Over the last few years, there has been an ongoing debate surrounding the topic of hacking back. While this is a mixed field of emotions and opinions, it has become clear that current strategies have not been able to prevent the growth of the threat landscape. In the last year alone, Ransomware attacks have surged, and we have already seen more DDoS attacks at this point in the year than all of 2020. This rise in cybercrime has left many wondering if taskforces, sanctions, and other political approaches accomplish anything.
Let me be clear, while I’m not advocating for companies or vigilantes to hack back, I am suggesting that our offense needs to stop riding the bench on this one and become more active. We need real and meaningful actions. We need to ask ourselves, can offensive cyber campaigns have a significant impact on the threat landscape? And if not, what other options do we have to deter and undermine cybercriminals?
Notifications in the Netherlands
Last month the Dutch Police sent letters to 29 Dutch residences warning that they had been identified as users of a DDoS-for-Hire service, Minesearch.rip.
We have registered you in our system and you will now receive a final warning. If new similar facts arise in the future, we will proceed to prosecution. In that case, take into account a conviction, criminal record and the loss of your computer and / or laptop.
— Dutch Police
These letters should come as no surprise to the customers, given that the Dutch Police raided and seized devices from the homes of the two men suspected of operating the DDoS-for-Hire site in July 2020. The case was initially picked up at the beginning of 2020 after a gaming company filed a complaint against the booter service. Several other victims were identified due to the inquiry, and an investigation was launched against the two suspects.
But this is not the first time Law Enforcement has gone after users of DDoS services. In 2019, Europol and the Joint Cybercrime Action Taskforce (J-CAT), with the support of the Dutch Police and the British National Crime Agency, targeted the users of the largest stresser service at the time, Webstresser.org. Europol reported that in the United Kingdom, several DDoS service users were visited by the police and had their devices seized. They also noted that the UK Police were engaged in ‘live operations’ against other DDoS users, with another 250 users who would soon face legal action due to the damage they caused using a DDoS-for-Hire service.
Going further back, in 2016, Europol working with Law Enforcement Agencies around the world carried out a coordinated action against users of DDoS-for-Hire services that resulted in 34 arrests and 101 suspect interviews.
So, have notifications, enforcement campaigns, and offensive operations had a meaningful impact on the DDoS threat landscape? The harsh truth: no. Enforcement and offensive campaigns have had minimal impact on the DDoS threat landscape. Recently Radware reported stopping 75% more DDoS attacks in the first nine months of 2021 versus 2020. In addition to this increase, our researchers also noted a rise in DDoS services in 2020 during the pandemic, signaling the problem is only getting worse despite numerous attempts to prevent the growth of the DDoS threat landscape.
Enforcement in Ukraine
Last month, the Secret Service of Ukraine (SSU) arrested a man for creating and running a botnet with over 100,000 infected nodes. The operator allegedly leveraged the botnet to send spam and conduct DDoS attacks as a DDoS-for-Hire service. The botnet also possessed the capability to propagate by scanning for vulnerable devices and exploiting them. The suspect is also accused of engaging in email-based brute force attacks and advertised his DDoS service on closed forums and Telegram.
Additionally, two months ago, the Cyber Police of Ukraine arrested two men suspected of spreading ransomware payloads. In total, seven properties were searched during the raid. The police also seized $375,000 in cash, two cars, and $1.3 million in Cryptocurrency. The two are accused of launching more than 100 attacks, resulting in over $150 million in damages since April 2020, leading some experts to believe the suspects may be associated with REvil.
So, we have to ask ourselves again, have enforcement campaigns and offensive operations had a meaningful impact on the threat landscape in Ukraine? Once again, the harsh truth: no. Enforcement and offensive campaigns have had minimal impact on the Ukrainian threat landscape. And this should come as somewhat of a surprise given that law enforcement agencies in Ukraine are very aggressive toward cybercriminals. Almost every month, there is news about a raid in Ukraine related to cybercrime, yet threat actors are still very active in the region.
