Cyber_Bytes - Issue 50
Welcome to Cyber_Bytes, our regular round-up of key developments in cyber, tech and evolving risks.
HM Treasury Office of Financial Sanctions Implementation (OFSI) releases fresh guidance on ransomware and sanctions
The OFSI has reiterated that payment of ransomware demands could constitute a breach of financial sanctions, carrying heavy penalties. Nevertheless, new guidance published by OFSI provides some comfort for organisations that find themselves in a position where paying the ransom appears to be the only choice available. Several mitigating factors will be taken into account when assessing a ransom payment in a ransomware situation which is discovered after the event to have been in breach of financial sanctions. Those factors include the following:
- Early reporting and cooperation with law enforcement (including Action Fraud and the NCSC) and regulatory bodies (such as the ICO).
- Early self-reporting if it becomes suspected that a payment was made to a designated individual or organisation.
- Carrying out appropriate checks at the time of payment, as far as it is possible to do so, to ensure the transfer is not made to a sanctioned entity.
This new guidance should be welcomed by organisations faced with the undesirable option of having to pay a ransom demand. While enforcement is still a possibility in those situations if the payment turns out to have been made to a designated individual or organisation, the guidance from OFSI indicates that fines or criminal sanctions are less likely if the mitigating steps set out in the guidance have been followed.
Click here to read the OFSI guidance post.
LockBit releases entire negotiation history with Royal Mail
High profile ransomware organisation LockBit recently leaked the entire negotiation history between it and Royal Mail International, revealing a ransom demand of $80 million.
This rare release sheds light on key negotiation tactics from the National Cyber Security Centre (NCSC) and the National Crime Agency (NCA) when dealing with threat actors.
LockBit set the ransom at £65.7 million, a sum it calculated to be 0.5% of Royal Mail International's annual revenue. They also went on to say that this was eight times less than the cost of a regulatory fine in the UK.
Royal Mail International's negotiator relayed the message that "under no circumstances will we pay you the absurd amount of money you have demanded". Royal Mail has never publicly confirmed that the cyber incident it suffered was ransomware in nature, or even an ‘attack’, despite sources speaking to multiple news outlets indicating that to be the case. The NCSC and the NCA have both confirmed their involvement in assisting with the attack. LockBit initially distanced itself from the incident but has admitted that one of its affiliates carried out the attack.
Click here to read the full IT Pro article.
UK cracks down on ransomware actors
On 9 February the UK, in collaboration with the US Government, sanctioned a group of seven Russian criminals in the first wave of new coordinated action against international cybercrime. UK Foreign Secretary James Cleverly said: "By sanctioning these cyber criminals, we are sending a clear signal to them and others involved in ransomware that they will be held to account". The NCA assessed that the sanctioned group was responsible for extorting at least £27 million from 149 UK victims, including hospitals, schools, businesses and local authorities, although their full impact is believed to be much higher.
National Crime Agency Director-General Graeme Biggar called the crackdown a hugely significant moment for the UK and collaborative efforts with the US to disrupt international cyber criminals. It is highly likely that the recently sanctioned individuals evolved from previous cyber organised crime groups and likely have extensive links to other cyber criminals, notably EvilCorp and those responsible for Ryuk ransomware. NCA's CEO Lindy Cameron confirmed that, “ransomware is the most acute cyber threat facing the UK, and attacks by criminal groups show just how devastating its impact can be". By working with key partners, the NCSC is helping to "improve collective resilience".
Click here to read the NCA article.
NCA takes down HIVE ransomware organisation
In association with the FBI and German law enforcement, the NCA has taken down servers used by the HIVE ransomware group. Anyone attempting to access HIVE infrastructure will now be met with a law enforcement splash page, explaining that the network has been seized and is no longer available for use.
HIVE resources were previously available on the dark web, allowing users to deploy ransomware attacks on their targets. From June 2021, the HIVE ransomware group had targeted over 1,300 victims, receiving more than $100m in ransom payments. The FBI developed the capability to avoid HIVE encryption, and NCA investigators supported a number of victims in the UK in removing the impact of the ransomware from their systems. Paul Foster, Deputy Director of the NCA’s National Cyber Crime Unit, commented that, while HIVE was a service which enabled cyber criminals to steal millions from businesses across the globe, with several UK organisations suffering significant disruption and financial losses, the combined might of international law enforcement is "a tremendous example of action to take down illegal IT infrastructure".
Click here to read the NCA article.