
Ransomware: Worse Than Cybercrime, It’s Cyber Warfare

A “Hacker’s Almanac” sheds light on the threat to society

David Braue

Melbourne, Australia – Jun. 11, 2021

Many of today’s most damaging cybersecurity attacks are created by nation-state sanctioned actors who are given resources and latitude to cause widespread damage at their whim, according to a new analysis of contemporary cyberwarfare that provides a who’s-who of the increasingly multi-faceted cybercrime underworld.

With military or state intelligence services often recruiting malicious cybercriminals based on their technical skills or propaganda expertise, high-profile attacks are often executed by motley gangs of “incident cybercriminals who are serving a sentence and are easy targets for recruitment,” security firm Radware explains in its newly released 2021 Hacker’s Almanac.

“Some states are in it for economic gain,” the authors note, “while others provide an environment that allows their contractors to continue non-sanctioned operations after hours.”

“When the mission has succeeded or the operation did not result in favorable intelligence, nation-state threat actors are allowed to continue to operate for personal interests. They take advantage of the foothold to extort their victim with ransomware or host frameworks for malicious activities on the victim’s infrastructure.”

In other words: while companies like Colonial Pipeline and JBS scramble to recover from a potentially catastrophic cyber strike, these moonlighting operators are not only raking in the proceeds (Colonial paid $4.4 million and meat-processing giant JBS, it was recently revealed, paid $11 million to restore operations) but are also using many victims’ networks to launch campaigns that ensnare others.

With reported ransom payments now far larger than they were a decade ago, it is a self-feeding free-for-all that is hardly going to dissuade cybercriminals from pursuing new, increasingly vulnerable targets.

The suggestion that the ransoms could effectively be danger pay, a reward for helping further the primary interests of the nation-state campaign, reinforces the view that cyberwarfare increasingly resembles conventional warfare, with similarly profound consequences.

In this paradigm, nation-state groups are the stealth bombers: they fly under the radar and conduct surgical strikes.

“While nation-state threat groups are capable of sophisticated attacks, most of their activity is composed of simple attack vectors,” Radware writes, noting that many nation-state groups emulate other groups as part of efforts to obfuscate their real origins or intentions.

“Their primary aim is to run successful missions without being identified,” the almanac notes. “These actors do not perform attacks to demonstrate capabilities; they often try to achieve a specific objective as covertly as possible.”

“Attribution of nation-state incidents is difficult, and has led to the formation of several industry groups that track activities and assign a variety of names to the same attack.”

Documenting the cyber onslaught

The sheer number of different attack groups, and of cybercrime investigators tracing their activities, has complicated the process of monitoring the cyberwarfare as it develops and morphs from one week to the next.

MITRE’s ATT&CK knowledge base has standardized the vocabulary of adversary tactics and techniques used in threat analysis, attribution and response; its catalogue of threat groups records the techniques and tools each group is known to use, along with the aliases different vendors have assigned to the same actor.

This framework has been complemented by independent indices like CrowdStrike’s eCrime Index (ECX), which the company designed as a way of measuring “the strength, volume and sophistication of the cybercriminal market” based on 18 indicators of criminal activity.

The ECX has dropped by nearly 20 percent since it was released in February, but you wouldn’t know it from the headlines, where almost-daily cybercrime activity is feeding a climate of cyberwarfare in which every American business is a potential target, and one that can only grow more significant and damaging over time.

“Whether an indicator of increased activity or related to our collective capability to detect more sophisticated and evasive attack campaigns, the visibility of nation-state activity has grown over the last few years,” the Radware analysis observed in summarizing the cyberwarfare activity of six countries: the US, UK, China, Iran, North Korea, and Russia.

Online conflicts and posturing have come to mirror those of conventional warfare, it says, noting that nation-state actors “have used technology as a lever of war, often for posturing and influence…. Cyber espionage is the high-tech version of a cold-war craft, infiltrating high-tech research facilities through a global medium with no concept of borders or regulation.”

The potential impact and scope of this new cyberwarfare climate are amplified by suggestions that many of the most aggressive ransomware actors are actually nation-state-sponsored operators who are, for all intents and purposes, pursuing a personal interest on their lunch breaks.

The blurring of motives, and the fluidity of ransomware gangs’ composition, will continue to confound analysts’ efforts to keep up with a financially motivated cybercriminal underworld that has been flexing its muscle to great effect in recent months.

By turning the lens inward, some companies are getting a better idea of how likely they are to be compromised if they fall in cybercriminals’ line of fire: Black Kite, for example, has developed a method it says predicts with considerable accuracy how likely a given company is to fall victim to ransomware.

But with authorities losing the immediacy of a decisive response in the nuanced language of geopolitical exchanges and cautious attribution — and global ransomware damage costs predicted by Cybersecurity Ventures to reach $250 billion annually by 2031 — cyberwarfare’s scorekeepers have their work cut out for them.

“Prevention is nearly impossible in a culture dependent on cyber activity where threat actors are organized,” Radware says, warning that “profits are so significant that it is nearly impossible to eliminate the threat.”

David Braue is an award-winning technology writer based in Melbourne, Australia.
