Tue | Oct 26, 2021 | 12:53 PM PDT

Earlier this week, SecureWorld reported on the takedown of the infamous REvil ransomware gang's "Happy Blog," which it uses to publish stolen information.

The FBI and other global law enforcement agencies worked together on this case: they compromised backups that the gang later restored, which gave authorities access to REvil's internal systems, a tactic the gang itself has often used against its victims.

And following the successful bust, other ransomware operators expressed their displeasure with the "bandit-mugging behavior of the United States in world affairs."

On Dark Web posts, they pointed out what they believe to be a hypocritical situation, calling the United States federal government "the biggest ransomware group of all time."

Unfortunately for the U.S. government and companies based in the U.S., many other cybercriminals have similar feelings.

Groove ransomware calls for attacks on U.S. interests

Following the REvil shutdown, the Groove ransomware group posted on a Russian-language forum, pleading with other ransomware operators to turn their attention to the U.S., according to Bleeping Computer.

Here is the translated and censored message:

"In our difficult and troubled time when the US government is trying to fight us, I call on all partner programs to stop competing,
unite and start **cking up the US public sector, show this old man who is the boss here, who is the boss and will be on the Internet.

While our boys were dying on honeypots, the nets from rude aibi squeezed their own... but he was rewarded with higher and now he will go to jail for treason, so let's help our state fight against such ghouls as cybersecurity firms that are sold to amers, like US government agencies."

The group also seems to be preparing a backup plan, should their home state of Russia choose to condemn these actions for political purposes:

"I urge not to attack Chinese companies, because where do we pinch if our homeland suddenly turns away from us, only to our good neighbors - the Chinese! I BELIEVE THAT ALL ZONES IN THE USA WILL BE OPENED, ALL **OES WILL COME OUT AND **CK THIS **CKING BIDEN IN ALL THE CRACKS, I myself will personally make efforts to do this."

With REvil offline, other known ransomware operators began ranting on the Dark Web. NBC News did a search and found this comment from the Conti ransomware gang:

"First, an attack against some servers, which the U.S. security attributes to REvil, is another reminder of what we all know: the unilateral, extraterritorial, and bandit-mugging behavior of the United States in world affairs.

With all the endless talks in your media about 'ransomware-is-bad,' we would like to point out the biggest ransomware group of all time: your Federal Government."

And they questioned the recent U.S. involvement in this type of cyber action:

"Is there a law, even an American one, even a local one in any county of any of the 50 states, that legitimizes such indiscriminate offensive action?" the author wrote.

NBC News says another group wrote the following:

"Only time will tell who the real bad guys are here."

If these malicious threat actors do begin attacking U.S. targets at an unprecedented rate, is your organization prepared?

U.S. organizations need to prepare for ransomware

With the looming threat of ransomware hanging over organizations in the U.S. and around the world, now is the time to take a fresh look at your ransomware mitigation strategy.

Though some cyberattacks are the work of a sophisticated threat actor, more often than not an incident arises from an internal shortcoming on the organization's part, such as a lack of basic cyber hygiene.

Paul Caiazzo, the CISO at Avertium, discussed this problem on a recent SecureWorld Remote Sessions webcast:

"What we see a lot is attackers in this space are typically not using novel, Zero-Day type approaches to break into networks; they're using lack of hygiene. So, when people fail to simply patch their systems, or even really just understand what their attack surface looks like, it yields opportunities for bad guys to get in. And then ultimately use legitimate tools against the victim.

So using things like Sysinternals tools, or legitimate systems administrators' tools, to then proliferate ransomware across an environment for executing it. And it ultimately is a fairly easy process for these guys when a victim is unprepared, which is really what we see happening over and over and over again.

If there's one thing anybody can take away from this, it is that preparedness is paramount. And it starts with incident response planning, and going through tabletop exercises, and things like that are really important to be able to do that."

8 steps organizations can take to reduce ransomware risk

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) recently published a document titled Ransomware: What It Is and What to Do About It, which looks at how you can better protect your organization.

It notes that a commitment to cyber hygiene and best practices is critical to protecting your networks, echoing the words of Caiazzo.

Here are eight questions CISA recommends you ask about your organization:

  1. "Backups: Do we backup all critical information? Are the backups stored offline? Have we tested our ability to revert to backups during an incident?"
  2. "Risk Analysis: Have we conducted a cybersecurity risk analysis of the organization?"
  3. "Staff Training: Have we trained staff on cybersecurity best practices?"
  4. "Vulnerability Patching: Have we implemented appropriate patching of known system vulnerabilities?"
  5. "Application Whitelisting: Do we allow only approved programs to run on our networks?"
  6. "Incident Response: Do we have an incident response plan and have we exercised it?"
  7. "Business Continuity: Are we able to sustain business operations without access to certain systems? For how long? Have we tested this?"
  8. "Penetration Testing: Have we attempted to hack into our own systems to test the security of our systems and our ability to defend against attacks?"

[RELATED] Don't miss the upcoming SecureWorld webcast, 5 Things You Should Know About Ransomware Before It's Too Late, featuring KnowBe4's Data-Driven Defense Analyst, Roger Grimes. Register today!
