The Rise of Ransomware

Post on Groove ransomware data leak site calling for attacks on the United States.

2021 may be recorded as the year of the rise of ransomware. Combating the cyber-crime operation—which encrypts data, crippling computer systems, and requests cryptocurrency in exchange for decryption—has become central to international efforts to secure critical infrastructure and protect victims against cyber-crime. Last month, the White House convened 30 nations to work in coordination against ransomware threats, demonstrating the global nature of the threat – while notably excluding Russia and China.[1] One week later, the U.S. conducted first reported cyber operation to push a ransomware group’s operations offline.[2] Ransomware itself is decades old, with the first known instance occurring in 1989.[3] So why is it exploding in importance now, and what are the implications of the rise of ransomware?

In 2020, the COVID-19 pandemic generated incentives to conduct low-risk attacks against international business. Money flowing to in-person criminal enterprises and throughout the economy dried up. Companies moved online and attempted to set up work from home infrastructure overnight, generating opportunities to conduct cyber operations against shoddy information security infrastructure.[4] Ransomware actors initially rose with the wider proliferation of decentralized cryptocurrencies and the availability of dark web markets for targeting data and exploits post-2013. Existing cyber-crime groups likely saw an opportunity to ramp up operations, increase the size of ransoms, and license their malware as ‘Ransomware as a Service’ (RaaS) to newcomers in 2020. Importantly, the increase in attacks led to an increase in profits. Victims paid ransoms in record amounts to ransomware groups, with over $590 million in confirmed ransom payments reported by US-based companies to the U.S. Department of Treasury in the first six months of 2021.[5]

The issue escalated in strategic importance in May 2021, when the Russian-speaking Darkside ransomware group conducted the largest cyber-attack on an oil infrastructure target in US history, causing regional gas shortages in the Southeast by shutting down operations software for the Colonial pipeline.[6] This was quickly followed by an increase in attacks on the meat industry, local governments, and hospitals across the US. This centered on cyber issues at a bilateral summit held between Russian President Vladimir Putin and President Joe Biden on June 16, 2021, where the leaders agreed to ‘consult’ each other about ransomware attacks.[7] Following the summit, the Biden Administration began a flurry of cybersecurity activity, further empowering the newly enlarged National Security Council Cyber Directorate (NSC-Cyber) and Office of Science and Technology Policy (OSTP) which received its first cabinet-level director, Eric Lander. The Biden White House subsequently created an inter-agency Ransomware Task Force which held an international summit on combating ransomware,[8] sanctioned a cryptocurrency exchange for laundering ransom money,[9] and coordinated the first reported state-backed take-down of a ransomware group.[10] The ransomware entities targeted by the White House are all allegedly based in Russia. In response, some ransomware operators threatened to target US interests in response to the increased US legal pressure.[11]

It is too soon to tell if these efforts will slow the proliferation of new ransomware groups. The ransom in the Colonial pipeline case was only $4.4 million, half of which was recovered in a cyber operation. A number of ransomware actors received ransom payments worth over $40 million.[12] On October 16, Sinclair Broadcast Group, one of the largest US television station operators in the US was hit by the Macaw ransomware variant, which is allegedly linked to the U.S. Treasury-sanctioned Evil Corp, a Russian cyber-crime syndicate, indicating that Russian-speaking ransomware actors continue to operate openly online in spite of US and international pressures.[13] Worse still, in both cases the ransomware actors exfiltrated sensitive corporate documents and databases as leverage to increase the ransom value, a tactic becoming more common throughout 2021.[14]

The fundamental coercive power of ransomware comes from hostage-taking, which is a tactic as old as time. From the Sphacterian hostages in the Peloponnesian War to the Barbary pirates, actors have used hostages to gain negotiating leverage to achieve their objectives. But never has it been so cheap, accessible, and hard to defend against. The strategic implications of this activity depend on the threat actor’s intent. Many of the actors responsible for ransomware attacks in 2021 are primarily financially motivated. But in allocating limited hacking resources to numerous potential targets financially motivated groups can take actions with political consequences. For instance, many Russia-based cyber-crime syndicates avoid attacking Russia and its allies. Credible reports allege the Russian government sometimes takes a cut of the profits of online criminal activity in exchange for protection from prosecution.[15] Russia may also allow state-sponsored cyber operators to conduct for-profit activities.[16] This ongoing criminal activity, like many cyber operations, gives Russia some deniability due to the attribution challenges in cyberspace. Chinese state intelligence agencies appear to operate similarly, leveraging cyber-criminal talent and techniques to act by with and through ransomware to collect information and damage targets while disguising their motives.[17] It also allows ransomware groups to work cross-purposes, selecting critical infrastructure targets that maximize extortion value or extracting sensitive data during their ransomware attacks, furthering Russian strategic interests in developing capabilities that impose costs on US economic activity, while earning cryptocurrency that is later spent, lavishly, in Russia.[18]

