Sanctions against Trickbot-Ransomware-Group - Payments now punishable

The US and UK have sanctioned seven Russian nationals allegedly involved in Trickbot - one of the most high-profile cybercrime groups in the world. Companies whose data has been hijacked by Trickbot’s ransomware operations may be losing their last hope – they can no longer pay to decrypt their data because doing so could lead to harsh legal consequences. This is another signal that companies must focus more on cyber resilience.

The Trickbot group is suspected of having carried out the malware attacks known as Conti and Ryuk. The UK Government said at least 149 people and businesses were affected  and had lost around £27m. With the sanctions against the seven leading members of Trickbot, both countries are not only increasing the pressure on ransomware attackers but on those that would otherwise pay to recover their data.

Such sanctions are enforced through the UK government and US Office of Foreign Assets Control (OFAC), the controlling agency of the US Treasury Department. OFAC treats sanctions violations as a serious threat to national security and foreign relations. As a result, offenders face fines - from a few thousand dollars to several millions - and prison terms of up to 30 years.

So far, there is no precedent for ransomware payments and sanctioned individuals. But OFAC's handling of other cases gives some insight into possible consequences. Violators of the International Emergency Economic Powers Act face fines of $308,000 per violation. Violators of the Foreign Narcotics Kingpin Designation Act were fined $1.5 million per violation. Firms penalised included big names such as UniCredit Bank, ZTE Corporation, Standard Chartered, Crédit Agricole, Société Générale and BNP Paribas. In some cases, fines of more than 1 billion US dollars had to be paid.

Cyber resilience instead of ransom

It is to be expected that Western authorities will increase their pressure on other ransomware groups. Companies impacted by ransomware won’t be able to buy their hijacked systems free without additional threats of massive legal action. The part of cyber insurance that covers possible ransomware payment then loses its appeal and value.

So far, most CISOs have focused their budgets on building high walls of defence. According to a global cybersecurity study by Deloitte, 80% of their resources are dedicated to defence, with only 20% going to mitigation. Those responsible should shift their focus more to cyber resilience - that is the ability to maintain the most important elements in operation even during a successful attack and to be able to analyse the attack at the same time. These disciplines are defined in the NIST cybersecurity standard framework and the steps 'Protect; Recognise; React; Restore' summarised.

Modern data security and management solutions can cover these disciplines by regularly storing backups of all production data in snapshots. In the past, companies viewed such backups as their insurance against loss, theft or corruption of data. Cyber attacks changed that view forever, as backup is now the ultimate insurance policy against cyber attacks, helping key security operating processes and security analysts do their job.

The snapshots depict the life cycle of live data and show their status from yesterday, the last week and the last month or even the last year. Security teams can work in tandem with IT infrastructure teams in a cyber vaulting scenario so recovered systems are restored only in a hardened state.

Security teams can also use their forensic analysis to detect artefacts from cyberattacks and track the path of the attackers. This will allow them to detect configuration changes, new fake accounts or malware fragments in the snapshot files.

Evidence of controls and evidence later

Comprehensive cyber insurance policies can help fund critical investments in experts, replacement hardware, and other services in the event of a loss. However, the providers now require interested companies to prove a number of measures and meet criteria in order to qualify for cyber insurance. These requirements concern both technical and Training and Process Issues.

Anyone who exceeds these criteria with technical approaches such as a data security and management concept, for example by being able to isolate data using an air gap, will ideally benefit from low contribution payments. In addition, in the event of a successful attack, companies will be able to prove that they had installed all the necessary control mechanisms. Because the reconstruction via the snapshots will provide the necessary evidence, even if important production data was deleted, manipulated or encrypted during the attack. These technical documents will be important evidence for the injured company in legal questions.

Outlook: State-controlled attacks to be expected

The success of the many ransomware operations over the past 12 months has meant that other attack scenarios such as wiper attacks have been pushed into the background. It will be interesting to see how the leaders of these cybercriminals, for example, will reorient themselves from Russia as their main line of business is progressively shut down.

The number of wiper attacks with political and military motives has increased massively because of the Ukraine war. A total of 17 different variants of wiper attacks have been launched against Ukraine in the past few months. It is quite conceivable that the actors will now become more involved in this field and expand their attacks on targets and critical infrastructure in countries that directly or indirectly support Ukraine.

Against this background in particular, it is all the more important to strengthen cyber resilience on the Internet. So that when an attack occurs, both the IT team and security teams work closely together, keeping critical services alive while security teams can analyze the attack in the background. This is the only way we as an economy and society can survive against cybercriminals and their attacks.