Ransom-War Escalation: The New Frontline in Cyber Warfare

By Nissim Ben Saadon, Director of Innovation, CYREBRO

High-profile ransomware attacks against government targets in Costa Rica and Peru last year brought a new twist to the concept of cyberwar: Ransom-War. With the rise of ransomware-as-a-service (RaaS) and the relative impotence of government agencies to counter attacks, for-profit ransomware wars conducted by private or state-sanctioned hacking groups against local and national government targets are increasing in severity and intensity. In this article, we’ll take a deep dive into why this is happening and discuss possible mitigation options.

The Rise and Fall of Conti

The now-defunct ransomware group known as Conti set the standard for Ransom-War attacks. Prior to announcing its public support for the Russian invasion of Ukraine, the group – together with its sister group REvil – rampaged across the digital world.

Over an 18-month period, Conti accumulated over $180 million in payouts, leading the US Department of State to offer a $15 million reward for information leading to the identification or conviction of its members.

Notably, Conti was responsible for the state of national emergency declared by Costa Rica in 2022, after that country refused to pay a $10 million ransom and suffered a 672GB leak of sensitive data from various Costa Rican government agencies. Costa Rica’s then newly-elected president, Rodrigo Chaves, declared the country “at war” with cybercriminals.

Similarly, Conti hacked Peru’s premier intelligence agency, which is responsible for national, military and police intelligence, as well as counterintelligence. They succeeded in exfiltrating 9.1GB of sensitive intelligence data.

The group apparently disbanded after a crackdown precipitated by their public support for the Russian invasion of Ukraine. Yet the bar they set for sheer audacity and efficacy in their attacks against government targets remains high.

Most Recent Ransom-War Targets

In recent months, other ransomware hacking groups seem to be targeting government entities worldwide with increasing frequency. Most notably:

• In July 2023, the city of Hayward, California declared a state of emergency, after a ransomware attack breached the city’s computer systems and networks.
• Also in July, Barts Health NHS Trust – an entity within the UK’s national healthcare system – suffered a ransomware attack, potentially leaving data from 2.5 million people at risk.
• In February 2023, the city of Oakland, California was hit by a ransomware attack, forcing it to take all systems offline.
• That same month, the S. Marshals Service – a federal government agency – suffered a ransomware attack that exposed sensitive law enforcement information.
• In January of 2023, also in the UK, a ransomware attack shut down the Royal Mail, the country’s largest mail delivery service.
• Also in January, a ransomware attack on San Francicso’s Bay Area Rapid Transit Authority (BART) led to the release of sensitive files after the authority refused to pay the ransom.

Drill Down: Why Target Governments?

Ransomware groups target governments for several reasons. First, governments collect and store valuable data on their citizens and have large budgets. This makes them potentially lucrative targets for financial gain. Second, they own and run sensitive critical infrastructure. Attacking governments allows ransomware groups to disrupt critical services with the resulting chaos potentially exerting political pressure to pay ransoms. And of course, some threat actors have political or ideological agendas, and governments represent easy and symbolic targets for local or regional vendettas.

To better understand the motives of Ransom-War threat actors, we analyzed the above-mentioned Costa Rica attack more in-depth. Costa Rica is, after all, a popular tourist destination and not generally considered a country with overbearing or extended political reach. So why would Conti have chosen to launch an attack against such an unassuming country?

• Theory 1 – The attack was simply a crime of opportunity. Attackers were looking for vulnerabilities or weaknesses and struck when they found them in the Costa Rican government’s systems.
• Theory 2 - Owing to the sensitive timing of the attack (immediately following the transition of power following a national election), it was an attempt to destabilize the country or overthrow it altogether.
• Theory 3 - Based on internal Conti communications, the attack may have been a smokescreen created to remind the public of the group’s prominence and lucrative attack prowess.
• Theory 4 – Since Costa Rica publicly rejected the Russian invasion of Ukraine and Conti was aligned with Russia, the motivation was political.

Understanding the motives of ransomware groups that target governments is crucial for devising effective strategies to combat and mitigate the impact of ransomware attacks on governments.

What Can Governments and Their IT Service Providers Do?

It is common for attackers to target companies providing IT services to governments, as they may be less secure.

While having backups in place can mitigate the need to pay for a decryption key, it does not prevent ransomware attacks from occurring against government agencies or entities. To establish robust government cybersecurity, it is crucial to implement preventive measures and proactively counter threats. Some actions companies providing services to governments can offer:

• Limit publicity over governmental projects – this is particularly important in foreign media outlets in foreign languages.
• Decentralize public and external digital assets so that if attackers are familiar with one IP/domain, they can’t know everything within the public domain
• During wartime, reduce the attack surface by temporarily taking down unnecessary public assets such as old websites
• Review and prioritize publicly accessible vulnerabilities, and address their urgency according to risk
• Continuously monitor networks and proactively hunt for threats to identify and intercept intrusions early on

The Bottom Line

Ransom-War is on the rise. High-profile attacks against strategic government targets are becoming increasingly severe and intense. Governments are attractive targets due to their valuable data, large budgets, and critical infrastructure. To combat this menace, governments must implement effective preventive measures. It’s time for governments to take a stand and protect their digital fortresses from acts of Ransom-War.

About the Author

Nissim has over 10 years’ experience serving in a variety of cybersecurity functions including being a CISO, and providing DFIR, malware analysis and SIEM professional services for private companies, military organizations and government. He also occasionally creates and teaches cybersecurity courses for professionals. He currently serves as CYREBRO’s Director of Innovation. Nissim can be reach via LinkedIn at https://www.linkedin.com/in/nissim-ben-saadon-0ba173bb/ and at CYREBRO via www.cyrebro.io.