Synopsis
The cybersecurity challenges facing society today have the potential to be as consequential and complex as other transnational threats. Countering them will require cooperation by the entire cybersecurity community and by many who consider themselves well outside the cyber community. Fortunately, there are many different avenues for advancing the cyber industry’s body of knowledge and building and enhancing cooperative relationships. This paper examines the reasons why cyber cooperation is needed urgently and discusses possible avenues for collaboration.
Cyberattacks Are on a Roll: Frequent, Costly, and Damaging
Once only the stuff of science fiction, cyberattacks are now so common, and such a serious threat, that the U.S. government recently compared them to the terrorism threat after 9/11. (1) Cyber threat activity is not new, but it is both increasingly common and increasingly disruptive to daily life. Research shows ransomware incidents are growing by nearly every measurable metric. According to a survey by Sophos, the number of ransomware victims worldwide fell during the early part of 2021 when compared to the same time period in 2020 (probably due to better targeting by threat actors), but more of the organizations that were victims paid ransoms than in the previous year, and ransom amounts more than doubled in the course of one year. (2)
The impact of ransomware attacks on daily life also seems to be growing in severity: in May, an attack on Colonial Pipeline caused a major gasoline shortage across the eastern United States in an attack that more deeply entrenched “ransomware” as a household word. (3) Since then, ransomware attacks and other forms of cybercrime have disrupted daily life around the world via attacks on education institutions (4), international IT software manager Kaseya (which prompted business shutdowns around the world) (5) and various government websites. (6,7,8) Government attention to ransomware is also growing. The October 2021 Joint Statement of the Counter Ransomware Initiative – a meeting of 31 national government representatives – described ransomware as “an escalating global security threat with serious economic and security consequences.” (9)
Cyber Threats Thrive Where Opportunity, Capability, and Impunity Meet
Cyber threat actors’ success is due in part to the current environment where the rewards of a successful ransomware attack greatly outweigh the risks. Put differently, ransomware is an extremely lucrative moneymaking scheme requiring a relatively small investment.
Threat actors can easily procure ransomware attack tools and deploy them with little fear of attribution or prosecution. They do not need the support of powerful nation-states that seek to further a political agenda through asymmetric means; in fact, the tools and expertise required to carry out a ransomware attack are available to anybody curious and opportunistic enough to find them online. Thanks to the software as a service (SaaS) business model, the barrier to entry for a cyberattack has dropped in recent months. For details on this topic, check out EclecticIQ’s previous research on readily available tools for novice potential threat actors.
Another aspect of the low risk for ransomware attackers is their relative anonymity. Attributing an attack to a group or individual is difficult: it requires a massive investment in time and expertise that could divert valuable resources needed for recovery from an attack. In many cases, ascribing attribution would require disclosing sensitive research methods. Even if a victim sought to name their attacker, the group or individual may operate beyond the reach of national law enforcement, making prosecution nearly impossible.
The Cybersecurity Community, Businesses, and Industry Play Catch Up
Businesses far too often find themselves behind the curve in their efforts to counter, prevent, or respond to ransomware. A victim’s cost/benefit analysis is very likely to favor paying ransoms and trying to end the ransom event as soon as possible, for several reasons. Operational shutdowns, brand or reputation damage, a drop in stock price, and the potential for follow-on cyberattacks are factors that skew decision making in favor of paying ransoms quickly. After a ransomware attack shut down his company’s gasoline distribution pipeline, the CEO of Colonial Pipeline put it this way when asked about his decision to pay a $4.4 million ransom: “I didn't make it lightly. I will admit that I wasn't comfortable seeing money go out the door to people like this…But it was the right thing to do for the country." (10)
To date, government actions to address the threat have been primarily reactive and strategic, rather than focused on demonstrating the ability to dismantle ransomware operations. In addition to hosting the aforementioned Counter-Ransomware Initiative, U.S. authorities recently sanctioned a cryptocurrency distributor (11) for its role in facilitating ill-gotten gains from ransomware attacks. The United Kingdom in November 2020 announced the creation of a National Cyber Force, which will bring together experts from across government to conduct both defensive and offensive cyber operations (12). For its part, Australia’s Department of Home Affairs announced in October 2021 its Ransomware Action Plan, which will direct efforts to one of three lines of effort: “prepare and prevent,” “respond and recover,” and “disrupt and deter.” (1) Many other governments are also pursuing various efforts to counter ransomware.
While all these steps are necessary and important, they will have little impact on deterring ransomware operations in the near term. Strategic steps like these must be translated into initiatives to be implemented, evaluated, and adjusted. Even the best efforts are limited by budgets and competing priorities and could take years to implement—during which time threat actors also continue advancing.
