While recent coordinated law enforcement efforts have been successful in temporarily knocking down ransomware groups like LockBit and BlackCat, a new report highlighted how the industry as a whole needs to scale disruption efforts against ransomware in order to see effective, long-term impacts.
The report was released Wednesday by the Institute for Security and Technology’s Ransomware Task Force (RTF), a coalition of more than 60 industry, government and law enforcement experts that made 48 recommendations in 2021 aimed at targeting the ransomware threat ecosystem. Though 24 of these 48 recommendations have seen significant progress, the remaining half have still not been fully implemented, and the RTF pinpointed areas where these measures could use further investment and resource allocations from governments, industry and civil society.
It's important to note that law enforcement agencies have carried out varying types of disruptive measures against ransomware groups over the last year, including efforts to target infrastructure, seize backend servers and take down darknet sites, as seen in the Hive and BlackCat disruptions. But more work beyond these efforts is needed, said the RTF report: While these have been temporarily disruptive to ransomware operations, they don’t fully eliminate the issue. The effectiveness of these operations is difficult to measure, for instance, and threat actors behind the groups have in some cases been able to rebuild their infrastructure or reassemble under new names.
“The purpose of disruptions is to throw as much sand in the gears as possible,” said Taylor Grossman, deputy director for digital security at the Institute for Security and Technology, in a video interview with Decipher. “The disruptions we’re seeing are affecting bottom lines. [Ransomware groups are] still active, which is a problem, and they’re still able to reform... so that’s where I think it’s about prioritization and resource allocation, making sure that governments have the manpower and financial resources to throw more people at this problem, to start to disrupt as much as possible.”
The RTF said that to better combat ransomware groups, government agencies need to work more closely with industry partners to “increase the costs associated with the ransomware profit model.” Part of that partnership should involve more clarity around lawful defensive measures that the private sector can take against ransomware groups, which would help assuage concerns about legal liability.
“Providing clearer information about how and when companies can protect themselves without fearing later legal repercussions will increase the likelihood that they do so and enhance the defense of the entire ecosystem,” according to the report.
The report also pointed to increased information sharing as another critical piece for ransomware disruption. While cyber incident sharing measures - like CIRCIA and the SEC’s cyber rules - are coming together, the RTF said the government should also create more incentives for voluntary sharing in other areas that touch the ransomware ecosystem. For instance, more information sharing between cryptocurrency entities and law enforcement could lead to valuable insights about cryptocurrency accounts or transactions associated with ransomware actors.
The disruption of ransomware is complex, in part because it involves several stakeholders across the industry - including law enforcement and cybersecurity government agencies, private sector organizations, security researchers and cryptocurrency firms. At the same time, the ransomware threat landscape continues to evolve. A recent report released by Chainalysis in February recorded $1.1 billion in ransomware payments in 2023, a significant increase from the $567 million reported in 2022 and the highest figure the firm has ever observed.
With all of these different moving pieces, the RTF called for an overhaul in some of the processes that entities are using to fight ransomware. The U.S. government should rethink how it incentivizes companies to adopt security measures outside of merely providing guidance for them, for instance, and do more to draw attention to the worst ransomware offenders. There should also be more “reciprocal sharing” of information in the partnerships formed around mitigating ransomware, the report said.
“Achieving progress on the remaining 24 RTF recommendations will help address the ransomware threat, and the U.S. and other governments worldwide will need to continue to act going forward,” according to the report. “At the same time, they should work toward driving adoption of secure-by-design and default across the ecosystem.”