Cyber chatter flowed on Twitter today after a researcher, who goes by the handle @pancak3lullz, posted about claims from ransomware gang REvil that EvilCorp and Maze are actually one group operated by eight people with ties to the Russian government.
While interesting, should rank-and-file security pros even care about this kind of talk?
Probably not in terms of defense tactics, said Rick Holland, chief information security officer and vice president of strategy at Digital Shadows, who agreed that while defining attribution to prominent ransomware groups is as intriguing as it is challenging, for the majority of enterprise defenders, it’s largely a distraction.
“Your defenses don’t dramatically change whether you are up against a traditional cybercriminal or state-affiliated one,” Holland said. “Patching known vulnerabilities, enabling multi-factor authentication, and disabling macros will go a long way no matter the threat du jour.”
Joe Slowik, senior security researcher at DomainTools, warned that until substantiated, claims of a link between the two groups should be treated with extreme skepticism.
“Overall, short of having direct access to adversary infrastructure communications, or operational planning, it’s very difficult to ‘pinpoint’ such groups, especially as ransomware operations increasingly break down into multiple ‘teams’ selling access, services, and tools to each other,” he said.
Tarik Saleh, senior security engineer for malware and forensics at Amazon, agreed that while it’s trivial for attackers to create new identities and infrastructure for each attack they conduct, researchers “have to capitalize on sloppy operational mistakes made by these groups to help attribute these attackers to attacks.” Who is behind the attack or why they are motivated to execute the attack may not be relevant to all security teams, he added, “but it should.”