The United States Strikes Back
The ransomware group REvil returned to the threat landscape at the beginning of September after shutting down their service on July 13th following the Kaseya Ransomware attack. The return came as somewhat of a surprise to the security industry for several reasons. First, the departure of REvil was messy at best. The Kaseya Ransomware attack generated a wave of victims that flooded REvil. Second, they also suffered political blowback as a result of the attack. And third, typically, when Ransomware operators come back, they rebrand themselves. REvil operators not only returned using the same moniker, but they also returned using the same infrastructure as before, a very bold move considering REvil left without paying their affiliates, breaking the notion that there is honor among thieves.
Despite the reputation and theft issue, things took a turn for the worse very quickly for REvil. It wasn’t long before the new REvil admin announced on an underground forum that a third party had compromised their Tor-based portals after the REvil domains were taken offline. On October 21st, Reuters reported that the US government had launched an offensive campaign to knock REvil offline. Previously, US law enforcement had compromised REvil’s backups. When the new admin restored the infrastructure from the previous backups, he restarted internal systems controlled by law enforcement.
So, once again, we have to ask ourselves, did offensive operations against REvil have a meaningful impact on the threat landscape? Yes and no. The threat of Ransomware did not diminish, and the operators can still rebrand and return to the landscape, but it did cause an unusual reaction in the underground Ransomware community.
Ransomware Community Reacts to REvil News
The news of the United States’ offensive operation against REvil resulted in an almost immediate response from several Ransomware groups. These responses showed that the cybercriminals behind these Ransomware groups were emotionally compromised over the REvil takedown and feared further offensive campaigns.
The Ransomware group known as Conti posted a long rant commenting on the US government’s actions against REvil on their Ransomware PR site. The group, known for encrypting and extorting organizations and government agencies worldwide, used colorful wording such as ‘bandit-mugging behavior’ to describe the US government’s actions against REvil. They even questioned whether the US had a law to prevent government agencies from hacking back.
The Ransomware group known as Groove also posted several rambling comments on their PR sites. In their posts, Groove called for extortion gangs to target the US public sector in response to the REvil takedown. The group also suggested that other gangs avoid targeting China, as the country might serve as a safety net for the criminals if Russia decides to take a stance against Ransomware operators. Groove also posted a $30,000 bounty on TheRecord.media in response to negative coverage by the media outlet.
The most interesting reaction, though, goes to BlackMatter. BlackMatter, previously known as Darkside, moved 107 BTC six hours after the Reuters article was published. Per Omri Segev Moyal, the group moved Bitcoin connected to the Colonial Pipeline Ransomware attack, a move that was likely executed to mitigate a total loss if US law enforcement was actively targeting the group with an offensive operation.
Is Hacking Back Gaining Traction?
In my opinion, hacking back is gaining traction, but on a limited scale. Countries worldwide appear to be participating in offensive operations to gauge the response and impact on the threat landscape and, in some situations, as a deterrent for future aggression. For example, the Dutch Government recently said that it would use its intelligence or military service to counter cyber attacks that threaten national security. Additionally, GCHQ in the United Kingdom said it wants to deploy its National Cyber Force to hunt cyber criminals with offensive cyber campaigns. As for the United States, I think it’s clear they are willing to engage in offensive operations against cyber criminals, but is the impact meaningful?
It’s fair to say we are losing the battle and that organized cyber gangs are here to stay. There is too much money on the table for them to walk away, a problem that often leaves cybercriminals with more money and resources than the defenders. To make matters worse, we rarely hear about operations or actions against our aggressors, yet every day, we are bombarded with a news cycle that reminds us that cybercriminals are winning.
While general notifications and enforcement have minimal impact on the threat landscape, I think the same, to an extent, can reasonably be said for offensive operations given the recent examples. But don’t get me wrong, I think offensive operations have a place in future security strategies from a national perspective. While the impacts might not be noticeable, they cause reactions inside the criminal community, resulting in responses that can be leveraged.
You cannot win a game sitting on a bench, and you can’t win with a defense-only strategy. Eventually, you’re going to have to fight back.