How Can the DOJ and Cybersecurity Companies Collaborate in Fighting Cybercrime?


A cybercrime happens when an attacker uses computer systems to commit fraud, steal data, or engage in any other kind of illegal activity. According to data from Atlas VPN, in Q1 2021, hackers collected over $100 million in blockchain-based attacks, and ransomware was largely to blame for 81% of all financially driven attacks in 2020.

The Department of Justice (DOJ), which enforces federal law in the United States, has recently taken a much more aggressive stance against cybercrime. As a result, the DOJ and cybersecurity are becoming closely linked and attackers are having to contend with the force of the U.S. government—in addition to the security measures put in place by the individuals and organizations they are trying to target.

The DOJ has dedicated a specific unit to addressing online crime, called the Cybersecurity Unit. Its goal is to protect the computer networks of organizations, as well as individual users, from malicious actors. The Unit reaches out to private organizations to help ensure they are implementing safe cybersecurity practices.

The DOJ Catches the Kaseya Attacker

One of the DOJ’s recent victories against hackers, the arrest and indictment of an attacker responsible for the ransomware assault against Kaseya, underscores both the potency of ransomware attacks and the effectiveness of the department’s anti-cybercrime initiatives. The DOJ partners closely with the Cybersecurity and Infrastructure Security Agency (CISA), and this was key in bringing the attackers to justice. 

Kaseya is an IT management and cybersecurity software provider based in Miami, Florida. Their Kaseya Virtual System Administrator (VSA) is a remote monitoring and management (RMM) solution developed for managed service providers (MSPs).

Twenty-two-year-old hacker Yaroslav Vasinskyi, a Ukrainian national, targeted Kaseya with ransomware on July 2, 2021. Vasinskyi gained access to the internal networks of multiple companies, including Kaseya. He then deployed ransomware by the name of REvil, also known as Sodinokibi. REvil had two core functions—it blocked files on the victim’s computer and automatically sent a ransom request message that instructed the victim to pay in bitcoin. Also, if the ransom wasn’t paid by a specific time, the amount the victim had to pay doubled.

The Kaseya Attack and Resolution, Step by Step

Here’s how events unfolded in the Kaseya attack:

  • On July 2, 2021, several managed service providers (MSPs) got hit with ransomware, and it was quickly discovered that the one thing they all had in common was that they all used Kaseya VSA.
  • Thousands of endpoints associated with a variety of companies were affected, and Kaseya shut down its Software-as-a-Service (SaaS) servers to prevent further damage. CISA issued an alert on the same day. It included a message from Kaseya: “We are experiencing a potential attack against the VSA that has been limited to a small number of on-premise customers only as of 2:00 PM EDT today.”
  • On July 4, 2021, the White House confirmed a joint effort between CISA, the FBI, and Kaseya to investigate the attack. CISA and the FBI also provided guidance for MSPs regarding how to mitigate the attack. Kaseya, for its part, released a VSA detection tool that MSPs could use to figure out whether their RMM software had been attacked.
  • By the end of July 4, investigators had discovered that the attack had impacted between 50 and 60 companies across at least 17 countries.
  • On July 5, it was revealed that the ransomware group that launched the REvil attack was demanding $70 million worth of bitcoin. In exchange, they would provide a tool that would decrypt any systems that had been impacted.
  • By July 10, whistleblowers alleged that Kaseya had been warned of security flaws as many as six years before the attack. Meanwhile, the damage continued to spread, affecting local governments, grocery stores, and many other customers that depended on Kaseya VSA.
  • The REvil group’s websites went offline, but the FBI and CISA declined to comment on whether or not they played a role in taking down the sites.
  • On July 22, 2021, Kaseya revealed that they obtained a universal decryptor key that companies could use to regain control of their systems. On July 26, Kaseya said they did not pay a ransom to get the key, and it was unclear how it was obtained.
  • In March 2022, Vasinskyi got extradited and then arraigned in Dallas, Texas.

The Cybersecurity Community Reacts to the Kaseya Attack

Cybersecurity companies, such as DriveLock and Coretelligent, claim the attack could have been avoided. They explain that measures such as a “decent endpoint security solution” or “security scanning (antimalware, antivirus), DNS/web filtering, intrusion detection and prevention (IDS/IPS), and geo-blocking” could have been used to prevent the attackers from gaining a foothold in the systems they penetrated.

