President Biden faces the first major test of his administration following the single largest global ransomware attack to date and a possibly linked supply chain attack that breached a contractor used by the Republican National Committee.
It seems ironic these attacks happened around the time of our nation’s celebration of independence from foreign powers. During President Biden’s Geneva summit meeting with Russian President Vladimir Putin, he warned that further attacks on infrastructure critical to the national security of the United States would be met with decisive action. Experts believe these recent attacks may signal a test of Biden’s resolve.
We are not convinced the response matters. A cyber war of attrition has been underway between the world’s superpowers for decades. We need to refocus our attention on the threat, which is the increasing tendency to normalize ransomware as a fact of life.
Alongside the proliferation of ransomware gangs and their affiliates, there is a running narrative about the sophistication of the organizations that control them and their methodologies. What was once a nuisance primarily targeting individual devices has evolved into a large-scale criminal enterprise, complete with affiliate programs, tech support, and corporate structure. Ransomware syndicates are now a subject of fascination for many. And for understandable reasons.
In June, the LockBit ransomware gang announced an update that boasted about its unparalleled “encryption speed and self-spread function.”
“The only thing you have to do is to get access to the core server,” they pitched new business prospects and existing customers. “LockBit 2.0 will do the rest.”
LockBit is by no means alone in taking a corporate approach to digital extortion. A group known as HimalayA recently trawled for new affiliates by promising a discounted 30% commission rate, and touted its nonpareil communications with victims. Examples abound of ransomware gangs behaving like multi-level marketing companies.
On the legitimate side of the ransomware economy, businesses and other organizations are increasingly accommodating these threat actors.
Several cyber insurance providers cover the cost of ransom, at least in part, in their policies. Technical and security consultants, most notably Booz Allen, have added both ransomware negotiation and payment to the services they offer. Tax consultants have started to recommend victimized organizations deduct ransom payments as legitimate business expenses.
Our friend and colleague Ondrej Krehel, co-founder and CEO of the cybersecurity consulting firm LIFARS, recently likened the rise of ransomware-as-a-service (RaaS) syndicates to venture capital firms. Cyber risk analytics provider CyberCube recently compared them to drug cartels.
The comparisons are apt, but likening ransomware operations to other lionized enterprises, regardless of which side of the law those enterprises operate on, risks downplaying the severity of the threat they pose.
Ransomware gangs and the RaaS operators build their malware, recruit and support programmers and technicians, and constantly refine their code to stay ahead of security patches and detection as well as of the competition. In other words, they operate like many businesses. But unlike most organizations, these gangs answer to no authority, so long as they avoid Russian-speaking targets.
The similarity to legitimate business ends there. Victims who pay ransoms do not always regain access to their data; RaaS affiliates do not always get paid; ransomware gangs can suddenly retire or vanish altogether; and stolen intellectual property and data can be resold or reused. While tech moguls are subject to SEC filings over tweets, can be compelled to testify before Congress, and answer to a codex of governing laws, no such structure or accountability exists for ransomware gangs.
The combination of no consequences and no logistical constraints has driven an evolution in the speed and sophistication of ransomware operations unlike anything else we have witnessed in the public sector.
Never has a crime offered such potential for financial reward with such limited risk as ransomware currently does. Leveraging stolen account credentials from a data breach to commit identity theft seems like backbreaking labor in comparison to the affiliate's routine: infect a system with malware (often by sending a well-aimed email attachment), collect a share of the spoils, and move on to the next target.
Relying on third-party services to negotiate and handle payments, and counting on insurance policies and tax deductions to lessen the blow, provide a tremendous incentive for ransomware gangs to continue to evolve and improve their methods. It will get worse. We need to rethink ransomware deterrence, and resist the urge to normalize or monetize our response.