Tag Archive for: sanctions

US sanctions alleged Russian ransomware hackers known as Trickbot


ABC News

6-year-old who shot teacher had history of violent behavior at school, assistant principal failed to act: Lawyer

The teacher shot in class by her 6-year-old student in Newport News, Virginia, claims the shooter had a history of violent behavior at school and accused the school’s assistant principal of failure to act despite being told repeatedly that the student had a gun at school, her lawyer alleged in a letter notifying the district of the intent to file a lawsuit. Two other letters were submitted by parents of students who go to Richneck Elementary School. In the letter, a lawyer for Abigail Zwerner, the teacher who was shot, alleged that four teachers, including Zwerner, and a guidance counselor all warned the school’s assistant principal, Ebony Parker, about the shooter’s behavior on the day of the shooting, but Parker failed to act when she was first notified, between 11:15 and 11:30 a.m., and when Zwerner was shot at 1:59 p.m.

Ransomware Payments Become an Even Riskier Choice Amidst the Ever-Growing Sanctions List | Faegre Drinker Biddle & Reath LLP


In February 2022, Executive Order 14024 highlighted that Russia’s invasion of Ukraine threatened not only Ukraine but also the national security and foreign policy of the United States. Pursuant to this executive order, and in the face of national security concerns, the U.S. Department of Treasury’s Office of Foreign Assets Control (OFAC) has instituted extensive sanctions, including both economic and trade sanctions. Also, in response to the national security concerns, the Cybersecurity and Infrastructure Security Agency (CISA) issued a Shields Up notice, urging companies to bolster their cybersecurity to protect themselves against the threat of a cyberattack.

As the conflict between Russia and Ukraine continues, the threat of a cyberattack, specifically ransomware and NotPetya-style attacks, remains top of mind. However, as entities continue to bolster their cybersecurity and protect themselves against these attacks, they should be cognizant of the implications that OFAC sanctions may have in connection with such an attack.

All U.S. persons must comply with the sanctions against Russia. U.S. persons are defined as U.S. citizens and permanent residents regardless of location, as well as all persons and entities who are in the U.S. and all entities incorporated in the U.S. and any of their foreign branches.

This analysis becomes complicated during ransomware attacks. When an entity is the victim of a ransomware attack, they typically have to make a decision about whether to pay the attacker a ransom in order to retrieve their data or to get a key to unencrypt their data. Ransom payments — including payments with cryptocurrency or payments facilitated through third parties — to sanctioned persons or entities are in violation of the OFAC regulations. In light of the Russia-Ukraine conflict, the number of sanctioned individuals and entities has increased dramatically, making it more difficult to ensure that an entity requesting a ransom payment is not subject to sanctions.

Making a ransomware payment where it is known that the ransomware attacker originated from a person or group on the OFAC sanctions list is in violation of the OFAC regulations and subjects the payor…

How Russian sanctions may be helping US cybersecurity


Federal government officials say sanctions placed on Russia following its invasion of Ukraine may have positive effects on cybersecurity in the United States.

Leaders in both the National Security Agency (NSA) and FBI have said Russian sanctions have been slowing down ransomware attacks and cyber attacks perpetrated by state-sponsored actors and cybercriminals since the beginning of Russia’s invasion. The White House issued wide-ranging economic sanctions against the country earlier this year. In addition, federal agencies have imposed cybersecurity sanctions on the Russian government as well as on private entities, including cryptocurrency exchanges and mixers, over ransomware activity and state-sponsored attacks stemming from the region.

Rob Joyce, the NSA’s director of cybersecurity, stated at the CyberUK event last month in Wales that from his perspective, ransomware has fallen over the last two months. He believes that Russian sanctions are one of several factors potentially impacting ransomware numbers.

“As we do sanctions and it’s harder to move money and it’s harder to buy infrastructure on the web, we’re seeing them be less effective — and ransomware is a big part of that,” Joyce said during a panel discussion. “We’ve definitively seen the criminal actors in Russia complain that the functions of sanctions and the distance of their ability to use credit cards and other payment methods to get Western infrastructure to run these [ransomware] attacks have become much more difficult.”

Joyce reinforced that message while speaking at RSA Conference 2022 last week.

“Sanctions related to Russia and their Ukraine problem have impacted the ransomware actors,” Joyce said during a session titled “State of the Hacks: NSA’s Perspective.” “They are finding it difficult to extract funds out of the ecosystem, get them converted as well as use payments that are accepted to buy the infrastructure they need to operate.”

Joyce said that the decrease in attacks caused by cybersecurity sanctions may lead to the Russian government turning to ransomware-as-a-service (RaaS) providers in order to gain access to their targets. He said that as threat actors become quicker at exposing…

Evil Corp Switches to Ransomware-as-a-Service to Evade US Sanctions


Evil Corp—or at least a hacking group affiliated with it—is mixing things up.

Mandiant reports that a threat actor it’s been tracking as UNC2165 appears to be related to the cybercrime group, which was sanctioned by the US Treasury Department in 2019 for using “the Dridex malware to infect computers and harvest login credentials from hundreds of banks and financial institutions in over 40 countries, causing more than $100 million in theft.”

Those sanctions prevent organizations from paying a ransom to restore access to their systems. Financially motivated threat actors like Evil Corp aren’t targeting organizations for the fun of it, or looking to further a nation-state’s agenda, so they have to maximize their chances of getting paid. That means they need to make it harder for their victims to identify them.

A timeline of ransomware strains used by groups affiliated with Evil Corp

Which is why Mandiant says that hacking groups affiliated with Evil Corp have used a variety of ransomware strains over the last two years. The groups initially used WastedLocker, but after that ransomware’s connection to Evil Corp was revealed, they switched to a ransomware family known as Hades. Now they’ve started using a ransomware-as-a-service (RaaS) called Lockbit.

Mandiant says that using a RaaS offering makes sense for groups affiliated with Evil Corp:

Both the prominence of LOCKBIT in recent years and its successful use by several different threat clusters likely made the ransomware an attractive choice. Using this RaaS would allow UNC2165 to blend in with other affiliates, requiring visibility into earlier stages of the attack lifecycle to properly attribute the activity, compared to prior operations that may have been attributable based on the use of an exclusive ransomware. Additionally, the frequent code updates and rebranding of HADES required development resources and it is plausible that UNC2165 saw the use of LOCKBIT as a more cost-effective choice.

The company says it expects similar groups “to take steps such as these to obscure their identities in order to ensure that it is not a limiting factor to receiving payments from victims.”…
