Security news that informs and inspires

‘We Have to Change the Decision Calculus’ to Stop Ransomware

The recent law enforcement actions against ransomware groups, from indictments in the United States to raids and arrests in Ukraine and across Europe, have generated a lot of headlines and had some short-term effects on operators, but to truly put the hammer down on those groups, a broader, more cohesive strategy that encompasses both the public and private sectors is what’s needed, experts say.

Ransomware has been around for several years and is no longer a shiny new threat, and researchers and law enforcement agencies have a good grasp on how the groups operate, how victim organizations are compromised, and where some of the group members are located. They have also developed a good picture of how the business models for ransomware groups work and how cryptocurrency ransom payments are funneled to them, laundered, and later cashed out. That understanding of the landscape has enabled law enforcement to notch some considerable victories against ransomware operators, including an operation that resulted in the arrests of 12 people in Ukraine and Switzerland, and a separate raid last week that resulted in the arrest of a Russian national allegedly involved in the REvil ransomware operation and seizure of more than $6 million in ransom payments.

Those operations and others that have hit ransomware groups recently involve cooperation from law enforcement agencies around the world and deep collaboration with private sector security researchers, and the cooperative effort has been effective. But hitting back at the operators can only go so far. If one or two or three operators are arrested, there are dozens more waiting behind them to take the reins, because the money is good and the risk is so low, particularly in countries that are not on speaking terms with the U.S. The next step in taking the advantage away from the operators and their sponsors likely has to come from enterprise security teams rather than the FBI or Interpol.

“Ransomware is like Thanos; it was inevitable. It’s such a permissive environment with misconfigurations and vulnerabilities to exploit and ransomware is just the ultimate monetization of those vulnerabilities,” Chris Krebs, the former director of the Cybersecurity and Infrastructure Security Agency, said during a keynote speech at Cyberwarcon Tuesday.

“Doxing, degradation, and imposing costs is part of it, but changing the permissive environment that they operate in has to be part of it. This is how you win a war. You never fight it. You put the adversary in a position where the calculus changes and they no longer want to fight.”

"“I think it will clear out some of the chuckleheads. It’s in the strategic objectives of the Kremlin to continue supporting this."

Imposing financial and legal costs on operators has been effective to a certain extent, but those approaches are time consuming, expensive, and difficult to execute. And they generally don’t have a direct effect on the leadership of ransomware groups such as REvil, DarkSide, or others. The people who get swept up in the raids and investigations tend to be affiliates in ransomware-as-a-service (RaaS) operations or mid-level operators who handle the money laundering. Moving up the food chain is difficult and does not scale very well.

“I think it will clear out some of the chuckleheads. It’s in the strategic objectives of the Kremlin to continue supporting this, whether they’re directing fire or not,” Krebs said.

“It will get some of the more recent entrants who weren't as skilled, and what that leaves you is the more serious actors.”

Just as researchers and law enforcement agencies have dug into ransomware groups and learned their patterns and tendencies, the operators have learned how defenders are reacting to intrusions and are now taking more time to assess target organizations and build rapports with employees in order to gain access. One Iranian attack group in particular, which Microsoft tracks as Phosphorus, has spent as long as six or eight months building relationships with potential victims over email, using fake conference or podcast invitations and impersonating legitimate think tanks. During that time, the attackers don’t send any malicious content or links and simply seek to establish trust with the target. When the malicious link or attachment inevitably arrives, the victim is conditioned to trust the attacker on the other end and will often take the bait.

“We are seeing threat actors getting very patient before going after victims. They’re building a courtship and in doing so they’ve had a lot more success. They’re building trust with victims,” said James Elliott, a member of the Microsoft Threat Intelligence Center.

“A lot of these groups have gotten smarter.”

That means that defenders need to get smarter, too, as do policy makers who are looking for ways to address the ransomware problem, as well the broader security issues facing U.S. businesses and government agencies. Congress has focused quite a bit of attention on cybersecurity issues in the last year and there are several bills in the works that take on various aspects of the problem. Some type of requirement for organizations to report breaches is likely to emerge, as is a requirement that businesses disclose ransom payments quickly after they make them.

“I think regulation is inevitable, and I also think it’s inevitable that we will get it wrong. We have to distill down the critical functions and prioritize. We have to change the decision calculus across the private sector,” Krebs said.