Andrada Fiscutean
Freelance writer

How to control ransomware? International cooperation, disrupting payments are key, experts say

Feature
Jul 05, 2021 | 10 mins
Ransomware | Regulation

Anti-ransomware acts or regulations will require global cooperation, experts say. In the meantime, ransomware victims should cooperate quickly and fully with authorities.

Image: An encrypted system, held ransom with lock and chain, displays a dollar sign.
Credit: Tomas Knopp / Getty Images

Ransomware has evolved from a minor cybercrime nuisance into a crisis that threatens national security. Incidents such as the Colonial Pipeline attack show that this type of criminal activity can affect not just the specific organizations that lack good security practices, but every citizen. It has the potential to disrupt daily life and prevent people from accessing basic services, including healthcare.

The White House is exploring ways to keep the phenomenon in check. Since ransoms are typically paid in cryptocurrency, one idea is to track those transactions more closely. This is difficult because many Bitcoin exchanges are based overseas, where they have to comply only with loose regulations.

The US hopes for international cooperation to make cryptocurrency transactions more transparent and dismantle criminal gangs. Ransomware has been on the agenda of the G7 Summit in the UK, where political leaders called on all states to “urgently identify and disrupt ransomware criminal networks operating from within their borders.” Also, during a subsequent meeting in Geneva, US President Joe Biden handed Russian President Vladimir Putin a list of 16 critical infrastructure sectors that should be “off-limits to attack.”

Security researchers welcome these actions, saying they might slow the growth of ransomware to a certain degree. They add, however, that organizations should continue to upgrade their defenses against the ransomware threat regardless.

Effective ransomware regulation requires international cooperation

At the end of April, the Ransomware Task Force at the Institute for Security and Technology published 48 recommendations that were sent to the White House. Dozens of experts working for security companies, government, law enforcement, international organizations, and civil society contributed to the framework.

Jen Ellis, vice president of community and public affairs at Rapid7, who was part of the task force, says that the recommendations are “a fairly serious lift,” and that they work best when applied together. A few, however, have higher priority, such as international cooperation.

Ellis says that she hopes the G7 states will take action, as promised during the summit. “World leaders need to recognize that ransomware is not a niche technical issue, but rather a significant societal problem that needs to be addressed collaboratively at the highest levels,” she says. “We will only see progress made with continued pressure brought to bear on countries that provide safe harbors for attackers.”

Disrupt but don’t ban cryptocurrency ransom payments

These international conversations should include cryptocurrency exchanges, crypto kiosks, and over-the-counter trading desks, which need to comply with already existing laws, says retired US Army Major General John Davis, vice president at Palo Alto Networks, who co-chaired the Ransomware Task Force.

Even forcing only the big players to comply with the legislation could have an impact, says Mike Sentonas, CTO at CrowdStrike. “The difficult thing with regulations for cryptocurrency exchanges is that many are global and don’t have incentive to comply with US regulations. The key would be to have a global consensus on making regulations on more valid and legitimate exchanges. If you are talking about $20 million [ransom payments], there are only so many [exchanges] that have the actual ability to cash out, and those are the ones that are easier to regulate and need to address these transactions of ransomware payments.”

During the Ransomware Task Force meetings, some experts raised more rigid ideas, including prohibiting all ransom payments or banning cryptocurrencies completely. The general conclusion, according to Ellis, was that such regulations “would likely cause more harm than good.”

“If paying ransoms is prohibited, it’s likely we will see attackers turn to specifically targeting organizations that are least likely to withstand attack and the ensuing disruption,” Ellis says. “In some cases, this could cause victims—desperate to salvage their business—to make payments in secret, essentially making them even more vulnerable to extortion from their attackers.” She adds that prohibiting cryptocurrency transactions would also “unfairly punish those using or trading cryptocurrencies for legitimate reasons.”

Public-interest technologist Bruce Schneier agrees that banning cryptocurrency is not the answer, saying that while it is “conceptually simple, it’s also impossible.” He argues in a piece written with Nicholas Weaver, lecturer at the University of California at Berkeley, that the easier alternative is to “merely disrupt the cryptocurrency markets.”

They note that in the realm of cryptocurrency, criminals have many options for making the money harder for law enforcement to track: They can break a ransom into smaller transactions, or they can jump between blockchains, converting Bitcoin to Monero to Ethereum and then back to Bitcoin.

Yet, at some point, because there are only so many things one can buy with Bitcoin, the criminals need to convert cryptocurrency into traditional money. For this, they need an exchange that is connected to the banking system. Schneier and Weaver say that these exchanges typically try to understand who their customers are, and that they will likely cooperate with law enforcement. Converting cryptocurrency into traditional money requires “a large amount of normal activity to keep from standing out,” they wrote.

In the Colonial Pipeline ransomware incident, the FBI was able to follow the digital money, according to court records. A special agent watched, on the publicly visible Bitcoin ledger, as the criminals transferred the money through other wallets. Eventually, 64 of the 75 Bitcoins paid by Colonial Pipeline ended up in a wallet for which the FBI obtained the private key. “The extortionists will never see this money,” said Stephanie Hinds, acting US attorney for the Northern District of California.
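The “follow the money” step described above can be reproduced in miniature. The example below is added here and is not code from the article or from any of the organizations it quotes: it replays a small, constructed ledger (the addresses, transaction IDs and amounts are invented, not Colonial Pipeline’s real transactions) and propagates “taint” from the ransom address through each spend using the proportional “haircut” model that chain-analysis tools commonly use, which is an assumption about method rather than anything the article describes. It shows why splitting the ransom into smaller transactions and mixing it with clean coins does not hide it on a public ledger, and it also exposes the limit Schneier and Weaver point at: once funds leave the chain (a Bitcoin-to-Monero swap), the tracer simply sees a spend to an address it cannot follow further.

```python
from fractions import Fraction
from typing import Dict, List, Tuple

# One transaction: spends the listed inputs and pays the listed outputs.
# An address-level balance model is used for brevity; real Bitcoin analysis
# works per UTXO and adds address-clustering heuristics on top.
Tx = dict  # {"id": str, "inputs": [(addr, amount)], "outputs": [(addr, amount)]}

# Constructed sample ledger (invented addresses and amounts, not real chain data).
SAMPLE_TXS: List[Tx] = [
    {"id": "t1", "inputs": [("victim", 75)], "outputs": [("attacker", 75)]},
    # Split the ransom into three smaller pieces.
    {"id": "t2", "inputs": [("attacker", 75)],
     "outputs": [("hop_a", 40), ("hop_b", 20), ("hop_c", 15)]},
    # Mix one piece with 20 coins of unrelated, clean money.
    {"id": "t3", "inputs": [("hop_a", 40), ("unrelated", 20)], "outputs": [("hop_d", 60)]},
    # Consolidate and cash out at an exchange; keep some change.
    {"id": "t4", "inputs": [("hop_d", 60), ("hop_b", 20)],
     "outputs": [("exchange", 60), ("change", 20)]},
    # A customer with no link to the ransom deposits at the same exchange.
    {"id": "t5", "inputs": [("shopper", 5)], "outputs": [("exchange", 5)]},
]


def trace_taint(txs: List[Tx], ransom_address: str
                ) -> Tuple[Dict[str, Fraction], Dict[str, Fraction], List[str]]:
    """Replay transactions in order and propagate ransom-derived value ("taint").

    Haircut model: if 3/4 of a transaction's input value is tainted, 3/4 of every
    output is tainted. Anything paid to ransom_address is tainted by definition.
    Returns (balance per address, tainted value per address, ids of transactions
    that moved any tainted value).
    """
    balance: Dict[str, Fraction] = {}
    tainted: Dict[str, Fraction] = {}
    touched: List[str] = []
    for tx in txs:
        total_in = Fraction(0)
        tainted_in = Fraction(0)
        for addr, amt in tx["inputs"]:
            amt = Fraction(amt)
            bal = balance.get(addr, Fraction(0))
            tnt = tainted.get(addr, Fraction(0))
            # Coins we never saw arrive are treated as clean, external funds.
            spent_tainted = min(tnt, tnt * amt / bal) if bal > 0 else Fraction(0)
            balance[addr] = max(bal - amt, Fraction(0))
            tainted[addr] = tnt - spent_tainted
            total_in += amt
            tainted_in += spent_tainted
        frac = tainted_in / total_in if total_in > 0 else Fraction(0)
        moved_taint = tainted_in > 0
        for addr, amt in tx["outputs"]:
            amt = Fraction(amt)
            out_tainted = amt if addr == ransom_address else amt * frac
            balance[addr] = balance.get(addr, Fraction(0)) + amt
            tainted[addr] = tainted.get(addr, Fraction(0)) + out_tainted
            moved_taint = moved_taint or out_tainted > 0
        if moved_taint:
            touched.append(tx["id"])
    return balance, tainted, touched


def exposure(txs: List[Tx], ransom_address: str, target: str) -> Fraction:
    """How much ransom-derived value currently sits at `target`."""
    _, tainted, _ = trace_taint(txs, ransom_address)
    return tainted.get(target, Fraction(0))


if __name__ == "__main__":
    balance, tainted, touched = trace_taint(SAMPLE_TXS, "attacker")
    print("transactions that carried ransom funds:", touched)
    for addr in sorted(balance):
        if tainted[addr] > 0:
            print(f"{addr}: balance {balance[addr]}, of which ransom-derived {tainted[addr]}")
```

Run as-is, it reports that 45 of the exchange’s 65 coins trace back to the ransom, that 15 coins still sit unspent at the third split address, and that the shopper’s deposit (t5) never touched tainted funds. The exact Fraction arithmetic is deliberate: chain analysis is used as evidence, so the numbers should be reproducible rather than subject to floating-point drift.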

Ellis says that tracking cryptocurrency transactions is necessary for restraining ransomware. She adds that fighting cybercriminals requires a wider range of measures, and that the more ideas the tech world has, the better. “It will take many different actions—some legislative, and many not—to reduce ransomware,” she says.

However, each proposed idea should be assessed thoroughly by experts from various fields. “The devil will be in the details,” says Nicolas Christin, associate professor of engineering and public policy at Carnegie Mellon University.

Paying “feeds” the ransomware problem, but is necessary for some

Ransomware often puts organizations in an impossible situation, says Sandra Joyce, executive vice president of Mandiant Threat Intelligence. “If you’re a hospital that’s been a victim of ransomware and they are asking for a certain amount of money typically in cryptocurrency, then you have a choice between treating your patients or not treating your patients.”

Today, the question of paying or not paying the ransom “is not as cut and dried as it once was,” says Raj Samani, chief scientist at McAfee. “The gangs are raising the stakes,” he argues. “There are a massive number of things that need to be considered when deciding to pay or not.”

Victims need to assess the situation carefully and establish who the attacker is: Sending money to a sanctioned entity can get them into trouble because it breaks the law. “The problem is that a lot of the companies or organizations that pay don’t necessarily have much of a choice, as they might be lacking the ability to completely recover with minimal downtime,” says Christin.

What feels right in the short term might backfire in the long run. Paying ransoms feeds into the bigger problem, says CrowdStrike’s Sentonas. “Over the past year, we’ve seen the number and cost of ransoms grow exponentially. This is because threat actors are continuing to get ransomware incentives.”

Ransomware payments increased 341% during 2020, to a total of $412 million, according to blockchain research firm Chainalysis. Many insurance companies have also raised their premiums for cyberattack coverage: At least half of buyers now pay between 10% and 30% more, and a few of them up to 50% more, according to a survey cited by the US Government Accountability Office.

The Ransomware Task Force recommends that organizations be open when they are hit and disclose payment information to their national government. They should also conduct a thorough cost-benefit analysis and review the alternatives before deciding whether to pay.

The call should be made by the organization’s core executives because they are the ones who can best assess the extent of the damage, says Marc Grens, co-founder and president of DigitalMint, a cryptocurrency broker that helps consumers purchase Bitcoin through physical kiosks and teller windows. “I believe [organizations] should work with the government,” he says. “They should reach out to law enforcement early and often, to understand who the threat actor is. The more data they have, the better.”

If a company decides to pay, Grens advises that the least it can do is negotiate the price down; ransomware gangs are usually willing to work out a deal. Paying, however, does not always make the problem go away for good: Around 80% of businesses that paid the ransom experienced a subsequent attack, according to a Cybereason survey, and almost half of the respondents said that at least some of the restored data was corrupted.

“The most effective and important thing is that all enterprises need to invest more in security so they can outrun adversaries,” Sentonas says. “Many enterprises have outdated systems or are reliant on legacy technology from the 1990s that really hasn’t changed much. Those systems need to be updated to be able to quickly detect any malicious activity.”

Russia’s actions key to attackers’ response to ransomware regulation

Historically, the ransomware business blossomed after criminal gangs discovered cryptocurrency. In 2013, the destructive CryptoLocker made hefty profits by letting victims choose their preferred currency: US dollars, euros or Bitcoin. Crooks made money before that, and they will likely continue to do so whatever happens to cryptocurrency.

New regulations could convince some groups in Eastern Europe to stop their operations, as already happened with the Avaddon gang, which recently released all 2,934 of its decryption keys and shut down. Others, however, will carry on. “The criminals will innovate as we have seen before,” says McAfee’s Samani.

DigitalMint’s Grens argues that some groups might even increase their disruptive activity “to show what happens to your countries, your companies, by not giving [victims] an option to pay.” To Dmitry Smilyanets, cyber threat intelligence expert at Recorded Future, ransomware is above all a problem that needs to be tackled diplomatically. He says that the gangs’ reactions will depend on world leaders’ decisions, adding that the West will be able to fight cybercrime “only if there is a political will in Russia to prosecute its own citizens. Without law enforcement on the ground in Russia, it’s impossible to address cybercrime issues.”

The researcher claims that Russian president Vladimir Putin is “annoyed” by the recent ransomware attacks that targeted the US, and that this is “a bad sign for Russian-based cybercriminals.” Smilyanets doubts that Putin will allow Russian criminals to be sent overseas, because the country’s constitution states that it does not extradite its citizens. There is a chance, however, that the gangs will be prosecuted transparently in Russia, he says.

Smilyanets believes that some sort of collaboration between the Kremlin and the White House will likely happen. The head of the Russian FSB, Alexander Bortnikov, said on June 23, during the Moscow International Security Conference, that Russia will work with the US to track down cybercriminals, according to the RIA Novosti news agency. He added that Russia would put the measures discussed by the two presidents into practice, hoping for reciprocity. “In this case, [ransomware gangs] will face ruthless federal security services [in Russia] pretty quickly,” Smilyanets says.