Critics may complain that it feels like “too little, too late,” but international cyberjustice can be a slow and complex matter.
After all, even criminal cases where there are ample witnesses and photographic evidence (such as traffic camera footage with drivers and vehicle tags clearly visible)․․․
․․․even cases of that sort may drag on for months or years, as the wheels of justice slowly turn.
Now imagine that cybercrime victims who are prepared to provide evidence in court are in country X, which wants to prosecute, but the alleged perpetrator is in country Y; the servers they used were in country Z; the service providers who made the various interactions possible are in countries M and N; the malware they used was written by a partner-in-crime from country P but who is now living in country Q.
With X, Y, Z, M, N, P, and Q involved, you’re probably reminded of those inscrutable and intimidating geometry problems you struggled through at school, wondering if you’d ever manage to thread the needle of proof through the myriad circles, lines and angles in the mystifying diagram on the paper in front of you.
Well, the US Attorney’s Office is at least having a go at a ransomware case that unfolded from 2021 to 2023, involving ransomware known as Black Kingdom that circulated in various guises from at least 2019.
This ransomware exploited various different known-but-often-left-unpatched security holes over the years, such as CVE-2019-11510 (a file-stealing security hole in a popular VPN product), and the double-barreled vulnerability CVE-2021-26855 plus CVE-2021-27065, also known by the nickname ProxyLogon (a remote code execution hole in Microsoft Exchange).
The fact that you can still read a warning about the VPN-based variant of this malware in a 2020 post on the website of the UK’s NHS (National Health Service) is a stark reminder of the wide range of victims that criminals connected with this ransomware family went after.
Indeed, a clinic and a school are explictly mentioned amongst known victims whose brushes with this ransomware are part of the evidence in the charges now being brought in the US.
The suspect in this case is one Rami Khaled Ahmed, now 36 years old.
He’s named in the indictment, but because he apparently lives in Sanaa in Yemen, the chance of him ever appearing in a US court seems very small indeed.
But he’s been charged anyway, and that’s a start.
The indictment claims that the suspect attempted to infect 1500 potential victims in the US and elsewhere, with at least four known US victims explicitly listed in the charges: “a medical billing services company in Encino, a ski resort in Oregon, a school district in Pennsylvania, and a health clinic in Wisconsin.”
The US Attorney’s press release also notes that “the FBI is investigating this matter with assistance from the New Zealand Police,” by way of a reminder of just how globally convoluted this sort of case, even an apparently straightforward one like this, can become.
Ahmed faces three charges, each “worth” five years is prison, so he could face 15 years if he’s ever brought to trial and convicted.
Malware attacks of this sort, which seek out and exploit well-known vulnerabilities, sidestep the need for phishing attacks or other human-on-human social engineering, and therefore don’t draw as much attention to themselves in advance.
So, in four simple words: Patch Early, Patch Often.
You’ll often hear the jocular (but not really funny) term N-day vulnerability used to describe this sort of security hole.
Remember that a zero-day is a bug that was found by attackers before a patch was available, so there were zero days that you could possibly have patched ahead of the crooks.
Understandably, zero-days attract the most media attention and often cause the most fear, although that fear generally subsides once a patch comes out.
But if you don’t apply that patch for a further N days, even though you could have, you are giving attackers what is essentially a “free pass” of N days’ duration during which the bug is still effectively a zero-day for you.
And the longer you leave it, and the larger N gets, the more widely-known the exploit becomes; the better criminals become at scanning and finding unpatched systems on the internet; and the more successful and easier-to-abuse the exploitation tools in circulation become.
Don’t be one of those people who leaves it!
If you’re struggling to stay on top of the demands of finding, fixing and monitoring all the patch-points in your business, why not sign up with SolCyber for a human-centric, human-friendly cybersecurity service that doesn’t just throw AI at the problem and then leave you to work out whether the AI’s reports-added-to-all-the-other-reports are right or wrong?
SolCyber’s human-to-human cybersecurity will find, inform, fix, and explain the issues to you one-to-one, so you not only know what’s happened, but also how it was dealt with and why, and how you can adapt your business workflow positively to reduce the chance of it happening again.
Paul Ducklin is a respected expert with more than 30 years of experience as a programmer, reverser, researcher and educator in the cybersecurity industry. Duck, as he is known, is also a globally respected writer, presenter and podcaster with an unmatched knack for explaining even the most complex technical issues in plain English. Read, learn, enjoy!
By subscribing you agree to our Privacy Policy and provide consent to receive updates from our company.
