Ransomware has spiked in public awareness of late, with high-profile incidents such as the 2021 Colonial Pipeline panic, and it continues to cause new problems for local government, in places ranging from Dallas to Spartanburg County, S.C. As a result, federal efforts to fight these attacks are ongoing, and they have frequently aligned with the recommendations of the Ransomware Task Force (RTF), a public-private collaboration whose members have previously included the now-acting National Cyber Director Kemba Walden.
RTF released a 2021 report detailing the global ransomware landscape with proposals for how nations could work to disrupt it in long-lasting ways, and the U.S. has made at least some progress on most of the recommendations in that report, speakers said during a recent event hosted by the Institute for Security and Technology (IST), which coordinates the RTF. Among the wins: international partnerships have disrupted some perpetrators, and the U.S. has started pre-emptively warning organizations when they have vulnerabilities that are susceptible to ransomware actors.
But ransomware variants are becoming harder to attribute, and insufficient incident reporting still leaves researchers and governments in the dark on the full scope of the problem, speakers said.
Federal security and cybersecurity officials said they want to compel cryptocurrency entities and cloud services providers to keep cyber criminals off their services. Anne Neuberger, U.S. deputy national security adviser, said the U.S. is also mulling a ban on ransomware payments, with exemptions granted to some essential organizations.
THE STATE OF RANSOMWARE IN THE U.S.
But it’s unclear if any of this marks a lasting shift away from ransomware. The drop in such attacks against the U.S. may have been driven by world events, with Russia’s war against Ukraine diverting the attention of cyber crime groups in the region, the RTF said.
Officials are cautious about describing the landscape, but some tentatively suggest hope.
The rate of ransomware attacks seems to be stabilizing somewhat. “I think a level, plateau, steady state is where we've been,” said David Ring, head of the FBI Cyber Division’s private-sector engagement and cyber criminal intelligence missions.
However, Allan Liska, intelligence analyst at the threat intelligence platform provider Recorded Future, said the situation remains murky.
“We think ransomware attacks have seen a resurgence in 2023, after dipping a little bit in 2022,” Liska said, “... but the answer is that we don’t know,” because there’s not enough incident reporting to get a clear picture.
Regardless of the number of attacks, those that do successfully hit can be punishing. Ransomware continues to strike U.S. hospitals, schools and local governments.
Fully understanding the ransomware landscape is challenging, because reporting requirements are often nonexistent or “fragmented,” making it hard to get a complete view, Liska said. Even the FBI believes it only received victim reports on about 20 percent of Hive ransomware attacks, Ring said.
Michael Phillips — RTF co-chair and chief claims officer at cyber insurance provider Resilience — said organizations fear being stigmatized if they admit to suffering a ransomware attack, and they also want a standardized way to report. That latter step would make it easier for victims to inform authorities promptly, while they’re still in crisis mode dealing with the effects of an attack.
Mandatory reporting requirements are forthcoming for some sectors under the Cyber Incident Reporting For Critical Infrastructure Act (CIRCIA), which passed in 2022. But the Cybersecurity and Infrastructure Security Agency (CISA) is still paving the way for its implementation, and CISA Chief Strategy Officer Valerie Cofield said “we won't see the fruits of that legislation for a couple of years.”
The ransomware ecosystem is also changing in ways that make it harder to attribute perpetrators and track growing strains of the malware, Liska said.
Prior years have seen ransomware-as-a-service (RaaS) models proliferate, in which developers create the malware while other cyber criminals called “affiliates” deploy it and share some of the extortion profits.
“We're now seeing a lot of threat actors move away from there,” Liska said.
Ransomware code is increasingly leaked and stolen, leading to some new variants that include other ransomware groups’ code. Liska calls these variants “Franken-ransomware” and said the code recycling makes it difficult to determine who’s actually behind attacks.
“That kind of fracturing of the ransomware market has made it harder for us to track and identify what the growing strains are [or] even [identify] ‘who hit us?’” Liska said. “I get this question all the time now – ‘Hey, we got hit by this, do you know what it is? Because there’s no name in the ransom note, just some random email address.’ … That’s a real challenge for incident response and even for reporting.”
WHAT DO DEFENDERS STILL NEED TO DO?
The U.S. has made strides in the past year toward building intergovernment and public-private collaborations around disrupting ransomware as well as in working to address risks from cryptocurrency entities that facilitate perpetrators’ payments, per the RTF’s report. The U.S. also deepened its focus on reporting and information sharing.