Countering Ransomware Will Require Strategic Thinking and Creative Problem Solving
How can members of the cybersecurity community work together to more effectively counter ransomware and other types of cyber threats? With the reach of cybercrime growing, even the public is beginning to see the disruptive effects of cybercrime. This awareness means the timing is right to pursue all types of solutions for countering cybercrime. It also means that attitudes must shift to acknowledge that cybersecurity is no longer just a “cyber” issue, nor an issue that only governments can and should address. In an ideal scenario, the “cybersecurity community” would include everybody who uses the internet, an email account, or a smartphone. Cybersecurity should not be a technology specialization; instead, the principles and importance of good cyber hygiene should be common knowledge.
Some aspects of countering cybercrime are inherently governmental. Progress on these issues will depend upon diplomatic outreach to the governments of nation-states where ransomware actors operate, among them Russia, China, and North Korea. Nonetheless, there are many other opportunities for industry, academia, and even individuals to be part of the cybersecurity solution. These opportunities center on information sharing, resilience, and learning more about the problem.
The ideas below could move the cybersecurity community forward along several different lines of effort.
- Ransomware and other cybercrimes must be both clearly defined – preferably in a consistent way across national borders, industry sectors, and government entities. This definition should emphasize that ransomware and similar actions are just as criminal as a physical assault or theft. It is critical to reach the consensus that ransomware is a punishable offense.
- Right now, the barriers to meaningful public-private collaboration are too high. Governments should assist the private sector by adopting policies incentivizing cyber resilience and reporting cybercrimes to law enforcement. In turn, industry should view cyberattacks not as attacks against a single company, but rather threats to an industry vertical and to society. Such a viewpoint would necessitate cooperation and communication over secrecy.
-
Cybersecurity experts, victims of ransomware, and industry leaders should expand the definition of “damage” from a ransomware attack beyond ransom monies paid. Calculations should include an estimate of the value of intellectual property stolen, productivity lost during an attack, and the cost of recovery in the aftermath. Only with a clear-eyed view of the costs will the community be able to articulate the need for a cyber defense strategy and resources.
- Academia should study cybercrime as it does other forms of conflict. Research into the inner workings of threat groups and their life cycles, ransom processes, effectiveness, etc., should include case studies on previous attempts to take down cyber gangs (such as Trickbot) and their effectiveness.
Outlook
Ransomware Operators Have the Upper Hand for Now
Cybercriminal groups will continue developing new attack techniques to deploy alongside tried-and-true methods for as long as ransomware remains lucrative and relatively easy. To put the balance back in their favor, the government, industry, and the public must shift expectations about the threat of cybercrimes and adopt new norms to make cybercrimes more difficult and riskier to carry out. Getting there will require coordinated, long term education and cooperation initiatives, but those efforts will be well worth the resulting resilience and security.
References
- The New York Times. 4 June 2021. https://www.nytimes.com/2021/06/04/us/politics/ransomware-cyberattacks-sept-11-fbi.html
- HelpNetSecurity. 28 April 2021.
https://www.helpnetsecurity.com/2021/04/28/ransom-paid/ - National Public Radio. 11 May 2021.
https://www.npr.org/2021/05/11/996044288/panic-drives-gas-shortages-after-colonial-pipeline-ransomware-attack - We Live Security. 9 Sept 2021.
https://www.welivesecurity.com/2021/09/09/howard-university-cyberattack-suspends-classes/ - Kaseya. July 2021.
https://helpdesk.kaseya.com/hc/en-gb/articles/4403440684689-Important-Notice-August-4th-2021 - Government Technology. 6 August 2021. https://www.govtech.com/security/ransomware-shuts-down-online-services-in-joplin-mo
- Italy 24 News. 1 August 2021.
https://www.italy24news.com/News/141464.html - ZDNet. 20 July 2021.
https://www.zdnet.com/article/hundreds-of-touchscreen-ticket-machines-are-offline-after-a-ransomware-attack/#ftag=RSSbaffb68 - The White House. 14 October 2021.
https://www.whitehouse.gov/briefing-room/statements-releases/2021/10/14/joint-statement-of-the-ministers-and-representatives-from-the-counter-ransomware-initiative-meeting-october-2021/ - Fox Business. 19 May 2021.
https://www.foxbusiness.com/business-leaders/colonial-pipeline-ceo-why-paid-hackers-millions-ransom - U.S. Department of the Treasury. 21 September 2021. https://home.treasury.gov/news/press-releases/jy0364
- Government of the United Kingdom. 3 October 2021. https://www.gov.uk/government/news/permanent-location-of-national-cyber-force-campus-announced#history
- Department of Home Affairs (Government of Australia). October 2021. https://www.homeaffairs.gov.au/cyber-security-subsite/files/ransomware-action-plan.pdf
About EclecticIQ Threat Research
EclecticIQ is a global provider of threat intelligence, hunting and response technology and services. Headquartered in Amsterdam, the EclecticIQ Threat Research team is made up of experts from Europe and the U.S. with decades of experience in cyber security and intelligence in industry and government. EclecticIQ’s Threat Research team strives to apply the analytic rigor principles of U.S. Intelligence Community Directive 203 to its analysis—please click on the link for more detail.
We would love to hear from you. Please send us your feedback by emailing us at research@eclecticiq.com.
