I bet that the Sanctions for Cyber Crime were all dutifully recorded and added to your already bloated Sanctions monitoring program. If, like me, you saw it and thought, "Well, I don't deal with anyone like that, why the hell would I?"
Firstly, that is typically active risk bias, but that is not what this posting is about. What I did not take into account was that some of the organisations that launch these attacks are the groups that are now on this list, and before long I imagine there will be many, many more.
If you thought Al-Qaeda and Da'esh were decentralised, glued together by weapons and money, with trust built on a common ideology, you would be right: you have half a chance of identifying cells and can verify their activities using these two legs.
So why are hacking groups so difficult? They have no infrastructure costs or communications issues. They change their name at the drop of a hat, which is why they need a sponsor: the money person (my gender-neutral description in there!). In step North Korea and Iran, with free soldiers whose ideology can be bent to fit their target. It really is a gift horse for them.
So what has this got to do with ransomware, I hear you ask? Some of these groups are the creators of the latest attacks, and we are entering a new era of weaponisation of malware attacks.
As security improves, the so-called 'script kiddies' (a derogatory term implying that a hacker's ability is the same as that of a 15-year-old copying hacking scripts from a discussion board and using them to attack servers from their bedroom) of the past are being blocked by better security infrastructure. Don't dismiss this threat by any means, as it only takes one mistake in your defences!
People do pay the ransom, hence the problem. That payment will go, either directly or indirectly, to a Sanctioned Group, or may even end up funding a Sanctioned Country. If you or one of your clients decides to pay up for the key, you could just be inviting in the DoJ, and your knackered data may turn out to be the easiest problem to fix!
Just to make you feel better, here is an extract from the latest alert from the US Cybersecurity and Infrastructure Security Agency (https://us-cert.cisa.gov/ncas/alerts/aa20-239a):
The BeagleBoyz, an element of the North Korean government’s Reconnaissance General Bureau, has likely been active since at least 2014. As opposed to typical cybercrime, the group likely conducts well-planned, disciplined, and methodical cyber operations more akin to careful espionage activities. Their malicious cyber operations have netted hundreds of millions of U.S. dollars and are likely a major source of funding for the North Korean regime. The group has always used a calculated approach, which allows them to sharpen their tactics, techniques, and procedures while evading detection. Over time, their operations have become increasingly complex and destructive. The tools and implants employed by this group are consistently complex and demonstrate a strong focus on effectiveness and operational security.
The BeagleBoyz overlap to varying degrees with groups tracked by the cybersecurity industry as: APT38 (FireEye), Bluenoroff (Kaspersky), Lazarus Group (ESTSecurity), and Stardust Chollima (CrowdStrike).