The U.S. has now made “significant” progress on 50 percent of the task force’s 48 recommendations and some progress on 92 percent of them. That’s up from May 2022, when IST CEO Phil Reiner reported “significant” progress on 25 percent and some progress on 88 percent.
More remains to be done, even in areas that are showing progress. U.S. Rep. Elissa Slotkin called for ensuring crypto exchanges, kiosks and trading desks follow Know Your Customer (KYC) and anti-money laundering practices.
“There are gaps in our crypto regulations, and these gaps allow bad actors to evade the law,” Slotkin said in pre-recorded remarks.
Acting National Cyber Director Kemba Walden said multipronged efforts can help make ransomware less profitable and harder for perpetrators to carry out. Addressing illicit cryptocurrency use can disrupt the flow of profits, while requiring cloud services providers to follow KYC practices could help hamper ransomware operations by preventing nefarious use of this digital infrastructure.
Pushing for software and hardware to be secure-by-design and secure-by-default could also make the U.S. more cyber secure overall — and do so in a way that lifts the responsibility off small players and end users, Walden said.
Ransomware actors may collaborate across borders and operate in one country while targeting victims in another. That makes international counter-ransomware partnerships a key piece of combating this global problem. Deputy National Security Adviser Anne Neuberger said that countries are most willing to come together to tackle threats from cyber criminals, rather than threats from other nation-states.
“When we talk about, potentially, countering Chinese malicious cyber activity, there are some countries who will say, ‘We don't want to do that publicly,’” Neuberger said.
The U.S. and its partners have been trying a variety of disruptive efforts and are working to assess just how impactful any of these strategies are, Neuberger said. For example, the U.S. and international partners took actions against the Hive ransomware gang and the dark web marketplace Genesis Market. Those included seizing Hive servers and decryption keys as well as 11 of Genesis Market’s domain names. But questions of effectiveness remain:
“We know it has a disruptive impact — for how long?” Neuberger said. “How do we extend how long that lasts? How do we ensure these disruptions have foundational impact on the infrastructure, on the people, on the money laundering networks, that makes this possible and that drive it?”
WHETHER TO PAY
Whether organizations should be allowed to pay ransom is a tricky question. The U.S. is actively discussing whether to issue a broad ban against this practice, while allowing case-by-case exemptions for essential entities, Neuberger said.
“A question that we’ve grappled with — both within the U.S. government and bilaterally, as well as multilaterally … is, do we ban ransomware, with a waiver?” Neuberger said.
Paying extortion makes the attacks profitable, enabling and encouraging more ransomware. But when victims are critical entities, not paying risks leaving their essential services down for longer.
“For an individual entity, it may be they make a decision to pay. But for the larger problem of ransomware, that is the wrong decision,” Neuberger said. “Now, there may be an individual entity — a major hospital, an emergency services — that we just are committed to bringing the services back up as quickly as possible. So [when] we think about banning ransom payments, we asked, ‘Would we do so with a waiver — e.g., notifying [and] asking the permission of the relative U.S. government?’”
The RTF’s 2021 report warned that imposing a full ban on ransom payments might prompt perpetrators to initially test this resolve and ramp up their attacks against essential organizations like “health-care providers, local governments and other custodians of critical infrastructure.”
“As such, any intent to prohibit payments must first consider how to build organizational cybersecurity maturity, and how to provide an appropriate backstop to enable organizations to weather the initial period of extreme testing,” that report read.
The 2021 RTF report recommended nations require victims to avoid paying unless they’d first conducted a cost-benefit analysis to confirm that doing so would really be worthwhile. Victims should also have to consider alternative options before choosing to pay. Sometimes data is recoverable elsewhere or decryption keys are already available, for example.
BRIGHT SPOTS
CISA launched a ransomware vulnerability warning pilot program in January through which it can proactively alert organizations about issues that ransomware actors are likely to exploit. This effort aims to reach them before an attack happens.
For example, the program in February warned 93 critical infrastructure owners and operators about a Microsoft Exchange ProxyNotShell vulnerability and has since seen a “30 percent uptick in patching that vulnerability,” Cofield said.
The past two years have also seen ransomware victims become more trusting of federal government support, with the FBI’s Ring saying victims are more likely to report attacks.
“Two years into this, I think the conversation has shifted to, rather than, ‘Should we report this to law enforcement?’ to ‘When should we report this to law enforcement?’ which is a small change, but a very, very significant change in terms of how people think,” Ring said.