Strategic competition with Russia and China does not fully explain the ransomware phenomena, but rather shapes the playing field on which ransomware operations are conducted. Hackers that pick up the phone when Russian or Chinese intelligence services request information, share profits, or agree to not attack domestically secure themselves and their profits while imposing costs on US interests. Ransomware is one of many instances of cheap, widely available technologies proliferating to the detriment of existing state power structures (such as oversight of financial transactions or state borders that raised the costs of transnational crime) and overcoming expensive mitigation platforms.[19] The ability of cyber operations to impose high costs on major sectors of critical infrastructure with off the shelf RaaS is concerning, as a major international conflict would result in a much wider cyber campaign to impose costs, and its decentralized and partially automated natural eludes consequential deterrence methods apart from efforts to prevent funds reaching criminals. Even these relatively unsophisticated ransomware attacks are imposing unacceptable costs on the supply-chain. The rich ecosystem for online money laundering from cryptocurrency tumblers to non-fungible tokens require new law enforcement agency capabilities to manage.[20] Corporations hold powerful positions operating critical infrastructure but continue to attempt to avoid robust spending on information security, instead relying on ransomware insurance to prevent financial losses. Government and private industry must continue to ramp up cybersecurity efforts or the US risks facing strategic competition with hamstrung power, water, oil, or logistical capacity. The Cybersecurity and Infrastructure Security Agency (CISA) reported that ransomware groups have already gained control of water treatment industrial control systems and threatened to add lethal levels of chemicals to the water if they were not paid.[21] Further, data stolen as a component of ransomware attacks can later be sold to the highest bidder or passed to government actors, as seen in ransomware group data breaches of Lockheed Martin, General Dynamics, Boeing and SpaceX in 2020.[22]

A wide range of new cybersecurity laws proposed in U.S. Congress do not go far enough in imposing costs on businesses that do not take sufficient preventative actions to defend against ransomware, but then rely on government support to recover losses and recover from the damage. The 2021 NDAA grants CISA additional cyber authorities and creates reporting requirements for cyber-crime, but does not act to unify federal ransomware response.[23]  Senator Gary Peters (R-MI) stated in October 2021 that ransomware ‘changed the equation’ regarding threats to the homeland, and that new bills will need to be passed.[24] Competing counter-ransomware proposals by Elizabeth Warren (D-MA) and Marco Rubio (R-FL) suggest  leveraging the existing ransomware task force efforts and mandating victim reporting to CISA, developing ransomware exchange standards to aid attribution, and enhancing intelligence collection on ransomware threats.[25] These reporting requirements and authorities do not go far enough to force businesses to proactively harden their networks – fines should be leveraged and government support should be contingent on cooperation and prevention. Ransomware insurance should be regulated to prevent it becoming a backstop that makes ransomware more profitable. Ransomware mediation firms should be regulated for their close contacts with ransomware groups that may amount to collusion. Further, sanctions on legal entities that launder significant profits from cyber-crime should be sanctioned and international cooperation against ransomware should be strengthened to ensure ransomware operators are arrested or extradited. Offensive cyber operations must remain an option to shut down ransomware operations and seize cryptocurrency from jurisdictions where arrests are unlikely. Policymakers must continue to ramp up counter-ransomware efforts before the next critical infrastructure ransomware attack becomes deadly, as any ransomware group could potentially be paid to deploy lethal malware (also known as ‘kill-ware’) to increase coercive power, as threatened in the water treatment attacks.[26]

If the present is any indication, the private sector will continue to lag in implementation of costly cyber infrastructure standards until compelled by regulators. Future cyber-criminals are likely to use artificial intelligence to increase the complexity and scope of their operations. Ransomware groups are also likely to become mercenaries and proxies in future conflicts. Scalable public-private partnerships for defense networks, counter operation to impose costs, norms, international treaties and cooperation, and insurance industry standards are needed today to mitigate the threat. Like many of the problems the era of strategic competition poses, the best-case scenario is managing the problem; the rise of ransomware will end with the fall of its fortunes.