REvil has re-branded and committed to spare critical infrastructure from its attacks, but will this be enough to set back the rising tide of government action against ransomware hackers?
The summer of 2021 could turn out to be pivotal for ransomware. High-profile attacks against critical infrastructure and healthcare organisations, like Colonial in the US or HSE in Europe, drove the issue to the top of everyone’s agendas – including those in the corridors of power. Both the White House and the European Commission responded, which could be the start of a concerted global effort to address the ransomware blight.
These early overtures might have been enough to send waves through certain sectors of the hacking community. Within weeks, REvil appeared to have packed up, marking the end of one of the most successful ransomware operations in the world.
But was it really the end, or was this just a marketing stunt? Rising from the ashes of REvil is Black Matter, a collective bearing a startling resemblance to REvil but committing to refrain from attacking the kind of organisation that caused legislative attention to turn on its predecessor. Is a pledge only to steal from the rich enough to put the genie back in the bottle, though? Or will global authorities maintain their crusade against ransomware?
At first blush, it’s hard to imagine a climbdown. Attacks on national critical infrastructure brought public sentiment into alignment with the long-held desire of big business for governments to act. That’s a heady combination. And, having spoken out in defence of victims, how can officials roll back that stance?
Similarly, people at large have realised how vulnerable they are, and governments are on record recognising the risk. For them to now do nothing could reflect very badly in the event that a truly life-threatening attack takes place in the future.
On the other hand, many official bodies may be looking for an easy way out of a situation that’s harder to deal with than they may have first thought. No one yet has really come up with a workable plan to control ransomware through legislation.
Banning payment isn’t the easy solution it may seem. Outlawing the payment of ransoms could force hackers to focus in on those organisations that would have to pay, even in defiance of the law. For example, hospitals could be forced to choose between paying and letting people die for lack of access to their records or medical apparatus.
Equally, banning payment wrongly criminalises the victim. It’s akin to making it illegal to surrender your cash if someone mugs you. You can’t send someone to jail for someone else’s criminal attack.
And the alliance of public and business goals is likely to be short-lived if Black Matter is able to position itself as a kind of “cyber Robin Hood” – albeit one that robs from the rich without actually giving anything to the poor. Public outcry is likely to wane without the queues trailing to the petrol stations or the empty supermarket shelves.
Realistically though, can Black Matter live up to the brand that it wants to create for itself? With the best will in the world, once you’ve created a monster, you can’t expect to be able to control it. So, even if Black Matter doesn’t intend to attack critical infrastructure, it can’t guarantee that its malware won’t end up taking down a power station.
And the promise to release the decryption code for free to any accidental victims of this nature isn’t exactly the silver bullet they might make it out to be. How quickly could a hospital expect to be up and running again, even with the decryption code? It’s unlikely to be fast enough to avoid any harmful consequences.
For this reason alone, it seems like it’s going to be impossible for Black Matter to put the genie back in the bottle altogether. A future attack on critical infrastructure is almost inevitable and the international community has to act to protect against that.
What Black Matter may have done, though, is buy itself – and the hacking community at large – more time. Taking the edge off the urgency of action gives policy makers time to breathe and think through their options.
And that time is all that the hackers need in order to keep their scams going with businesses that drive their income. Organisations should be prepared to continue to take responsibility for their own protection for a good while yet, which means doubling down on security and data protection.