Frameworks, guidelines and bounties alone will not defeat ransomware

COMMENT

The US government is stepping up efforts to stem the increasingly disruptive scourge of ransomware attacks. For example, the State Department recently offered up to $15 million for information on LockBit and $10 million for information on the BlackCat/ALPHV or Hive ransomware gangs.

Where these bounties might be most effective is in getting operators to “eliminate” rival threat actors, or in prompting disgruntled affiliates to exact some revenge if they are cheated out of their share of a ransom. However, the conditions that must be met to collect these rewards are stringent, and the payments represent a small fraction of the revenue that ransomware operators and their partners are making, leaving little incentive to cooperate with authorities.

So is the government doing enough? Will a criminal law enforcement approach to counter this threat really be able to make a dent in attacks? Are adversary nations taking advantage of this large gray area that forms the nexus between the operations of cybercriminals and nation-states?

Ransomware operators as nation-state proxies

We know that rogue nations like Russia support ransomware operations and provide a safe haven for attackers. A recent Chainalysis report estimated that 74% of all illicit revenue generated by ransomware attacks during 2021 went to Russia-linked attackers: the lion’s share of ransomware proceeds.

We cannot ignore the potential dual nature of many of today’s ransomware attacks. There are numerous overlaps between cybercriminal activity and nation-state operations, as evidenced by shared tools and attack infrastructure. Using ransomware gangs as a proxy provides plausible deniability for nations like Russia, while also folding them into a broader geopolitical strategy.

Nations like Russia have no interest in handing over such precious assets to Western authorities. Don’t be fooled by the fake “takedowns” advertised by the Russian government: they are a publicity stunt and nothing more.

Designate some ransomware attacks as terrorism

Ransomware attacks targeting critical infrastructure providers such as healthcare organizations have crossed the line between criminal cyber activity and a serious threat to national security. Whether ransomware attacks threaten lives is no longer a matter of speculation.

When remote attackers disrupt critical care systems and demand ransom from dozens of healthcare workers and their patients, we simply call it an IT security event, and the government’s response is to offer more guidelines and frameworks. But if hundreds of gunmen, coordinating with an adversary nation, entered dozens of hospitals and took staff and patients hostage, preventing treatment from being administered for days on end, would offering hospitals guidelines on how to spot the gunmen be an acceptable response from the government?

A recent report from Ponemon found a direct link between ransomware attacks and adverse patient outcomes: 68% of respondents said ransomware attacks disrupted patient care; 46% noted increased mortality rates; and 38% noticed more complications in medical procedures. Other research found that between 2016 and 2021, ransomware attacks contributed to the deaths of 42-67 patients, as well as a staggering 33% increase in the monthly death rate for hospitalized Medicare patients. There is certainly reason to view some of these attacks as acts of state-backed terrorism.

Some might argue that the lack of a clearly stated political motive behind ransomware operations means that, although an attack on a hospital that disrupts patient care and leads to adverse outcomes could be described as inflicting terror, it would not necessarily meet the definition of terrorism.

However, Executive Order 13224, issued by the George W. Bush administration in September 2001, does not support this conclusion and appears to be clearly applicable to some ransomware attacks, such as those against healthcare providers:

“For purposes of the Order, ‘terrorism’ means an activity that (1) involves a violent act or an act dangerous to human life, property, or infrastructure; and (2) appears to be intended to intimidate or coerce a civilian population, or to influence a government’s policy through intimidation or coercion.”

Cybercriminal activity is the responsibility of law enforcement. They investigate, gather evidence of a crime, and charge and prosecute when possible. So far this has resulted in only a few arrests, mostly of low-priority suspects. But if we define these attacks as threats to national security, a different set of rules of engagement applies, going well beyond indictments and potentially including offensive actions deemed appropriate and proportional, both cyber and kinetic.

The hard truth: guidelines and frameworks are not enough

Organizations that have been victims, or are potential victims, of these attacks have largely been left to fight this battle alone, with little to no government protection. Unless and until the United States and allied governments make this decision, there will be few real consequences for these threat actors while the targeted organizations are left to their own devices. While guidelines and frameworks are helpful, they are still do-it-yourself approaches to a threat that clearly rises to the level of a national security issue.

We need more than government public relations programs to combat ransomware attacks. It is imperative that the US government and the allied nations targeted by these attacks single out at least some of them by reclassifying them as terrorist acts, so that new tools can be brought to bear in this fight. Otherwise, the road ahead for ransomware victims will be long, difficult and lonely.
