In September, the Department of the Treasury took a series of actions to combat ransomware, including sanctioning a virtual currency exchange for facilitating financial transactions for ransomware actors. Treasury’s actions follow a Transportation Security Administration (TSA) security directive requiring owners and operators of TSA-designated critical pipelines to protect against ransomware attacks, and discussions between President Biden and Russian President Vladimir Putin about ransomware attacks from Russian soil.
These actions and others are a timely backdrop to MeriTV’s interview with Allan Liska, a senior security architect and ransomware expert at threat intelligence firm Recorded Future. In 2020, ransomware payments reached over $400 million, more than four times their level in 2019, according to the Treasury Department, and represent just a fraction of the damage that ransomware has done to critical operations, including financial services, healthcare, and energy.
The recent sanctions “start to put pressure on ransomware actors,” Liska said. “Sanctions against a single exchange isn’t going to stop ransomware attacks, but if that action is repeated over and over again, it makes it harder for ransomware groups to take [the] cryptocurrency they collect and do something with it. You can have all the money in the world. If you can’t spend it, it doesn’t help you.”
Federal agencies face several challenges as they try to combat ransomware, Liska noted. “The biggest one is asset management,” he said. “A lot of Federal agencies don’t know what they even have to defend against [hackers]. You can’t patch something if you don’t know that it’s actually part of your inventory.”
After agencies improve asset management, they can take additional steps to thwart ransomware, including threat hunting.
“Look for things like Cobalt Strike,” Liska advised. “Look for a lot of the red teaming tools that the ransomware actors use. Look for behavior that’s happening at odd hours. … Unusual activity varies from network to network, so you have to know your network before you can figure out what’s baseline and what’s unusual.” Threat hunting helps agencies to identify threats early, even if they missed the initial breach, he noted.
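The baselining idea Liska describes, flagging activity that falls outside what is normal for a given account or host, can be sketched in a few lines. The script below is an added illustration, not code from MeriTalk, Recorded Future or the interview itself; the log format (`timestamp user host event`), the sample lines and the one-hour slack are all constructed assumptions for the example. It learns, per user, which hours of the day and which hosts were seen during a baseline window, then reports events in a later hunt window that fall outside that baseline.

```python
"""Hunt for off-hours or off-host activity relative to a per-user baseline.

Added illustration only; the log format and sample lines are constructed
for this example and do not come from the interview or any real system.
"""
from collections import defaultdict
from datetime import datetime

# Constructed baseline window: "timestamp user host event" (assumed format).
BASELINE_LOG = """\
2021-09-01T08:05:00 alice ws-alice logon
2021-09-01T09:10:00 alice ws-alice logon
2021-09-01T17:30:00 alice ws-alice logoff
2021-09-02T08:15:00 alice ws-alice logon
2021-09-02T16:55:00 alice ws-alice logoff
2021-09-01T22:00:00 bob backup-01 logon
2021-09-02T22:05:00 bob backup-01 logon
2021-09-03T22:01:00 bob backup-01 logon
"""

# Constructed hunt window: the same format, a week later.
HUNT_LOG = """\
2021-09-10T08:20:00 alice ws-alice logon
2021-09-10T03:12:00 alice dc-01 logon
2021-09-10T22:03:00 bob backup-01 logon
2021-09-10T03:15:00 bob dc-01 logon
"""


def parse(log):
    """Turn the constructed log text into (datetime, user, host, event) tuples."""
    events = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, user, host, event = line.split()
        events.append((datetime.fromisoformat(ts), user, host, event))
    return events


def build_baseline(events):
    """Per user: the set of hours (0-23) and the set of hosts seen in the baseline window."""
    hours = defaultdict(set)
    hosts = defaultdict(set)
    for ts, user, host, _event in events:
        hours[user].add(ts.hour)
        hosts[user].add(host)
    return {user: {"hours": hours[user], "hosts": hosts[user]} for user in hours}


def circular_distance(a, b):
    """Distance between two hours on a 24-hour clock (23 and 0 are 1 apart)."""
    d = abs(a - b) % 24
    return min(d, 24 - d)


def hunt(events, baseline, slack=1):
    """Return (user, host, timestamp, reasons) for events outside the user's baseline.

    An event is reported if its hour is more than `slack` hours from every
    baseline hour for that user, or if the host was never seen for that user.
    Accounts with no baseline at all are reported as well, since an unknown
    account is itself an inventory gap.
    """
    findings = []
    for ts, user, host, event in events:
        profile = baseline.get(user)
        reasons = []
        if profile is None:
            reasons.append("no baseline for user")
        else:
            if all(circular_distance(ts.hour, h) > slack for h in profile["hours"]):
                reasons.append(f"hour {ts.hour:02d} outside baseline hours {sorted(profile['hours'])}")
            if host not in profile["hosts"]:
                reasons.append(f"host {host} not seen for user in baseline")
        if reasons:
            findings.append((user, host, ts.isoformat(), event, reasons))
    return findings


def run_example():
    """Build the baseline from BASELINE_LOG and hunt over HUNT_LOG."""
    baseline = build_baseline(parse(BASELINE_LOG))
    return hunt(parse(HUNT_LOG), baseline)


if __name__ == "__main__":
    for user, host, when, event, reasons in run_example():
        print(f"{when} {user}@{host} {event}: " + "; ".join(reasons))
```

On the constructed data, bob's nightly 22:00 logons to `backup-01` are part of his baseline and are not reported, while the 03:00 logons to `dc-01` by both accounts are, on two independent signals (hour and host). The point of the per-user profile is exactly what Liska says: what counts as unusual depends on the network, so a fixed "anything after 18:00" rule would have produced a false positive on bob every night.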
In the interview, Liska discusses:
- How to prioritize resources against risk
- How ransomware actors are expanding the attack surface by targeting Linux systems
- How agencies can protect against attacks and mitigate damage from them
For more insights from Liska, check out the full interview and keep an eye out for his new book, Ransomware: Understand. Prevent. Recover., at the end of October.