EclecticIQ Threat Research Team
October 26, 2021

The Analyst Prompt #38 Fake Media; Regional Ransomware Cooperation Framework


New and Noteworthy: Fake Media Will Likely Become a Mainstream Tactic in 2022

Cybercriminals used technology to recreate or clone the voice of the director of a bank in the U.A.E. so that a bank manager would authorize a transfer of $35 million to cybercriminals, under the pretext of a new acquisition (1). Reporting indicates they spoofed both voice and email, which could count as successfully subverting multi-factor authentication. Investigators believe the threat actor group comprised at least 17 people.

The attack represents an evolved form of a classic BEC (Business Email Compromise) scam; only this time voice is the primary medium for the attack. Voice cloning is well suited to this type of attack because it is more convincing and immediate. There is low risk of being caught once the criminals receive the transferred money, so BEC and social engineering scammers are very likely to be early adopters of unproven new attack vectors such as this. EclecticIQ analysts expect cybercriminals will rapidly adopt voice and visual cloning technologies in new attacks, first in financially motivated cybercrime and next in highly strategic APT attacks. There are many social engineering opportunities to which this can be applied. Most people lack the training or protocols needed to recognize spoofed audio and video.

Policy and Governance: Escalating Threat of Ransomware Will Drive Regional Cooperation to Address Attacks in Lieu of a Global Framework

Data from Check Point indicates a current surge in both ransomware infections and botnets able to deliver ransomware since the Covid-19 pandemic began in early 2020, with companies in North America experiencing the highest growth in attack volume (2). EclecticIQ analysts note that an annual relative increase in ransomware occurred last year at this time, but was largely aimed at the US education sector (3). The attack increase this year is occurring across a broader set of industries. Another significant sign of ransomware escalation comes from the US disclosure of four ransomware attacks against water facilities in the past two years (4). The public disclosure contains the largest number of ransomware attacks against US critical infrastructure announced at one time.

Pressures from ransomware led the US and 30 other countries to meet virtually for an introductory forum on how to better address ransomware (5). The absence of an invitation to China and Russia is a strong signal that regional coalitions to combat ransomware syndicates are likely to form instead of global efforts. New policies resulting from regional coalitions will very likely involve cross-border law enforcement cooperation, reporting of ransomware attacks, and accountability policies aimed at tracking and disincentivizing ransom payment. Cooperation among smaller groups of states in dealing with ransomware is likely to be effective at restricting ransomware attacks because cooperative policy will likely aid law enforcement operations against ransomware threat actors across borders.

Individually, the Netherlands announced it is escalating its response to ransomware against critical infrastructure and national security (6). The government plans to prioritize prevention, attribution, and response to critical ransomware incidents. The announcement is likely aimed at deterrence, in an effort to protect the Netherlands' tech startups and vulnerable businesses. Ransomware attacks against critical industry could possibly have a greater impact in the Netherlands than they would have on a larger nation with a larger distributed infrastructure and resources. EclecticIQ analysts note it remains extremely difficult to establish firm attribution for state-linked ransomware attacks, making formal military and diplomatic channels nearly impossible to work through. Given this fact, it is unclear how the escalated efforts will be directed. The Dutch government stated it is prepared to share further specific intelligence on ransomware with private businesses.

It has been widely observed that many ransomware families specifically avoid targeting Commonwealth of Independent States (CIS) countries via language-based whitelists that prevent malware installation (7). It has been strongly speculated that the Russian government turns a blind eye to attacks that operate outside of the CIS region (8). This intolerance of local ransomware attacks has led ransomware syndicates to avoid targeting countries of the CIS region. If other countries express similar intolerance via regional frameworks that make it easier to prosecute operators, then overall ransomware operations may become more scarce because law enforcement will be able to more readily disrupt operations.

Regional cooperation against ransomware may force ransomware syndicates to expand similar blanket-style whitelists in their ransomware operations to avoid being targeted and shut down by law enforcement (as the REvil group has now experienced twice (9)). Ransomware gangs shut down operations if law enforcement pressure resulting from specific ransomware attacks reaches certain thresholds. The shutdowns greatly affect operations and profit. If ransomware whitelisting against certain regions expands, it could restrict the growth potential of currently operating ransomware families and establish reverse incentives for the development of new ransomware families.

About EclecticIQ Threat Research

EclecticIQ is a global provider of threat intelligence, hunting and response technology and services. Headquartered in Amsterdam, the EclecticIQ Threat Research team is made up of experts from Europe and the U.S. with decades of experience in cyber security and intelligence in industry and government.

We would love to hear from you. Please send us your feedback by emailing us at research@eclecticiq.com.

Appendix.

  1. https://www.forbes.com/sites/thomasbrewster/2021/10/14/huge-bank-fraud-uses-deep-fake-voice-tech-to-steal-millions/
  2. https://www.darkreading.com/attacks-breaches/north-american-orgs-experience-497-attacks-per-week-on-average-currently
  3. https://securityintelligence.com/posts/ransomware-2020-attack-trends-new-techniques-affecting-organizations-worldwide/
  4. https://us-cert.cisa.gov/ncas/alerts/aa21-287a
  5. https://therecord.media/u-s-convenes-30-countries-on-ransomware-threat-without-russia-or-china/
  6. https://securityaffairs.co/wordpress/123113/security/the-netherlands-war-ransomware-operations.html
  7. https://www.trendmicro.com/en_nl/research/21/e/what-we-know-about-darkside-ransomware-and-the-us-pipeline-attac.html 
    https://securelist.com/synack-targeted-ransomware-uses-the-doppelganging-technique/85431/
  8. https://carnegieendowment.org/2018/02/02/why-russian-government-turns-blind-eye-to-cybercriminals-pub-75499
  9. https://www.secureworks.com/blog/revil-ransomware-reemerges-after-shutdown-universal-decryptor-released 
