potential CFAA case?
- Offense: 1030(a)(5)(A), 1030(a)(7)(C) - as seen in SamSam indictment involving several hospitals
- Punishment:
- 1030(c)(4)(F): “if the offender…recklessly causes death from conduct in violation of subsection (a)(5)(A)” - fine + up to life in prison
- 1030(c)(3): for (a)(7)(C) - fine/prison (5 years first offense, 10 years otherwise)
- Could Kidd, the mother, assert a civil CFAA claim against the attacker?
- Probably yes, but no court cases say so explicitly
- Cf. Wofse v. Horn, No. 19-cv-12396 (D. Mass. March 2, 2021) - plaintiff alleged that defendants’ cyberattacks adversely affected his health, court allowed civil case, but different CFAA subsection
- Expect more cases as more ransomware attacks on hospitals cause more harm and deaths
- Hospitals are not always treated as off-limits; some attackers bet hospitals have an incentive to pay up
- September 2021 CISA report says ransomware attacks on hospitals, coupled with COVID-19 caseloads, have pushed National Critical Function of providing medical care almost to the breaking point
Potential liability of ransomware victims that pay ransom #
Ransomware: to pay or not to pay? #
- Supply and demand: if crime doesn’t pay (supply), maybe less crime (demand); hence an incentive to punish ransomware payors
- Countervailing concern: if paying is punished, companies would still pay but not tell govt about the hack
- Peters/Portman bill would provide money for recovery costs (ransomware remediation cost ~= $2M)
- Material support statutes: prohibit knowingly providing money to a Foreign Terrorist Organization
- Treasury Department’s Office of Foreign Assets Control (OFAC)
- OFAC sanctions list: individuals and companies owned, controlled by, or acting for/on behalf of, targeted foreign countries and regimes (Cuba, North Korea’s Lazarus Group aka APT 38, terrorist orgs like Al Qaeda, drug traffickers like El Chapo)
- Paying ransom to unknown hackers that end up on the list: OFAC will go after payors
- Per Oct. 2020 advisory, OFAC will also go after those who facilitate payments to hackers on the sanctions list: i.e., cyber insurers, financial institutions, digital forensics and incident recovery firms, payment processors, consultants who help victims broker a deal with ransomware gang, etc
- Nov. 2018: blacklisted two Iranians for exchanging SamSam ransoms from BTC to rial, depositing in Iran banks
- Just blacklisted cryptocurrency exchange Suex for facilitating BTC transactions for ransomware actors
- It makes no difference if facilitators/victims don’t know the anonymous hacker is on the sanctions list
- Hacker’s IP address may be spoofed; also, China lets NK state-affiliated hackers work from China
- In Sept. 2021, OFAC re-emphasized that paying ransoms threatens national security, may violate OFAC regulations
- SolarWinds: attributed to Russian SVR, aka APT 29, aka Nobelium
- Motive: affected Treasury, State, DOJ, other federal agencies
- Microsoft says goal was to obtain information about sanctions and US policy on Russia, plus counter-intelligence matters, methods for catching Russian hackers
Alternative to payment: find a way to unlock the data yourself #
- FBI discourages paying ransoms but also doesn’t support a ban on paying
- What if you already paid? FBI can help, they got the private key to DarkSide’s BTC wallet
- Maybe can find a flaw in hackers’ code
- April 2021: QLocker ransomware flaw, glitch in payment system made it easy to look like a victim had already paid, so the system unlocked the victim’s files
- In October 2021: NZ cybersecurity firm Emsisoft helped victims recover data
- May 2021 Colonial Pipeline attack by DarkSide: group regrouped under a new name, BlackMatter
- Emsisoft found error in BlackMatter’s code that let it decrypt files and restore access to data
- Secretly helped dozens of victims unlock data
- Eventually BlackMatter caught on and patched the vulnerability, but Emsisoft saved millions of dollars in the meantime
- Controversy: FBI sat on Kaseya ransomware decryption key for 3 weeks instead of sharing it with victims of the REvil ransomware gang, costing them millions
- Goal: not compromise FBI investigation, if nobody was paying up, REvil might get suspicious
