Frameworks, Guidelines & Bounties Alone Won't Defeat Ransomware

COMMENTARY

The US government is ramping up efforts to stem the increasingly disruptive scourge of ransomware attacks. For example, the State Department recently offered up to $15 million for information on LockBit, and $10 million for information on the BlackCat/ALPHV or Hive ransomware gangs. 

Where these bounties might be most effective is in enticing operators to "out" rival threat actors, or disgruntled affiliates to exact some revenge if they are cheated out of their cut of a ransom. However, the conditions that need to be met in order to collect these bounties are rigorous, and the payouts represent a tiny fraction of the revenue ransomware operators and their partners are realizing, leaving little incentive to cooperate with authorities.

So, is the government doing enough? Is a criminal law enforcement approach to this threat really going to make a dent in attacks? Are adversarial nations taking advantage of this big gray area that is the nexus of cybercriminal and nation-state operations? 

Ransomware Operators as Nation-State Proxies

We know rogue nations like Russia support ransomware operations, and they provide a safe harbor for attackers. A recent report by Chainalysis assessed that 74% of all the illicit revenue generated by ransomware attacks during 2021 went to Russia-linked attackers, the lion's share of ransomware proceeds. 

We cannot discount the potential dual nature of many of today's ransomware attacks. There is plenty of overlap between cybercriminal activity and nation-state operations, as evidenced by shared tooling and attack infrastructure. Using ransomware gangs as proxies provides plausible deniability for nations like Russia, while leveraging them in a larger geopolitical strategy. 

Nations like Russia have zero interest in relinquishing such valuable assets to Western authorities. Don't let the faux "takedowns" the Russian government has touted fool you — they are purely a publicity stunt, and no more.

Designating Some Ransomware Attacks as Terrorism

Ransomware attacks targeting critical infrastructure providers like healthcare organizations have crossed the line from cybercriminal activity to a serious national security threat. It's no longer just speculation as to whether ransomware attacks are threatening lives. 

When remote attackers disrupt systems critical to care and hold dozens of healthcare providers and their patients to ransom, we simply call it an IT security event and the government response is to offer more guidelines and frameworks. But if hundreds of gunmen coordinating with an adversarial nation entered dozens of hospitals and held the staff and patients hostage, preventing the administration of care for days on end, would offering the hospital guidelines on how to detect gunmen be an acceptable government response?

A recent report by Ponemon found a direct link between ransomware attacks and negative patient outcomes: 68% of survey respondents said ransomware attacks disrupted patient care; 46% noted increased mortality rates; 38% noted more complications in medical procedures. Other research found that between 2016 and 2021, ransomware attacks contributed to between 42 and 67 patient deaths, as well a staggering 33% increase in death rates per month for hospitalized Medicare patients. There is definitely a case to be made to designate some of these attacks as acts of state-supported terrorism. 

Some might argue that the lack of a clearly stated political motive behind ransomware operations means that, while an attack on a hospital that disrupts patient care and leads to negative outcomes could be described as inflicting terror, it would not necessarily meet the definition of terrorism.

However, executive order 13224, issued by the George W. Bush administration in September 2001, does not support that conclusion, and seems to be clearly applicable to some ransomware attacks, such as those against healthcare providers:

"For the purpose of the Order, 'terrorism' is defined to be an activity that (1) involves a violent act or an act dangerous to human life, property, or infrastructure; and (2) appears to be intended to intimidate or coerce a civilian population; to influence the policy of a government by intimidation or coercion."

Cybercriminal activity is the purview of law enforcement. They investigate, collect evidence of a crime, indict, and prosecute when possible. So far this has only resulted in a few arrests, mostly of low-priority suspects. But if we designate these attacks as threats to national security, there are different rules of engagement that would go far beyond mere indictments, and can include offensive actions deemed appropriate and proportional, both cyber and kinetic. 

The Hard Truth: Guidelines and Frameworks Are Not Enough

Organizations that are the victims and potential victims of these attacks have largely been left to fight this battle on their own while getting little to no protection from the government. Unless and until the US and allied governments make this determination, there are few real consequences for these threat actors while targeted organizations are still left to fend for themselves. While guidelines and frameworks are useful, they are still "do-it-yourself" approaches to a threat that clearly rises to the level of a national security issue. 

We need more than vanilla government public relations programs to combat ransomware attacks. It is imperative that the US government and allied nations that are the targets of these attacks differentiate at least a portion of them by reclassifying them as terrorist acts so we can leverage some new tools in this fight. Otherwise, it will be a long, hard, lonely road ahead for ransomware victims.