Why Attribution is a Major Pain in the Ass


September 19, 2023

World map

Attribution is a significant challenge in most cases - from simple things like reusing code from another attack group, to adding annotations to code in another language, to more technically complex techniques like abusing legitimate network tools - efforts to thwart attribution have long been a major element of attacker tradecraft.  

This is one of the biggest reasons the "hack back" strategy is rife with problems. For instance, attackers often compromise third-party systems and use them in subsequent attacks against other targets.  

So, who are you going to “attack back”? The other victim? Not a good idea from a legal or ethical standpoint - and probably not a good look for your organization.

Ransomware (and other) attackers employ a range of tactics to avoid detection and attribution, including:

  • Use of Tor and VPNs: Attackers often route their communication through the Tor network or virtual private networks (VPNs) to obfuscate their IP addresses and locations, making it difficult to trace them.
  • Compromise of Third-Party Infrastructure: Attackers can compromise systems of one victim and use them to attack another, making attribution more difficult.
  • Anonymous Payment Methods: Ransom payments are typically demanded in cryptocurrencies such as Bitcoin, Monero, or Ethereum, which offer a degree of anonymity. This makes it challenging to track the flow of funds and identify the attackers.
  • Encryption: Ransomware payloads are usually heavily encrypted to evade detection by antivirus and security software. Advanced encryption algorithms make it difficult to analyze the malware's code.
  • Polymorphic Malware: Ransomware authors frequently use polymorphic techniques, which alter the malware's code and behavior with each infection. This makes it harder for signature-based detection methods to identify the malware.
  • Living-off-the-Land (LotL) Techniques: Once inside a network, attackers move laterally to compromise multiple systems, often using legitimate administrative tools and credentials. This mimics normal network behavior, making it harder to detect their presence.
  • Supply Chain Attacks: Targeting third-party vendors or software providers can enable attackers to compromise a target indirectly, further distancing themselves from attribution.
  • Fileless Malware: Some ransomware strains operate without dropping executable files on disk, residing only in memory. This can evade traditional file-based security measures.
  • Counter-Forensics: Skilled attackers may attempt to tamper with or delete log files, making it difficult for incident responders to reconstruct the attack timeline and identify the initial entry point.
  • Red Herrings: Attackers may intentionally leave misleading clues like code reuse or annotation in code in a language other than the attackers to direct attribution to another group or nation-state, diverting investigative efforts.

The funny thing is, everyone seems to be really hung-up on establishing attribution, and because media cycles run much faster than DFIR investigations, threat actors probably kick back with some popcorn and enjoy the show as the attribution game plays out in headlines.  

For the most part, no one really needs to play the attribution game beyond law enforcement and governments.  

Whether you're a mom-and-pop shop or a major pharmaceutical, the "who" behind the attack should be way down the list of things to care about. Your concern should be on the "how" and "why" so you can better inform your security program against future attacks.

Halcyon.ai is the industry’s first dedicated, adaptive security platform that combines multiple advanced proprietary prevention engines along with AI models focused specifically on stopping ransomware – talk to a Halcyon expert today to find out more. Halcyon also publishes a quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile (PDF).