Security news that informs and inspires

Ransomware Safe Havens, Reporting Inconsistencies Trouble Authorities


Despite the U.S. government adopting many recommendations by the Ransomware Task Force in combating ransomware, authorities still grapple with several challenges that enable the ransomware ecosystem to thrive.

While the U.S. government has taken several significant steps to combat ransomware over the past year, authorities are still struggling to crack down on key factors that form the backbone of the ransomware ecosystem, including the safe haven countries that allow ransomware gangs to operate within their borders, and the lack of consistent reporting on ransomware incidents.

These challenges were discussed during a Friday event by the Institute for Security and Technology’s Ransomware Task Force (RTF), a coalition of more than 60 industry, government and law enforcement experts that a year ago released a report outlining the top gaps in the current security ecosystem enabling ransomware attacks and 48 recommendations for both businesses and the U.S. government. Since then, the RTF said, the U.S. government has adopted 12 of these recommendations and has started taking preliminary action on 29 of them. The most notable steps by the government in response to RTF’s recommendations have included the 60-day Ransomware Sprint launched by the Department of Homeland Security in an effort to tackle ransomware more effectively, as well as the Department of Justice’s (DoJ) Ransomware and Digital Task Force launched in July as a way to enhance and centralize internal tracking of investigations and prosecutions of ransomware groups.

However, these efforts are still not fully effective in extinguishing ransomware gangs protected by safe haven countries, which enable the actors to operate freely within their borders without consequence. The RTF said that for the most part, countries like Russia remain undeterred from providing the safe haven that was identified as a core issue in its original report, despite Russian authorities arresting 14 alleged REvil members in January.

“The primary challenge has been incentivizing global cooperation and action, particularly with Russia,” according to the RTF. “While Russia did arrest a handful of ransomware actors and seize their related financial assets, it has done so in such a way that indicates a belief that the potential repercussions for broader inaction are easily sustained.”

Tackling Ransomware Safe Havens

Currently, the DoJ and Department of State (DoS) are taking the lead on tackling the challenge of safe havens by exerting pressure on nations that are complicit or refusing to take action. David Scott with the FBI said that indictments or sanctions are sometimes effective tools in that they have an impact on cybercriminals’ lives since they can’t travel to certain areas. However, there are still mixed opinions on whether these options actually work in combating ransomware, he said.

“When we look at safe havens, we’re looking at a wide range of sanctions,” said Scott. “Our job is to make their lives so miserable that they hate their jobs every day and they don’t want to do this anymore.”

Chris Painter, president of the Global Forum on Cyber Expertise, said that while there are “some avenues for progress, the safe haven issue hasn’t been solved.” However, some countries are considered a safe haven for cybercriminals simply because they don’t have the capabilities to crack down on the ransomware actors within their borders. To that end, the U.S. has made strides with the DoJ and DoS coordinating with international partners to incentivize cooperation and proactive action in these resource contrained countries, a fairly recent effort has been ongoing for the past thirty days.

“There’s another class of countries that would help if they could, but that don’t have the capabilities, so there’s a positive agenda of capacity building there,” said Painter.

Overall, the RTF said that a significant approach to reduce safe havens is creating an increasingly coordinated and proactive approach by the international community. Deputy Attorney General Lisa Monaco pointed to progress on this international coordination by the U.S. government, which has also built a network of private sector partners and law enforcement to prioritize ransomware in a “whole of government" approach. The government has also employed tools to disrupt ransomware gangs before they can do harm, including the DoJ Rewards of Justice program, as well as the use of prosecution, diplomacy and sanctions, said Monaco.

“When we look at actors operating in ‘cybercrime safe haven,’ some are affiliates, others are developers, and some of the same people behind ransomware were behind botnets or banking trojans,” said Monaco. “We are basically dealing with career cybercriminals and need to look at not just how to impose costs but how to deprive them of safe haven.”

The Need for Ransomware Reporting

Both the RTF and government officials cited concerns about a lack of consistent ransomware incident reporting by businesses, despite recent legislative efforts in this area including the Strengthening American Cybersecurity Act that gives critical infrastructure entities a 72-hour reporting deadline to notify the Cybersecurity and Infrastructure Security Agency (CISA) after experiencing a cyberattack.

“The data we have is largely cobbled together through collaborations among law enforcement, government agencies, insurers, and researchers, but even this patchwork view is incomplete,” according to the RTF. “The resulting picture fails to capture the scope, scale, and impact of ransomware attacks, making it hard to accurately interpret available and incomplete data to assess the efficacy of actions being taken.”

One challenge is providing an incentive for businesses to report attacks, particularly with organizations fearing reputational impact, law enforcement backlash or regulatory requirements. During the RTF event, security experts said there needs to be better communication that relays that companies won’t be victimized by reporting incidents. A lack of response by government officials once an incident is reported is another issue, said Eleanor Fairford, deputy director for incident response with the National Cyber Security Centre.

“Reporting is an essential component with important data to inform our understanding of attacks,” she said. “Part of the reason for the drop off in reporting is a lack of response.”

Overall, as threat actors rapidly shift their tactics, it's essential to continue prioritizing efforts to combat ransomware, said the RTF. The task force acknowledged the steps taken over the past year by the U.S. government, but said that there is more work to be done.

“While the debated rise in observed incidents paints a gloomy picture at present, we believe the increased level of action, awareness, and visibility is positive and that with continued focus, will eventually lead to a greater level of understanding of this threat, along with an improved ability to deter, disrupt, prepare for, and respond to attacks,” according to the RTF.