Ransomware Hackers Are Bypassing US Sanctions With a New Trick: Rebranding

US-sanctioned ransomware hackers have learned to rebrand themselves and change their software, a strategy intended to circumvent the sanctions and make victims more likely to pay.

It’s the latest development in an emerging contest between US authorities and cybercriminals who have found ways to evade crackdowns and prop up their multibillion-dollar hacking industry.

A study published Thursday by cybersecurity firm Mandiant discovered that a notorious gang of Russian cybercriminals changed tactics almost immediately after a notice from the Treasury Department. The gang, called Evil Corp, was already under sanctions when the department announced that it was responsible for a strain of ransomware called WastedLocker.

Evil Corp quickly stopped using the WastedLocker software and developed variants of it with different names and graphics, according to Mandiant’s analysis. These new strains of ransomware were among the most prevalent over the past two years, although it was not always clear whether Evil Corp was behind them.

Kimberly Goody, director of cybercrime analytics at Mandiant, said the pivot was clearly designed to keep money flowing from US victims.

“They can kind of hide behind this very well-known public brand in order to receive payments from their victims, most of whom, quite frankly, will have no idea it’s related to a sanctioned actor,” she said.

Criminal hackers use ransomware to extort victims by encrypting their computer networks and demanding payment for a digital key to make them usable again. They also often threaten to publish the files they have stolen if a victim does not pay. The number of ransomware attacks has risen sharply during the pandemic, with hackers extorting an estimated $14 billion in cryptocurrency last year.

Last fall, the White House said Treasury Department sanctions against cybercriminals were a key element of its fight against ransomware, hoping that if American victims are less likely to pay, hackers will be less likely to attack them.

But ransomware victims rarely have any idea who attacked them other than the nickname of the software that infected their computers. If sanctioned criminals make a minor overhaul to their software, they can trick victims into believing that they are not violating the sanctions by paying.

The Treasury Department has only issued a handful of cybercrime sanctions, and they can be tricky to navigate. In September it published an advisory that Americans could face civil penalties for sending ransomware payments to a sanctioned hacker, even if the victim didn’t know their attacker was being sanctioned. Some of the sanctions against ransomware hackers are geographically broad, including against paid hackers affiliated with the Iranian or North Korean governments, even though victims likely don’t know where their attackers are coming from.

In an emailed statement, a Treasury Department spokesperson said “we encourage victims and related businesses to report incidents and cooperate fully with law enforcement as soon as possible” to minimize the risk of them being subject to civil penalties.

“Treasury continues to strongly discourage the payment of cyber-ransom or extortion demands,” the statement said.

Bill Siegel, CEO of Coveware, a company that helps ransomware victims — including sometimes helping them pay off their attackers if it doesn’t violate sanctions — said his company has noticed ransomware hackers changing the design of their programs if they were sanctioned.

“They know the brand is basically baked, and they either have to find another line, or work, or try to rebrand themselves to mask their identity and hope no one connects the two,” he said.

Siegel said he found himself repeatedly informing victims that their attackers were likely facing sanctions, even though they had changed their names.

“It’s very tough. We had to pay a lot of money to our lawyers to help us set these standards internally,” he said.

“We usually recuse ourselves from these cases because we know we can’t help them, we just say ‘Sorry, you’re in this situation, but there’s nothing we can do,'” he said. “You can make the decision to pay, but we can’t be part of it.”

Margie D. Carlisle