Taking The Fight To The Ransomware Gangs: The Impact On Law Firms – Above the Law

Ed. note: This is the latest in a new article series, Cybersecurity: Tips From the Trenches, by our friends at Sensei Enterprises, a boutique provider of IT, cybersecurity, and digital forensics services.


Going on the Offensive: A New Development in Combatting Ransomware

For as long as ransomware gangs have been around, we’ve been rocked back on our heels in defensive mode. No longer. Following the old adage about taking the fight to the enemy, we have set out to make it painful to be in a ransomware gang. We have taken the gloves off in our quest to disrupt the cyber criminals.


Who is Fighting Ransomware?

Everyone knew that, under the Biden administration, cybersecurity was a priority, one of the few things that both political parties could agree upon. Notable has been the elevation of the Cybersecurity and Infrastructure Security Agency (CISA), which is part of the Department of Homeland Security. CISA has risen to great prominence producing all sorts of resources, one of them noteworthy for this article. The resource is Stop Ransomware, a site full of helpful advice in plain English found here.

But what we didn’t know until December of 2021 was that the U.S. military is taking on ransomware as well, particularly worried about attacks on critical infrastructure. Mind you, the military doesn’t want to tell us exactly what it is doing, which is unsurprising. General Paul M. Nakasone, the head of the US Cyber Command and director of the National Security Agency, has said that one of the goals of the current operations is to “impose costs” for ransomware groups.

We have also added private companies to the fight, including Amazon, Google and Microsoft. CISA is teaming with private companies in the Joint Cyber Defense Collaborative, which will focus first on combatting ransomware and attacks on cloud providers, concurrently working on information sharing between the government and the private sector.


The Department of Justice Had a Very Good Month in November 2021

In a series of moves, the DOJ sent ransomware gangs a strong message. It arrested an affiliate of the ransomware gang REvil in Poland to be extradited to the U.S.

It seized $6.1 million in cryptocurrency from another REvil associate.

Finally, it offered a bounty of $10 million for the name or location of any key REvil leader and up to $5 million for information about REvil affiliates. That’s some serious money!


January 2022: The Russians Say They Shut Down REvil with Information Provided by the U.S.

Eyebrows no doubt went up everywhere when that news was reported. The Federal Security Service (FSB) of the Russian Federation announced that REvil was now shut down and “the information infrastructures used for criminal purposes was neutralized.”

Fourteen REvil members were arrested, apparently based on information provided by the U.S. Russian authorities confiscated cryptocurrency and fiat money, including more than 426 million rubles (approximately $5.5 million), 600 thousand U.S. dollars and 500 thousand euros (approximately $570,000).

They also confiscated 20 luxury cars purchased with money obtained from cyberattacks, computer equipment and cryptocurrency wallets used to develop and maintain the ransomware operation.


Chatter on the Dark Web: The Criminals are Worried

Not surprisingly, members of ransomware gangs are worried about being tracked down and arrested. They expressed in their dark web chatter that they had no desire to go to jail (imagine that). Previously, jail had never seemed a possibility as Russia turned a blind eye to the activities of ransomware gangs.

Some mentioned moving out of Russia. Others worried that criminals who are arrested will rat out their comrades. That seems likely. Suddenly, there was a ripple of fear pervading in the ransomware cartels that didn’t exist before. Crime may indeed have consequences.


What Do Recent Developments Portend for the Longstanding Battle of Law Firms Against Ransomware?

It is hard to know this early on how law firms may be impacted by the recent victory against REvil. Bear in mind that the Russian cooperation may have much to do with diplomacy. It may have been a good moment to give the Americans something they wanted (Russia doing something about the many ransomware gangs it harbors) while plans to attack Ukraine were clearly underway.

Also, a new ransomware group has popped up called the “Ransom Cartel.” DataBreachToday reported on January 24 that “Security experts say the new group has technical and other crossovers with REvil. But whether the new group is a spinoff of REvil, bought the tools, or is simply copying how they work, remains unclear.” As we have always said, shutting down ransomware gangs amounts to playing a game of “whack-a-mole.”

Law firms are still being attacked every day. We know that because of what we do for a living. But the actions we’ve seen taken in the U.S. are significant, and over time, they may have their intended effect, disrupting the gangs through arrests, siphoning their cryptocurrency, etc. The clear advice for law firms is “don’t let your guard down.”

Law firms are still, as Forbes once noted, a great “one stop shopping” way to get the data of many corporations, government entities, etc. They remain the crown jewel prize for ransomware gangs, so while we applaud the commendable actions taken thus far, the war against ransomware is far from over. In many ways, it has just begun.




Sharon D. Nelson (snelson@senseient.com) is a practicing attorney and the president of Sensei Enterprises, Inc. She is a past president of the Virginia State Bar, the Fairfax Bar Association, and the Fairfax Law Foundation. She is a co-author of 18 books published by the ABA.


John W. Simek (jsimek@senseient.com) is vice president of Sensei Enterprises, Inc. He is a Certified Information Systems Security Professional (CISSP), Certified Ethical Hacker (CEH), and a nationally known expert in the area of digital forensics. He and Sharon provide legal technology, cybersecurity, and digital forensics services from their Fairfax, Virginia firm.


Michael C. Maschke (mmaschke@senseient.com) is the CEO/Director of Cybersecurity and Digital Forensics of Sensei Enterprises, Inc. He is an EnCase Certified Examiner, a Certified Computer Examiner (CCE #744), a Certified Ethical Hacker, and an AccessData Certified Examiner. He is also a Certified Information Systems Security Professional.