Can ransomware threat unite global rivals? Don’t bet on it

Taylor Armerding
Published in Nerd For Tech
May 10, 2021

The fight against ransomware is going global — maybe.

An 81-page report released late last month by the Institute for Security and Technology’s Ransomware Task Force (RTF) and backed by dozens of tech organizations including giants like Microsoft, Cisco, Amazon Web Services, and FireEye, is calling for a public/private coalition to “disrupt the ransomware business model,” which it says has become “an urgent national security risk around the world.”

Among the government agencies represented in the RTF are the U.S. Department of Justice, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), the Secret Service, the FBI, Europol and the U.K. National Crime Agency.

To which just about anybody even dimly aware of the power, reach, and ongoing devastation of ransomware might declare, “It’s about time.” Because its use by attackers to encrypt the files of their victims and then demand payment (usually in cryptocurrency) in exchange for a decryption key or a promise not to make the stolen data public has been at epidemic levels for years.

Indeed, the ransomware attack that led to the indefinite shutdown last week of the Colonial Pipeline, the main fuel supply line to the U.S. East Coast, produced shocking headlines but shouldn’t have shocked anybody. Experts have been warning about the risk of such attacks for a decade or more.

The pipeline runs about 5,500 miles from Houston, Texas, to Linden, New Jersey, and carries gasoline, diesel, jet fuel and heating oil. The shutdown raised fears of a spike in gasoline prices. According to CISA, the intrusion is the work of a relatively new Russian ransomware gang known as DarkSide.

Good luck with that

So could an international campaign to disrupt the ransomware business model prevent catastrophic attacks like this? A cynic might declare, “Good luck with that.”

Because among the key recommendations (out of 48 total) in the report is a call for an international coalition to “create incentives to direct nation states away from providing safe havens to ransomware criminals.”

Those incentives aren’t specified, and the RTF didn’t respond to a request for comment. But it’s a major stretch to imagine hostile nation states like Russia, North Korea and Iran joining hands with their adversaries in the West to sing “We Shall Overcome Ransomware.”

Those nations, after all, aren’t simply safe havens for ransomware gangs. In some cases, they sponsor those gangs.

Sammy Migues, principal scientist with the Synopsys Software Integrity Group, noted that it hasn’t been possible to get universal cooperation on the basic fundamentals for controlling the spread of COVID: Wear a mask, wash your hands, social distance. “And that was life and death,” he said, adding that the world’s nations also haven’t reached consensus on other existential threats like nuclear weapons.

“It’s not even a pipe dream,” he said of global collaboration on ransomware. “There are always going to be havens for criminals and there will always be espionage. Even if we love each other we don’t trust each other.”

And he said while many of the recommendations make sense at an academic level, the practical reality is something else. “Who is really going to follow 48 recommendations?” he said.

Still, Migues and others say attention to ransomware, even if long overdue, is welcome. It has been an “urgent national security risk” for years. When it’s aimed at health care institutions and/or critical infrastructure — as is increasingly the case — it can have consequences well beyond financial, threatening the physical health and safety of its targets.

In the words of the report, “while ransomware is profit-driven and ‘non-violent’ in the traditional sense, that has not stopped ransomware attackers from routinely imperiling lives.”

4,000 attacks per day

And it has been a decade since it “moved to the big time,” as data security and analytics firm Varonis put it in a blog post titled “A Brief History of Ransomware,” spiking from about 60,000 attacks in 2011 to more than 720,000 by 2015. Now, according to the U.S. Justice Department, there are an average of 4,000 ransomware attacks per day, or about 1.46 million per year.

One tech website, Bleeping Computer, has been running a regular feature called “The Week in Ransomware” for years. It never lacks for material.

I noted in a post nearly three years ago that a “ransomware tsunami” was coming after municipalities started getting hit with attacks more regularly — and a number were paying the demands.

And besides the Colonial Pipeline attack, in recent days there were also headlines reporting:

  • Scripps Health’s hospital system was hit with a ransomware attack that disrupted care, forcing it to stop patient access to its online portal, postpone appointments, and divert some critical-care patients to other hospitals. According to the San Diego Union-Tribune, electronic medical records were inaccessible, forcing staff to use paper records. The attack also affected telemetry, the electronic monitoring of patient vital signs, “a critical function that has long been automated at modern hospitals but one that can be performed manually if necessary.”
  • The ransomware gang Babuk threatened to leak 250 gigabytes of data stolen from the Washington DC Metropolitan Police Department, including police reports, internal memos, and arrested people’s mug shots and personal details, some of which could endanger police informants.

