Tesla and FBI thwart $1 million Russian Ransomware hack

A Russian national was charged with one count of conspiracy to intentionally cause damage to a protected computer.

Egor Igorevich Kriuchkovfrom about July 15, 2020 to about August 22, 2020, conspired with associates to recruit an employee of a company to introduce malware — i.e., malicious software programs designed to damage or do other unwanted actions on a computer system — into Tesla's computer network. The malware would supposedly provide Kriuchkov and his co-conspirators with access to the company’s system. After the malware was introduced, Kriuchkov and his co-conspirators would extract data from the network and then threaten to make the information public, unless the company paid their ransom demand.

Kriuchkov contacted and met with the employee numerous times to discuss the conspiracy. Kriuchkov promised to pay the employee $1 million dollars after the malware was introduced. In furtherance of the conspiracy, Kriuchkov provided the employee with a burner phone, and instructed him to leave the burner phone in airplane mode until after the money was transferred.

The employee, however, instead reported Kriuchkov's offer to Tesla, which in turn alerted the FBI.

According to Matt Walmsley, EMEA Director at Vectra, typically, ransomware attackers seek internal access to privileged entities associated with accounts, hosts and services given the unrestricted access they can provide and the ease replication and propagation. "In this case, the recruitment or coercion of a Tesla insider to aid the attempted deployment of malware tools to stage their attack demonstrates the lengths ransomware groups will go to. Ransomware operators have evolved into using “name and shame” tactics whereby victim’s data is exfiltrated prior to encryption and used to leverage ransomware payments. These bullying tactics are making attacks even more expensive, and they are not going to stop any time soon, particularly within the current climate. These attackers will attempt to exploit, coerce, and capitalize on organizations’ valuable digital assets," says Walmsley.

Walmsley notes that in most cases, organizations can't rely on external prior notification or assistance. "Security teams need to be agile as time is their most precious resource in dealing with ransomware attacks and malicious insider behaviors. Early detection and response is key to gaining back control and stopping the attackers in their tracks before they can propagate across the organization, stealing and denying access to data and services.”

Steve Durbin, managing director of the Information Security Forum, says, “Ransomware is one of the most prevalent threats to an organization’s information and is more and more profitable for criminals. An affected organization will have to face the likelihood of a double financial hit as it is forced to pay a large ransom to protect its people or resume normal operations, and then to retrospectively build in security."

"Ransomware attackers are not interested in stealing assets and using them to cause damage. They are interested in exploiting the value of the asset to its owner," adds Durbin. "When striking at organizations, attackers will target systems that are vital to business operations, some of which may be operating in an unprotected manner or which may have been unsuspectingly exposed during the COVID-19 response with workers forced to access corporate systems from home. Ransomware tends to hit organizations in three key impact areas:

Operational – the hijacking and holding to ransom of systems brings operations that rely on them to a halt
Financial - potentially heavy ransoms will need to be paid to organized criminal groups to restore products and systems;
Legal and regulatory compliance - retrospectively fitting information security considerations to products and services will affect the organisation’s profits.

"Fines may also ensue if customer data is compromised via a ransomware attack. To protect against the scale and scope of these threats, an organization must to rethink its defensive model, particularly its business continuity and disaster recovery plans. Established plans that rely on employees being able to work from home, for example, do not stand up to an attack that removes connectivity or personally targets individuals as a means of dropping ransomware into the corporate infrastructure. Revised plans should cover threats to periods of operational downtime caused by attacks on infrastructure, devices or people. Creating a cyber-savvy workforce that takes information security seriously, while fostering a culture of trust, will help to eradicate poor security practices as well as reduce the number and scale of incidents," concludes Durbin.

Terence Jackson, Chief Information Security Officer at Thycotic, notes that ransomware has evolved over the years from being something that required somebody fairly skilled in writing code to a ransomware-as-a-service (RaaS) offering. "But, the skills that it takes to launch a ransomware attack have diminished. Exploit kits can be effortlessly purchased off of the web now just like other commercial off-the-shelf software (COTS)," he says. "Phishing is, and will likely continue to be, the preferred method for ransomware as it only takes one employee to open the door. This makes the attackers job much easier and again lowers to technical bar of entry to perpetrate an attack. As long as humans remain the weakest link in the defenses, ransomware attacks will continue to escalate.”

Ransomware and the propulsion of the extortion economy has rapidly eclipsed into a national priority. Recently, we observed the catastrophic impact of a widescale ransomware attack impacting gas pipelines and raising national gas prices overnight.