Ransomware is now a national security risk. This group thinks it knows how to defeat it
Ransomware is a growing international problem and it needs global cooperation in order to prevent attacks and take the fight to the cyber criminals behind the disruptive malware campaigns.
A paper by the Institute for Security and Technology’s (IST) Ransomware Task Force (RTF) – a coalition of cybersecurity companies, government agencies, law enforcement organisations, technology firms, academic institutions and others – has 48 recommendations to help curb the threat of ransomware and the risk it poses to businesses, and society as a whole, across the globe.
Members of the group include Microsoft, Palo Alto Networks, the Global Cyber Alliance, FireEye, Crowdstrike, the US Department of Justice, Europol and the UK’s National Crime Agency.
Some of the solutions suggested include governments giving a helping hand to organisations affected by ransomware and providing them with the required cybersecurity support so they don’t fall victim in the first place.
Others focus on more direct action, such as taking the fight to ransomware gangs by disrupting their infrastructure, or even regulating Bitcoin and other cryptocurrencies that cyber criminals use to anonymously demand ransom payments from victims.
Ransomware attacks involve cyber criminals compromising the networks of organisations – often via phishing attacks, stolen Remote Desktop Protocol (RDP) credentials or exploiting software vulnerabilities – and then encrypting as many files and servers with malware as possible.
Organisations will in many cases only become aware they’ve been infected when they see a ransom note on the screens of machines across their network. Often, the victims feel as if they’ve got no option but to pay the ransom – which can amount to millions of dollars – in order to restore the network.
Ransomware has been around for a number of years, but the cyber criminals behind the attacks are getting bolder, demanding ever-growing ransoms from targets and in many cases blackmailing organisations into payment by threatening to leak sensitive data stolen from the compromised network.
And it isn’t just sophisticated criminal gangs that are causing problems; the rise of ransomware as a service means that almost anyone with the skills required to navigate underground forums on the dark web can acquire and use ransomware, safe in the knowledge that they’ll probably never face being arrested for their actions.
“The tools are available to malicious actors to ramp up the scale of what they want to do and be able to get away with it. That’s what happens as technology diffuses into society and you have inadvertent ramifications which have to be dealt with,” says Philip Reiner, executive director of the RTF and CEO of IST.
“We’re grappling with that as a global society and we have to come up with better solutions for the problems it presents.”
Ransomware isn’t new, it’s existed in one form of another for decades and the threat has been rising over the past five years in particular. While it’s perceived as a cybersecurity problem, a ransomware attack has much wider ramifications than just taking computer networks offline.
But many organisations still aren’t taking the necessary precautions to protect against ransomware, such as applying security patches, backing up the network or avoiding the use of default login credentials. These concerns are viewed as issues for IT alone, when in reality it’s a risk that needs the focus of the entire business.
“We have to stop seeing leaders think of this as a niche computer problem; it’s not, it’s a whole business event. You should think about ransomware in the same way you think about flooding or a hurricane – this is a thing that will close your business down,” says Jen Ellis, vice president of community and public affairs at Rapid7 and one of the RTF working group co-chairs.
“But we don’t. We think about it as a niche computer event and we don’t recognise the impact it has on the entire business. We don’t recognise the impact it has on society.”
In 2017, the global WannaCry attack demonstrated the impact ransomware can have on people’s everyday lives when National Health Service (NHS) hospitals across the UK fell victim to the attack, forcing the cancellation of appointments and people who came for treatment being turned away.
But years later, the problem of ransomware has got worse and in some cases hospitals around the world are now actively being targeted by cyber criminals.
“You would think there would be no greater wake-up call than that, yet here we are years later having these same conversations. There’s a real problem with how people think about and categorise ransomware,” says Ellis.
To help organisations recognise the threat posed by ransomware – no matter the sector their organisation is in – the RTF paper recommends that ransomware is designated a national security threat and accompanied by a sustained public-private campaign alerting businesses to the risks of ransomware, as well as helping organisations prepare for being faced with an attack.
But the Ransomware Task Force isn’t just suggesting that governments, cybersecurity companies and industry are there to help organisations know what to do if faced by a ransomware attack – one of the key recommendations of the report is for cybersecurity companies and law enforcement to take the fight to the cyber-criminal groups behind the attacks.
A recent operation involving Europol, the FBI and other law enforcement agencies around the world resulted in the takedown of Emotet, a prolific malware botnet used by cyber criminals – and something that had become a key component of many ransomware attacks.
Many cyber criminals switched to using other malware like Trickbot, but some will have taken the fall of Emotet as a sign to give up, because finding new tools makes it that little bit harder to make money from ransomware.
“If you’re screwing with infrastructure, like going after Emotet, you’re making it harder,” says Chris Painter, president of the Global Forum on Cyber Expertise and former senior director for cyber policy at the White House.
In line with this, the paper recommends that the pace of infrastructure takedowns and the disruption of ransomware operations should increase – ultimately with the aim of arrests and bringing criminals who develop and deploy ransomware to justice.
It’s notoriously difficult to apprehend members of ransomware groups, especially when it’s an international problem. More often than not, the organisation that comes under a ransomware attack faces an extortion demand from someone who is in another country entirely.
And that’s a particular problem for European and North American governments, when large quantities of ransomware attacks by some of the most prolific groups appear to originate from Russia and former-Soviet states – countries that are highly unlikely to extradite suspected cyber criminals.
But identifying cyber criminals isn’t impossible – the United States has indicted individuals from Russia for the NotPetya cyberattacks, as well as naming and shaming three North Koreans for their involvement in the WannaCry ransomware attack. Meanwhile, Europol has previously arrested individuals for being involved in ransomware attacks, demonstrating that, while difficult, it isn’t impossible to track cyber criminals down and bring them to justice.
One key factor that has allowed ransomware to succeed is that attackers are able to demand payments in Bitcoin and other cryptocurrency. The nature of cryptocurrency means that transactions are difficult to trace and, by the time the Bitcoin has been laundered, it’s almost impossible to trace back to the perpetrator of a ransomware attack.
The Ransomware Task Force suggests that in order to make it more difficult for cyber criminals to cash out their illicit earnings, there needs to be disruption of the system that facilities the payment of ransoms – and that means regulating Bitcoin and other cryptocurrency.
“It’s recognising that cryptocurrency has a place and there’s a reason for it, but also recognising that it’s notoriously being used by criminals – is there more that can be done there to make it harder for criminals to use it, or make it less advantageous to them,” says Ellis.
Recommendations in the report for decreasing criminal profits include requiring cryptocurrency exchanges to comply with existing laws and to encourage information exchange with law enforcement.
The idea is that by applying additional regulation to cryptocurrency, it allows legitimate investors and users to continue using the likes of Bitcoin and Monero, but makes it harder for cyber criminals and ransomware gangs to use it as an easy means of cashing what they’ve extorted out of victims – to the extent that, if it’s too difficult, they won’t bother with attacks in the first place.
“If they’re using cryptocurrencies as a way to hide, if you have more compliance with existing regulations, it makes it tougher for them,” says Painter.
The paper offers 48 recommendations and has been presented to the White House. It’s hoped that with cooperation across the board, businesses can be provided with the tools required to prevent ransomware attacks, governments can get more hands-on with providing help, and law enforcement can hunt down ransomware attackers – but it’s only going to work if ransomware is viewed as global problem, rather than one for individual organisations or governments to fight alone.
“What’s really important is that this has an international perspective on it, because it’s not an American problem, it’s an international problem,” says Reiner.