Britain Wants to Use Its New Cyber Command to ‘Hunt’ Ransomware Gangs

Sir Jeremy Fleming, director of GCHQ, Britain's intelligence and cybersecurity agency. (Photo: ROSLAN RAHMAN/AFP, Getty Images)

The United Kingdom wants to use a recently formed cyber command to “hunt” and hack ransomware gangs, a high-level government official recently revealed.

Jeremy Fleming, the director of Britain’s signals intelligence agency, GCHQ, divulged the plans at this year’s US Cipher Brief threat conference on Monday. Fleming said that Britain had seen a significant uptick in ransomware attacks and that the government was looking to use offensive operations to deter future attacks.

Operations of this kind would likely involve the government using its own exploits to target and disable servers operated by criminal gangs, the Financial Times reports. The UK's National Cyber Force, a unified offensive cyber command formed last year, would carry out such operations.

In his comments, Fleming suggested that governments simply had not done enough to impose costs on ransomware operators.

“The reason it [ransomware] is proliferating is because it works . . . criminals are making very good money from it and are often feeling that [it’s] largely uncontested,” he said. “I’m pretty clear from an international law perspective and certainly from our domestic law perspective you can go after [criminal actors],” he added.

News of the UK’s plans to “hack the hackers” comes only about a week after Reuters first reported that the U.S. had conducted an operation of its own along these lines. According to the outlet, the FBI and various partners recently worked together to hack the servers of REvil — a prominent ransomware gang that has been connected to some of the biggest attacks on U.S. companies. REvil mysteriously disappeared in July, not long after conducting a gargantuan attack on software company Kaseya. At the time, it wasn’t clear what had happened to the criminals — and some speculated that the gang had intentionally shut down its own operations. However, Reuters reports that, in reality, the gang had its network infrastructure hacked by law enforcement and some of its servers were co-opted.

The news that the U.S. and the UK are engaged in such activities seems to signal a new phase of law enforcement tactics in combatting cybercrime — one in which governments more actively and openly pursue cybercriminals rather than just clean up their mess.

Oleg Skulkin, DFIR Lab deputy head with cybersecurity firm Group-IB, told Gizmodo in an email that the operation against REvil isn’t the first time that the U.S. has worked to disrupt a cybercrime group.

“There have been reports about such operations earlier,” Skulkin said. “Last year, the U.S. Cyber Command carried out an operation in parallel with private sector players to take down the infamous TrickBot botnet ahead of Election Day to prevent it from being used to launch attacks on IT systems supporting the election process.”

However, Allan Liska, Senior Security Architect with Recorded Future, told Gizmodo that the recent FBI operation against REvil would appear to be an escalation of what the U.S. is willing to do to go after ransomware operators.

“While this is not the first time that law enforcement has seized ransomware actors’ infrastructure, it does appear to be the first time they have used CNA (computer network attack) methods (at least that has been publicly reported),” Liska said. “This is the next logical progression and a sign that law enforcement is taking the ransomware threat seriously.”