So yes, if there’s a way to make this catastrophic madness stop, it’s long past time to do it. The question, of course, is whether the RTF’s proposals can be executed effectively and whether they will work.

For starters, they look to be changing the standard of how to disrupt the ransomware business model.

For most of ransomware history, the bulk of the responsibility has been on individual organizations to implement well-established security measures to prevent those attacks or, if they do get breached, to be prepared to respond.

By now they should be familiar: create regular data backups that aren’t connected to your network; build security into your software and keep it up to date; train your employees to spot phishing attempts; apply the “principle of least privilege” to employees by limiting their access to only what’s required to perform their jobs; segment your network, so if attackers breach one component they don’t have access to all of it; and improve your security “hygiene” with virtual private networks and protective domain name systems.

The RTF’s priority recommendations don’t abandon individual responsibility entirely, but put most of the emphasis on the coalition of government and private sector organizations. The recommendations include:

  • Diplomatic and law enforcement efforts focused on “a carrot-and-stick approach to direct nation states away from providing safe havens to ransomware criminals.”
  • The U.S. should lead “a sustained, aggressive, whole of government, intelligence-driven anti-ransomware campaign, coordinated by the White House.”
  • Governments should establish cyber response and recovery funds to support ransomware response and other cybersecurity activities, mandate that organizations report ransom payments, and require organizations to consider alternatives before making payments.
  • Launch an international effort to develop “a clear, accessible, and broadly adopted framework to help organizations prepare for, and respond to, ransomware attacks.”
  • Governments should impose tighter regulation of cryptocurrency, an enabler of ransomware crime. This should cover “cryptocurrency exchanges, crypto kiosks, and over-the-counter trading ‘desks’ to comply with existing laws, including Know Your Customer, Anti-Money-Laundering, and Combatting Financing of Terrorism laws,” the report said.

There are 40-plus more recommendations, but those are the biggies. So how are they going over with the cybersecurity community? The reviews are mixed.

Boris Cipot, senior security engineer with the Synopsys Software Integrity Group, calls it “the right way forward,” but adds that it’s coming very late in the game. The proposals, he said, are addressing an “ongoing catastrophe,” much of which could have been prevented if software development standards, cryptocurrency regulation, and information sharing about attacks “had been handled as a part of normal operations in the past rather than now with a task force.”

Josephine Wolff, assistant professor of cybersecurity policy at the Tufts Fletcher School of Law and Diplomacy, said many of the recommendations are “very sensible,” but noted that the real challenge is “figuring out what it would mean to create incentives to direct nation states away from providing safe havens to ransomware criminals or tighten regulation of the cryptocurrency sector or disrupt the ransomware business model.”

Not to mention that “it depends tremendously on how many countries — and which ones — get on board. I have a hard time imagining Russia or North Korea suddenly switching course to curb ransomware since their governments are fairly closely tied to some of the major ransomware initiatives originating in those countries,” she said.

Cipot agrees. “Realistically there’s no chance to succeed in this,” he said. “Where is the motivation for Russia, for example, to hunt down hackers who don’t endanger the Russian state or the ones living there?”

“There are known cases where malware first checked if the computer locale was in Russia and if it was, it didn’t execute. So the hackers made sure the Russian authorities weren’t interested in hunting them down. And Russia is just one example,” he said.

And when it comes to giving private sector companies incentives to report attacks and ransomware payments, the only government incentives so far are punitive. A memo from the U.S. Department of the Treasury last October warned of the “sanctions risk” against any entities, including financial institutions, cyber insurance firms, and companies involved in digital forensics and incident response that “facilitate ransomware payments to cyber actors on behalf of victims.”

The RTF calls for a response and recovery fund to help organizations with alternatives to paying the ransom. But the reality is that most organizations need their data decrypted, and quickly, simply to stay in business. They are unlikely to be interested in applying to a government bureaucracy for some recovery funds that they might or might not get.

Migues said the war on ransomware is likely to be very long, because while knowledge about it and what to do about it are well established, there aren’t enough qualified people to fill open cybersecurity jobs and the technology in existing products, from routers to critical infrastructure to the Internet of Things “isn’t currently adaptable to the evolving threat model.”

Indeed, organizations apparently have difficulty keeping up even with known threats. “There are still thousands of sites out there vulnerable to Heartbleed,” Migues said, referring to the notorious software vulnerability that became public in 2014.

Cipot said security basics will be more effective than grand plans. “I’d rather put the effort into cyber hygiene, and then work on diplomatic agreements with other countries,” he said.


I’m a security advocate at the Synopsys Software Integrity Group. I write mainly about software security, data security and privacy.