'Releasing the Hounds?' Disruption of the Ransomware Ecosystem Through Offensive Cyber Operations

Kód výsledku v IS VaVaI

<a href="https://www.isvavai.cz/riv?ss=detail&h=RIV%2F00216224%3A14220%2F22%3A00125964" target="_blank" >RIV/00216224:14220/22:00125964 - isvavai.cz</a>

Výsledek na webu

<a href="https://ccdcoe.org/uploads/2022/06/CyCon_2022_book.pdf" target="_blank" >https://ccdcoe.org/uploads/2022/06/CyCon_2022_book.pdf</a>

DOI - Digital Object Identifier

<a href="http://dx.doi.org/10.23919/CyCon55549.2022.9811074" target="_blank" >10.23919/CyCon55549.2022.9811074</a>

Jazyk výsledku

angličtina

Název v původním jazyce

'Releasing the Hounds?' Disruption of the Ransomware Ecosystem Through Offensive Cyber Operations

Popis výsledku v původním jazyce

Ransomware groups represent a significant cyber threat to Western states. Most high-end ransomware actors reside in territorial safe-haven jurisdictions and prove to be resistant to traditional law enforcement activities. This has prompted public sector and cybersecurity industry leaders to perceive ransomware as a national security threat requiring a whole-of-government approach, including cyber operations. In this paper, we investigate whether cyber operations or the threat of cyber operations influence the ransomware ecosystem. Subsequently, we assess the vectors of influence and characteristics of past operations that have disrupted the ecosystem. We describe the specifics of the ransomware-as-a-service system and provide three case studies (DarkSide/BlackMatter, REvil, Conti) highly representative of the current ecosystem and the effect cyber operations have on it. Additionally, we present initial observations about the influence of cyber operations on the system, including best practices from cyber operations against non-state groups. We conclude that even professional, highly skilled, and top-performing ransomware groups can be disrupted through cyber operations. In fact, cyber operations can even bypass some limits imposed on law enforcement operations. Even when ransomware groups rebrand or resurface after a hiatus, we suggest their infrastructure (both technical, human, and reputational) will still suffer mid- to long-term disruption. Although cyber operations are unlikely to be a silver bullet, they are an essential tool in the whole-of-government and multinational efforts and may even grow in importance in the next several years.

Název v anglickém jazyce

'Releasing the Hounds?' Disruption of the Ransomware Ecosystem Through Offensive Cyber Operations

Popis výsledku anglicky

Ransomware groups represent a significant cyber threat to Western states. Most high-end ransomware actors reside in territorial safe-haven jurisdictions and prove to be resistant to traditional law enforcement activities. This has prompted public sector and cybersecurity industry leaders to perceive ransomware as a national security threat requiring a whole-of-government approach, including cyber operations. In this paper, we investigate whether cyber operations or the threat of cyber operations influence the ransomware ecosystem. Subsequently, we assess the vectors of influence and characteristics of past operations that have disrupted the ecosystem. We describe the specifics of the ransomware-as-a-service system and provide three case studies (DarkSide/BlackMatter, REvil, Conti) highly representative of the current ecosystem and the effect cyber operations have on it. Additionally, we present initial observations about the influence of cyber operations on the system, including best practices from cyber operations against non-state groups. We conclude that even professional, highly skilled, and top-performing ransomware groups can be disrupted through cyber operations. In fact, cyber operations can even bypass some limits imposed on law enforcement operations. Even when ransomware groups rebrand or resurface after a hiatus, we suggest their infrastructure (both technical, human, and reputational) will still suffer mid- to long-term disruption. Although cyber operations are unlikely to be a silver bullet, they are an essential tool in the whole-of-government and multinational efforts and may even grow in importance in the next several years.

Druh

D - Stať ve sborníku

CEP obor

—

OECD FORD obor

50501 - Law

Projekt

<a href="/cs/project/EF16_019%2F0000822" target="_blank" >EF16_019/0000822: Centrum excelence pro kyberkriminalitu, kyberbezpečnost a ochranu kritických informačních infrastruktur</a><br>

Návaznosti

P - Projekt vyzkumu a vyvoje financovany z verejnych zdroju (s odkazem do CEP)

Rok uplatnění

2022

Kód důvěrnosti údajů

S - Úplné a pravdivé údaje o projektu nepodléhají ochraně podle zvláštních právních předpisů

Název statě ve sborníku

2022 14th International Conference on Cyber Conflict: Keep Moving

ISBN

9789916978900

ISSN

2325-5366

e-ISSN

—

Počet stran výsledku

23

Strana od-do

93-115

Název nakladatele

NATO CCDCOE Publications

Místo vydání

Tallinn

Místo konání akce

Tallinn

Datum konání akce

31. 5. 2022

Typ akce podle státní příslušnosti

WRD - Celosvětová akce

Kód UT WoS článku

000853652000006