- Group shut down anyway first, went quiet for a while (then came back, got taken offline by US and others)
- Unclear what victims should do, FBI says not to pay ransom but is not helpful when victims need it
Foreign state-affiliated ransomware #
Russia #
- Kremlin doesn’t have broad control over private hacking groups, but leaves them alone as long as they don’t hack the Kremlin and their goals are broadly aligned with the Kremlin’s
- Kremlin can send signals for the hacking groups to go underground; this happens if they believe US will retaliate with a cyberattack
North Korea: Lazarus Group (APT 38) - December 2020 indictment #
- Three individuals, members of units of the RGB, NK’s military intelligence agency
- Expansion of 2018 indictment of one of the three individuals
- Motive? “Further strategic and financial interests” of NK and Kim Jong Un
- Wide-ranging scope of acts: monetary gain, retribution, info-gathering, etc
- Sony Pictures hack (2014)
- Creating WannaCry 2.0 ransomware (2017)
- Hacking banks + fraudulent wire transfers in 6 countries; >$1.3B (2015-2019)
- Malicious cryptocurrency trading applications (2018-2020)
- Stealing crypto from wallets of cryptocurrency companies (2017-2020)
- ATM “cash-out”: ATM dispenses cash to co-conspirator (2018)
- Spear-phishing employees of state, DoD, defense contractors, energy utilities, etc
- Charges:
- Conspiracy to violate the CFAA: sections 1030(a)(2)(C), 1030(a)(4), 1030(a)(5)(A), 1030(a)(7)(A)-(C) - similar to earlier ransomware indictments
- Conspiracy to commit wire fraud and bank fraud
- Interesting facts from indictment:
- Hackers sometimes worked from China and Russia
- Some of the theft for state, some for themselves
- Names a Canadian co-conspirator sentenced to >11 years in prison for money laundering conspiracy, including 2 APT 38 heists
China: Hainan MSS (APT 40) - May 2021 indictment #
- 3 officers of Ministry of State Security; 1 hacker for hire
- Created a “security research” front company
- Staffed and managed by local universities
- Another wide-ranging hacking scheme: steal IP and confidential data for competitive advantage of Chinese government, companies, and commercial sectors
- Ebola virus/vaccine research
- Submarine R&D
- AVs
- Chemical research
- Genetic sequencing tech
- Information on pending deals and disputes with governments of other countries (Malaysia, Cambodia)
- Hacked victims in 12 countries worldwide using spear-phishing
- Research facility
- Universities in multiple states
- IT companies
- Defense contractors
- Swiss chemicals company
- Airlines
- Cambodian government ministry
- Malaysian high-speed rail company
- Malaysian political party
- NIH
- etc
- Stored malware and stolen data on GitHub, concealed using steganography, stored other stolen data on Dropbox
- Charges:
- Conspiracy to violate CFAA, sections 1030(a)(2)(B)-(C), 1030(a)(5)(A)
- Conspiracy to commit economic espionage under 18 U.S.C. section 1831
- Same other law used in United States v. Nosal
- Note details: photos of the buildings where they worked, search queries they ran online (e.g., “Dropbox appkey”), passwords to malware and files
- Anonymous research group “IntrusionTruth” reported in January 2020 on links between APT 40, Hainan MSS, and front company
- Overt acts alleged in furtherance of conspiracy occurred 2009-2018
- Even after 2015 Obama-Xi agreement not to hack IP for commercial advantage
- APT 40 and ransomware
- Allegedly, APT 40 engages in ransomware hacks now, not just for espionage
- APT 40 blamed for MS Exchange email server hacking campaign in early 2021
- Over 250,000 email servers compromised
- Microsoft attribution in March 2021
- White House attribution not until July, citing support from EU, UK, NATO
- White House asserts APT 40 behind ransomware attacks
- Alleges Chinese government turns a blind eye when MSS’s current or former contract hackers conduct private ransomware attacks (not on state behalf)
- White House stopped short of issuing sanctions on China
- Why aren’t the Exchange/ransomware attacks in the indictment?
- Guess: Indicted individuals in APT 40 weren’t behind those attacks
- Possibly more indictments coming