
DOJ Indicts WannaCry Creators, as Global Feds Impact Egregor Efforts

DOJ indicted three North Korean hackers for a range of nefarious activities, including WannaCry. Meanwhile, a global effort led to the arrest of some Egregor ransomware members.

In two separate actions this week, federal efforts have stymied global cybercriminal activities. The Department of Justice indicted the creators of WannaCry, while transnational government cyber specialists stopped some criminal activities tied to the Egregor ransomware variant.

The moves join earlier takedowns of NetWalker and Emotet hacking groups.

The Security Service of Ukraine, known as SBU and the country's main security agency, today shed light on the global efforts to thwart the distribution of Egregor, which were first disclosed on February 12.

The ransomware variant first appeared in September and quickly began wreaking havoc across all sectors. It's believed to be the successor group to Maze, which was one of the first groups to popularize the double extortion technique.

Egregor has been seen injecting Maze code into its variants. The FBI warned in January that the group was targeting and extorting private sector organizations. Officials warned that after the hackers compromised a victim, they’d exfiltrate data and encrypt files, before leaving a ransom note.

For healthcare, the most notable Egregor attack hit GBMC HealthCare in early December, infecting IT systems and forcing some platforms offline.

It appears, at least for now, SBU has blocked some activity through international cooperation between the agency, the United States, and France. According to the report, Egregor has caused more than 80 million in losses from more than 150 victims.

As part of the investigation into the illegal activity, the agencies seized Egregor's computer equipment, information on its victims, and other evidence of illegal activity.

Members of the group, including the organizer, were served “a notice of suspicion of committing criminal offenses of extortion, unauthorized interference in the work of computers, automated systems, computer or telecommunication networks.”

The investigation is ongoing, and it’s currently unclear if it was the Egregor leaders or some of its affiliates who were arrested. Given the liquidation of Egregor’s assets, the Ukrainian government is asking anyone with information on the group to share information with investigators.

“To see so many arrests made in a short period of time - NetWalker, Emotet and now Egregor - is unusual and a positive development,” said Emsisoft Threat Analyst Brett Callow. “Besides disrupting the operations of the groups concerned, enforcement action provides a deterrent which, until now, has been largely absent.”

“For example, a group called Ziggy ceased operations citing the arrests made in the NetWalker case as the reason. They also handed us their keys so we could create a decryptor enabling past victims to recover their data (about 1,000 businesses),” he added.

Meanwhile, DOJ indicted the creators of WannaCry: the global cyberattack that crippled hundreds of victims across the world in May 2017, including the UK National Health Service. WannaCry’s worming capabilities allowed it to quickly proliferate through unpatched devices that were vulnerable to EternalBlue, a stolen NSA hacking tool.

At the time, the Department of Health and Human Services urged healthcare entities to be on alert, given the extensive impact it had on victims. Data showed that WannaCry had infected a range of medical devices during the attack, as well.

According to DOJ, three North Korean nationals were behind the attack as members of the country’s Reconnaissance General Bureau (RGB), a military intelligence agency. The group operated as Lazarus Group and APT38.

Outside of WannaCry, the hackers were allegedly behind the 2014 cyberattack on Sony Pictures Entertainment, a range of global banking hacks from 2015 to 2019, ATM schemes, and multiple spear-phishing campaigns against government employees and contractors, among other nefarious activities.

“The indictment alleges that these groups engaged in a single conspiracy to cause damage, steal data and money, and otherwise further the strategic and financial interests of the DPRK government and its leader, Kim Jong Un,” officials explained.

“Nation-state indictments like this are an important step in identifying the problem, calling it out in a legally rigorous format, and building international consensus,” said Assistant Attorney General John C. Demers. “If the choice here is between remaining silent while we at the Department watch nations engage in malicious, norms-violating cyber activity, or charge these cases, the choice is obvious — we will charge them.”

The indictment and Egregor arrests are positive developments, as nation-state actors continue to target US organizations, especially those in healthcare. As the COVID-19 vaccine rollout and research have continued in recent months, nation-state hacking groups have kept pace.

Hackers with ties to foreign governments have already successfully targeted a number of entities tasked with the COVID-19 response.
