My Reflections on Combating Ransomware

Katie Nickels
Katie’s Five Cents
Apr 29, 2021

Ransomware is part of every company’s threat model. It’s a global security threat to organizations of all sizes. It has gotten out of control, and we simply can’t continue like this. Over the past year, I’ve become increasingly morose as I, like many of you, have watched network after network be compromised, resulting in real people’s lives being ruined. I’ve tried to share what I can from where I sit in the hopes that it helps others prevent ransomware. But I’ve come to realize that my efforts alone are not enough.

When I was asked to join the Ransomware Task Force (RTF), I was excited at the opportunity to come together with a bunch of smart people to see what we could come up with. Today, the RTF put out a comprehensive 81-page report providing a framework for combating ransomware, and I’m proud I had a part in it. I wanted to share some of my reflections on ransomware, the report, and what I think we need to do next.

The ransomware ecosystem

One of my key takeaways from being part of the RTF was how complex the ransomware ecosystem is and how each of us has only a narrow view of it. I frequently discuss this surrounding cyber threat intelligence—we need to share information with other teams because none of us see all the threats. This is true for the ransomware ecosystem too. As part of the task force, I heard experts in cryptocurrency talk about the winding path ransom payments take. I also heard experts in cyber insurance talk about the complexities of policies. They listened to me talk about all the “ransomware precursor” malware families and how defenders share information. I came to realize that we needed each other to broaden our view of the entire ecosystem.

Think about just some of the stakeholders involved in ransomware:

  • Cyber insurance companies
  • Lawyers
  • Law enforcement (all the way from local to global)
  • Cybersecurity vendors
  • Cryptocurrency exchange operators
  • Elected officials
  • Infrastructure providers
  • Intelligence agencies

Each of these stakeholders plays some role in combating ransomware. By taking the time to learn about these different perspectives — and educating others on our own perspective — we will build a better overall perspective of the ransomware ecosystem and how we can dismantle it.

We can’t do this alone

From talking to colleagues from different companies, sectors, and parts of the world, I came to an important realization. Ransomware is not a problem cybersecurity professionals can solve alone. Nor can policymakers. Nor can law enforcement. Nor can cyber insurance companies. Nor can creators of operating systems. It’s going to take all of us.

I’ve previously said things like “well, it’s on law enforcement to arrest the actors” or “it’s on operating system developers to make sure ransomware can’t spread.” What I’ve come to realize is that each of those individual actions will only affect part of this massive, global ransomware ecosystem. It’s unfair to put the ransomware problem on any one group, so I’m getting rid of that way of thinking in my mind. It’s going to take all of us working together to try to put a dent in this problem.

So you want to help?

We all have a role to play. If you want to help, I encourage you to read through the recommendations and think about what your role in helping to combat ransomware could be.

High-level recommendations from the RTF report

If you’re a defender, maybe you can help with goals 3 or 4, including actions like helping highlight available resources so organizations can better respond. If you’re involved in policymaking, maybe you can encourage those who make policies to implement some of these recommendations. For those based in the U.S., you could call up your elected officials and tell them that ransomware is a priority you care about (maybe you could even offer up your cybersecurity expertise if they need advice).

Another key action we can all think about is how we can improve sharing our perspective on the ransomware ecosystem. As I noted above, there are many different stakeholders, and they don’t all understand each other. If you’re a cybersecurity professional, how could you share your knowledge with a group like law enforcement or policymakers? Maybe you could take a simple step like reaching out to your local FBI field office or joining InfraGard. For good reasons, various groups of stakeholders may not trust each other. Based on what I’ve seen, though, there are a lot of good people from many different groups (including law enforcement) who are willing to work together with cybersecurity researchers. Building up trust between these different stakeholders is a great place to start, because trust is the basis for information sharing to follow. The longer we distrust others who are trying to help, the longer the adversaries are going to keep winning.

Another area where we can all take action is having difficult discussions about improving and expanding the information we share surrounding ransomware. Many of the RTF recommendations focus on voluntary or mandatory information sharing, and that’s for a good reason — if we don’t know the details of what’s happening around ransomware, it’s tougher to stop it. For any victim, there’s some level of risk in sharing details about what happened. However, there are ways to share relevant details about adversaries while still protecting privacy. It’s not easy, and it can be risky, but I think having difficult conversations about what we share with whom is an important action.

Just the beginning

One criticism of reports like this is that they aren’t taking action. That’s true. This report isn’t the end; it’s only the beginning. It’s a call to action and ideas from experts who have experienced ransomware firsthand. The recommendations aren’t perfect, and I don’t necessarily agree with all of them, but this is a starting point.

Ransomware sucks. It’s not going to get better overnight. But I have to believe that by working together and taking action, we can make it suck less. There’s too much at stake for me to believe anything else.

Katie Nickels
Katie’s Five Cents

I’m passionate about cyber threat intelligence, bringing women into cybersecurity, and Oxford commas.