The concept of the nation-state hacker has fundamentally changed the conversation about ransomware, digital threat actors, and cybercrime in general. Where once the imagined spectre of the hacker was of a basement-dweller in a black hoodie stealing for their own benefit, now it is of a government funded and trained attacker specifically hacking their nation’s enemies. Cybercrime has become a proxy battlefield for international conflicts—conflicts where damage can be inflicted with minimal if any recourse available to the victim nation-state.
Now every ransomware attack is clouded with the suspicion of a nation-state behind it, seeking to cause disruption. This week in particular saw plenty of headlines with this very theme connecting them. Here are the two you need to be most aware of:
White House Announces Russia Behind NotPetya
Yesterday, the Trump Administration confirmed that the NotPetya ransomware epidemic from 2017 came from Russian intelligence agencies. Authorities from the United Kingdom had already made similar allegations. In their statement, the White House claimed Russia’s motivation was to destabilize the Ukraine and that there would be “international consequences.”
The promise of international consequences is of particular note; part of the motivation for nation-state actors taking to the web for their strikes against others is that no country would risk physical confrontation over a ransomware attack. Therefore, it will be interesting to see if, and how, any consequences manifest. Possibly it could be a reactionary cyberattack against Russia in an eye-for-an-eye approach.
The NotPetya episode also shows how diverse ransomware can be in its aims and in the kinds of damage it can inflict on nation-states. NotPetya was not as interested in obtaining money as it was in deleting critical data, disrupting businesses, and damaging infrastructure in the Ukraine and around the globe.
North Korean Ransomware Spun Out of Control
Much of the collateral damage from the attacks originating in North Korea—including WannaCry, Faedevour, and JML Virus—was due to the malware spreading out of their creators’ control. Research from SIEM vendor AlienVault, analyzing anonymized data collected from their clients, identified commonalities between the attacks and concluded that they all resulted in more harm than was most likely intended.
This is one of those conundrums we’re going to have to prepare for in cybersecurity: once ransomware is out in the wild, it will continue to change hands and evolve in new and possibly more perilous directions; AlienVault noted in a previous report the recurrence of older ransomware families and exploits. Nation-state threat actors are creating ransomware without thinking of the consequences—they see it as a blank check for proxy wars—but those consequences will be difficult to predict and difficult to properly secure against. Without some kind of international regulation dictating nation-state behavior online, ransomware could spiral out of control and cybersecurity teams could be scrambling to protect against attacks from their own countries…if they aren’t already.
Latest posts by Ben Canner