Rising Number of Cybercrimes During the Pandemic

Attackers have been taking advantage of the COVID-19 pandemic situation, actively crafting attack methods specifically designed to leverage the fear of citizens and thwart organizations’ efforts to combat the pandemic or enable remote work environments.

For example, criminals have created malicious domains that include the terms “coronavirus” or “COVID-19” in an attempt to draw in visitors looking for information about the disease or how to get vaccinated. These are then used to distribute malware or spam.

Ransomware attacks have also been on the rise, particularly against hospitals and other healthcare organizations. These assaults lock victims out of their systems, preventing them from serving patients or accessing the resources needed for vaccine research. The Scripps Health cyberattack in May 2021, for instance, resulted in the theft of some patient data, almost four weeks of electronic health record (EHR) downtime, and an estimated $112.7 million in revenue loss and incremental costs.

DOJ Action Against Cybercrime Post-COVID

The DOJ continues to be on the lookout for various forms of cybercrime, particularly ransomware, which has forced many companies to pay thousands—even millions—of dollars to hackers to regain control of their systems. The DOJ has specifically targeted the Netwalker ransomware, a Ransomware-as-a-Service (RaaS) offering in which Netwalker developers split the ransom money with hackers who use Netwalker to target victims.

The department has been using the full force of the law to identify and apprehend the hackers involved in this scheme and has been able to recover funds that victims paid to get their systems or data back. A ransomware affiliate who walked away with $28 million has since been charged, and approximately $455 million in cryptocurrency from ransom payments has been seized.

Recovering crypto payments, in this case, was significant. Cryptocurrency has traditionally been very difficult to retrieve due to the anonymity of those who hold, spend, and accept it as payment. Lifting the cloak shrouding crypto-based payment methods represents a powerful step towards disrupting the financial ecosystem of attackers, especially because RaaS providers depend on anonymous payment systems to hide transactions.

Collaboration Between Security Companies, the DOJ, and Government Agencies

Cybersecurity companies are collaborating with the DOJ and other branches of government in the fight against cybercrime in a few different ways. One is ensuring that adequate mechanisms are in place to protect government systems. Cybersecurity is national security, after all.

For example:

  • Cisco has been helping government agencies modernize their cybersecurity defenses through its various security offerings.
  • Palo Alto Networks has federal cybersecurity solutions for agency-wide protection of sensitive data.
  • Fortinet offers state and local governments advanced solutions for safeguarding their digital assets and critical infrastructure.

Cybersecurity companies also support the DOJ’s efforts by participating in roundtable discussions. The department depends on the expertise and boots-on-the-ground perspective of private security companies to inform its strategies and tools.

Are We Ready for the War on Cybercrime?

To win the war against cybercrime, organizations need a strategy, and this can involve several tactics, many of which are nearly identical to those used in traditional warfare. However, if organizations presume that all they need is some good antivirus software and a firewall, then criminals still have the advantage.

To gain the upper hand, organizations must:

  • Understand the business of cybercrime: Many cybercriminals are focused on financial as opposed to geopolitical payoffs, so the first step in combatting these threats is to understand the motivation behind attacks. Hackers sell sensitive data, exploit companies using various forms of attack, and—as is the case with RaaS—sell hacking tools to other criminals.
  • Comprehend the cybercrime supply chain: Similar to the supply chains that provide enemy troops with food, fuel, and weaponry, there are digital chains that supply cybercriminals with zero-day exploits and malware. Disrupting the flow of these cyber weapons thwarts criminal efforts.
  • Learn about the different kinds of attacks: The principle of “know thy enemy” applies equally to the physical and cyber battlefields. Investing time in studying the attack vectors and surfaces criminals take advantage of delivers a high ROI in terms of battle intel. While there are many attack methods and technologies, understanding how to prevent what’s there puts you in a powerful position to defeat threats.

The DOJ has powerful allies in the various security companies dedicated to developing, distributing, and maintaining security solutions for organizations all around the world. As these tech companies have already demonstrated, they can help the DOJ wage war against actors threatening the security and integrity of its own infrastructure, thus better positioning the department to defend others.
