Security news that informs and inspires

Whole of Government Effort, Collaboration Needed to Disrupt Ransomware

If the last year has proven anything, it’s that there is no short-term fix for the ransomware plague. Patching, detection, remediation, off site backups, and quick incident response are all vital, but none of them alone or all of them together is a guaranteed answer to the problem. The road to a true solution will be long and will require serious collaboration between enterprise defenders, government agencies, and law enforcement to disrupt the ransomware ecosystem.

As ransomware has progressed to the level of becoming a national security concern in the past year, the efforts of government agencies have moved from raising awareness and encouraging basic security practices as preventative measures, to tracking down ransomware operators and attempting to disrupt the technical and payment infrastructures. That has led to some notable successes in identifying some ransomware groups and even forcing some to abandon their operations, but prosecutions have been hard to come by, due to the fact that most ransomware groups operate from countries such as China and Russia that will not extradite their citizens.

The payment problem has proven just as thorny. Ransomware payments are exclusively made with cryptocurrencies, and while transactions for many of those are public record, tracing the funds to the specific criminals who eventually receive them is difficult. The FBI’s recovery of $2.3 million of the $4.4 million hat Colonial Pipeline paid to DarkSide ransomware actors is a rare success against years of failures on this front. And that was not strictly an FBI operation; it was done with the aid of a private firm that specializes in identifying and tracing ransomware payments.

That kind of collaboration, which utilizes the strengths of law enforcement and private companies both, will be critical if the fight against ransomware is to succeed anytime soon.

“The real goal in this disruption is getting the government doing what it’s good at doing, and the private sector doing what it’s good at doing. The problem is so broad we shouldn’t be looking at this only as a law enforcement issue. This has to be a network defense issue as well. The same intelligence that’s being used to disrupt ransomware has to be used to harden defenses as well,” Neil Jenkins, a former Department of Homeland Security official and member of the Ransomware Task Force, said during a virtual panel on ransomware hosted by Cisco Tuesday.

The Ransomware Task Force is a private-sector effort that includes experts from a range of security and technology companies and government agencies, and earlier this year it released a framework of recommendations and principles for addressing ransomware and disrupting the payment flow. Among the key recommendations is that the federal government treat ransomware as not just a law enforcement challenge, but one for the entire government.

“Leaders have to understand their place in the ecosystem and what their decisions might mean in the event something happened."

“At the federal level, I can tell you there’s a great deal of concern about what we’re seeing here. That focus is very much there. Whether the general population follows along with that, I don’t know. It needs to be a whole of government approach and we need to take it outside of law enforcement and take these actions anywhere we can find a lever,” said Matt Olney, director of threat intelligence and interdiction with Cisco Talos.

The Biden administration has moved in this direction, establishing its own task force to combat ransomware earlier this month and set up a new website that coordinates all of the government’s anti-ransomware efforts. Part of that effort focuses on steps that organizations can take in order to be prepared for a potential ransomware attack. Technical preparations such as hardening high-value assets, creating and testing off site backups, and applying patches are vital, but so is the process of raising awareness with executive leadership about the potential damage from a ransomware attack.

“Now is the time, if you haven’t already done it already, to have those conversations with leaders to get them started thinking about what this would mean to your company from a business perspective if this happened,” said Helen Patton, an advisory CISO at Cisco, and the former CISO at The Ohio State University.

“Leaders have to understand their place in the ecosystem and what their decisions might mean in the event something happened. But it’s up to the CISO to make those connections with the FBI, CISA, and the other agencies ahead of time to work out what potential steps might mean.”

The technical aspect of preparing for a potential ransomware incident can be overwhelming, but narrowing the scope down can help.

“If you’re concentrating on what ransomware operators are doing and focusing your attention on hardening those assets, you’ll be miles ahead of where other people are,” said Olney.