“Things are not going in the right direction,” said GeoTech Center distinguished fellow David Bray during a July 26 virtual report launch. “This report, I think, sets the foundation for what can be things we can do differently.”
Key proposals for the U.S. include strengthening international public-private partnerships, driving more incident reporting within the country, raising the nation’s cybersecurity baseline and addressing criminal use of cryptocurrency, speakers said.
TODAY’S RANSOMWARE
Ransomware perpetrators are increasingly using automated tools for greater speed and efficiency, Bray said. For example, GPT-3 — a neural network model that produces natural-sounding text — can write phishing emails “that are more effective” than ones written by humans, he said. According to the report, criminals are now “encrypting or stealing data within hours of the initial infection.”
Attacks especially target local governments, schools, utilities, hospitals and other organizations that cannot easily tolerate any downtime. U.S. Department of Energy Senior Advisor for Cybersecurity Cheri Caddy said criminals expect quick payouts from hitting entities that need to stay available 24/7, and that small, municipal and state water and power entities are at risk because their operations are vital and their resources for cyber defense are limited.
And while big-name victims like Colonial Pipeline may make headlines, it’s small- and medium-sized businesses (SMBs) that are most often victimized, said technology journalist John Sakellariadis, who spent a year studying ransomware on a Fulbright grant. SMBs may have only one full- or part-time IT specialist, Bray said, and federal agencies need to find ways to scale tabletop exercises and other support to help them.
The U.S. also needs to look at the full international picture when planning against threats. Ransomware continues to be a worldwide affair, with criminals in one or more countries collaborating to attack victims in another and routing money internationally.
Russia has been a major source of ransomware, but Brazil, China, Iran and other nations are showing increased activity, Sakellariadis said. That puts more pressure on developing international partnerships to rally against this border-spanning threat.
New opportunities may also be emerging as ransomware evolves. Criminals with limited technology skills have been able to get involved in these attacks by purchasing ransomware as a service (RaaS). But the report also cites a trend in which affiliates — criminal actors who deploy ransomware developed by other parties — are becoming more tech savvy. These players have often used methods like botnets and stolen credentials to deploy ransomware but are now using more advanced methods like hacking into networks.
The rise of more skilled affiliates shifts the power balance between them and their developer partners, something the report said can lead to infighting that law enforcement could exploit.
RETHINKING REPORTING
The federal government needs victims to report incidents so that agencies can better understand the threats and alert other potential victims. But reporting hasn’t been fast or frequent enough to keep pace with ransomware attacks.
A March 2022 law will — when implemented — require critical infrastructure to report certain incidents and ransom payments to the Cybersecurity and Infrastructure Security Agency (CISA). The agency has several years to hammer out the specifics of these requirements, and the government still needs to motivate reporting from entities not covered by the law.
As CISA and policymakers do so, Sakellariadis said they should consider how to balance competing desires. Asking for detailed accounts can give prosecutors more leads for tracking down perpetrators. Meanwhile, requesting simpler, broad-strokes reporting makes it easier for smaller victims to comply quickly. That may encourage more participation, granting a better picture of the overall landscape but a less in-depth understanding of particular threats.
The report also urged different federal agencies to come to common agreement around what they want victims to report, including by standardizing questions and reporting timelines across all situations.
Speakers also recommended safe harbor laws to entice reporting where it’s not legally obligated. Governments would need to clarify details such as how victims can report, how that information would be protected and used, and what kinds of victims and incidents would be covered by the safe harbor policies, the report explained.
Caddy also said that victims may skip reporting because they don’t realize why the information is necessary. But the government needs alerts so it can forewarn organizations that may be victimized next.
“Part of the key mental barrier that needs to be overcome is this notion that you’re in this by yourself and that no one else is impacted,” Caddy said.
“We thought we were being accommodating; we may have been less than crystal clear,” Stawasz said. “So I think there’s been some thought about where is the right place to direct people, even if it isn’t the exclusive place.”
FRICTION AND FEAR
Ransomware actors will keep at it so long as the crime is sufficiently profitable and convenient.
Simply getting organizations to adopt good cyber basics can add friction for attackers. The report finds criminals commonly take advantage of weak passwords and insufficiently secured remote desktop protocol (RDP) endpoints, for example.
On the prosecution side, Stawasz said the government should focus less on heaping lengthier sentences on the perpetrators it arrests and more on catching a greater number of criminals in the first place. Making arrests more common will go further in convincing attackers that repercussions may affect them.
THE CRYPTOCURRENCY QUESTION
Ransomware actors commonly demand extortion payments in cryptocurrency, which is easy to move overseas and offers a degree of anonymity or pseudonymity. The federal government has sought to crack down on cryptocurrency operators that facilitate illicit payments to ransomware actors.
Law enforcement looking to stop perpetrators from making off with their ill-gotten gains needs to time its interventions. Sakellariadis recommended letting payments reach extortionists, so they’re more likely to provide victims with decryption keys in exchange. A more opportune disruption would instead be to intercept payroll disbursements between the ransomware organizations and their employees.