The Good, the Bad and the Ugly in Cybersecurity – Week 34

The Good

This week, the U.S. Department of Justice has extradited a Russian citizen from the Netherlands to face charges of laundering cryptocurrency-based ransom payments from Ryuk ransomware victims.

According to a statement from the DoJ and court documents, the alleged cryptocurrency launderer, Denis Mihaqlovic Dubnikov, and his accomplices laundered ransom payments from both individuals and organizations targeted by the Ryuk ransomware gang around the world.

After receiving the ransom payments, Dubnikov, his accomplices, and Ryuk operators collaborated to engage in both domestic and international financial transactions to conceal the ransom money’s origins. In one month alone, Dubnikov is accused of laundering more than $400,000 in Ryuk ransoms, and the Department of Justice believes that Dubnikov and his co-conspirators have laundered at least $70 million in ransoms.

First sighted in August 2018, Ryuk is a notorious ransomware family that threat actors have leveraged in several high-profile attacks in recent years, including a 2018 attack on the Los Angeles Times. Ryuk is particularly aggressive in terms of speed of encryption, and it is known to deploy additional measures to cripple defenses and recovery options on infected machines. In October 2020, law enforcement officials specifically identified Ryuk as an imminent and increasing cybercrime threat to hospitals and healthcare providers in the United States.

As Dubnikov goes to trial, the Justice Department’s Ransomware and Digital Extortion Task Force should celebrate the fact that they have successfully disrupted one of the channels for threat actors to retrieve their ransom payments. We can only hope that future investigations will continue to strategically disrupt ransomware criminal ecosystems and identify a path where victims can reclaim the money that they lost.

The Bad

The threat actors behind BlackByte ransomware have re-emerged, with some techniques that other notorious threat actors have leveraged in the past.

The ransomware operators returned after a brief hiatus with “BlackByte version 2.0.” While research into BlackByte’s ransomware encryptor is ongoing, the BlackByte threat actors have launched a new data leak site on Tor that incorporates extortion techniques associated with threat actors that deploy LockBit ransomware.

In a new twist in extortion tactics, the BlackByte leak site now gives victims the option to pay for an extension to their ransom deadline. If a victim pays $5,000 in Bitcoin or Monero, they can push back the date on which their data is published by 24 hours. They can also pay $200,000 to download a copy of their data, or $300,000 to destroy it entirely. This scheme is designed to help the threat actors extort more money from victims and to sell exfiltrated data to fellow cyber criminals. However, security researchers say that BlackByte’s data leak site is not correctly embedding the cryptocurrency wallet addresses, leaving victims unable to pay the threat actors for an extension or deletion.

This re-emergence is a concerning development in today’s threat landscape. BlackByte has already launched several high-profile attacks in the past, and the group shows no signs of slowing down.

The Ugly

Cyber criminals created confusion in the United Kingdom this week, as one major drinking water provider disclosed that they had been impacted by a cyber attack, and a ransomware gang claimed to have compromised another.

In a disclosure published on its website, South Staffordshire Water, which supplies water to 1.6 million customers in the South Staffordshire and West Midlands areas, confirmed that the breach had only impacted its corporate IT network, and that there was no risk of a water supply or customer service outage. The company also disclosed that it was working closely with the UK authorities to investigate the incident further.

Meanwhile, the Clop (also known as C10p) ransomware gang claimed that they had breached Thames Water, another UK-based water supplier. The threat actors alleged that they had exfiltrated 5 TB of data and successfully accessed SCADA and water treatment systems, which they could hypothetically use to impact 15 million customers. However, Clop pledged that they would not be encrypting Thames’ data, but criticized the water provider for its poor security practices.

In response, Thames Water released a statement denying these claims and stating that its systems are fully operational. When Clop subsequently released what it claimed was evidence of the breach, the published material contained leaked documents, usernames, and passwords from South Staffordshire Water. As a result, it has been suggested that Clop either misidentified its target or fabricated evidence in order to target a larger company.

Either way, breaches like these raise concerns about the security practices of organizations in charge of critical infrastructure. It cannot be emphasized enough that critical infrastructure providers must continually re-evaluate their current security measures to account for evolving threats.