IE 11 Not Supported

For optimal browsing, we recommend Chrome, Firefox or Safari browsers.

Much to Do About Ransomware: Report Highlights a Path Forward

The threat is fast, frequent and international. Keeping up may take stronger cross-border public-private partnerships, improved reporting rules, a higher national cybersecurity baseline and cryptocurrency payment disruptions.

Ransomware drew $400 million of extortion from victims worldwide in 2020 — a price tag that doesn’t account for cleanup costs — and costs could hit more than $265 billion by 2031, according to numbers from the White House and Cybersecurity Ventures, respectively. Despite the U.S.’s heightened attention on the attack type, it’s becoming faster and more costly, says a new report from think tank Atlantic Council’s GeoTech Center, which cited the figures.

“Things are not going in the right direction,” said GeoTech Center distinguished fellow David Bray during a July 26 virtual report launch. “This report, I think, sets the foundation for what can be things we can do differently.”

Key proposals for the U.S. include strengthening international public-private partnerships, driving more incident reporting within the country, raising the nation’s cybersecurity baseline and addressing criminal use of cryptocurrency, speakers said.


Ransomware perpetrators are increasingly using automated tools for greater speed and efficiency, Bray said. For example, GPT-3 — a neural network model that produces natural-sounding text — can write phishing emails “that are more effective” than ones written by humans, he said. According to the report, criminals are now “encrypting or stealing data within hours of the initial infection.”

Attacks are especially targeting local governments, schools, utilities, hospitals and other organizations that cannot easily tolerate any downtime. U.S. Department of Energy Senior Advisor for Cybersecurity Cheri Caddy said criminals expect quick payouts from hitting entities that need to stay available 24/7, and small, municipal and state water and power entities are at risk, due to the vitality of their operations and their limited resources for cyber defense.

And while big-name victims like Colonial Pipeline may make headlines, it’s small- and medium-sized businesses (SMBs) who are most often victimized, said technology journalist John Sakellariadis, who spent a year studying ransomware on a Fulbright grant. SMBs may have only one full- or part-time IT specialist, Bray said, and federal agencies need to find ways to scale tabletop exercises and other supports to help them.

The U.S. also needs to look at the full international picture when planning against threats. Ransomware continues to be a worldwide affair, with criminals in one or more countries collaborating to attack victims in another and routing money internationally.

Russia has been a major source of ransomware, but Brazil, China, Iran and other nations are showing increased activity, Sakellariadis said. That puts more pressure on developing international partnerships to rally against this borders-spanning threat.

New opportunities may also be emerging as ransomware evolves. Criminals with limited technology skills have been able to get involved in these attacks by purchasing ransomware as a service (RaaS). But the report also cites a trend in which affiliates — criminal actors who deploy ransomware malware developed by other parties — are becoming more tech savvy. These players have often used methods like botnets and stolen credentials to deploy ransomware but are now using more advanced methods like hacking into networks.

The rise of more skilled affiliates shifts the power balance between them and their developer partners, something the report said can lead to infighting that law enforcement could exploit.


The federal government needs victims to report incidents so that agencies can better understand the threats and alert other potential victims. But reporting hasn’t been fast or frequent enough to keep pace with ransomware attacks.

A March 2022 law will — when implemented — require critical infrastructure to report certain incidents and ransom payments to the Cybersecurity and Infrastructure Security Agency (CISA). The agency has several years to hammer out the specifics of these requirements and government still needs to motivate reporting from entities not covered by the law.

As CISA and policymakers do so, Sakellariadis said they should consider how to balance competing desires. Asking for detailed accounts can give prosecutors more leads for tracking down perpetrators. Meanwhile, requesting simpler, broad-strokes reporting makes the task easier for smaller victims to quickly comply. That may encourage more participation, granting a better picture of the overall landscape but less in-depth understanding of particular threats.

The report also urged different federal agencies to come to common agreement around what they want victims to report, including by standardizing questions and reporting timelines across all situations.

Speakers also recommended safe harbor laws to entice reporting where it’s not legally obligated. Governments would need to clarify details such as how victims can report, how that information would be protected and used, and what kinds of victims and incidents would be covered by the safe harbor policies, the report explained.

Caddy also said that victims may skip reporting because they don’t realize why the information is necessary. But government needs alerts so it can forewarn organizations that may be victimized next.

“Part of the key mental barrier that needs to be overcome is this notion that you’re in this by yourself and that no one else is impacted,” Caddy said.
U.S. Department of Energy Senior Advisor for Cybersecurity Cheri Caddy
U.S. Department of Energy Senior Advisor for Cybersecurity Cheri Caddy discusses ransomware.
Department of Justice Deputy Chief for Computer Crime Michael Stawasz also said that a federal “no wrong door” approach to reporting has ultimately caused confusion. Federal government wanted to let victims inform any relevant agency about cyber incidents, trusting the agencies would share the intelligence with each other.

“We thought we were being accommodating; we may have been less than crystal clear,” Stawasz said. “So I think there’s been some thought about where is the right place to direct people, even if it isn’t the exclusive place.”


Ransomware actors will keep at it so long as the crime is sufficiently profitable and convenient.

Simply getting organizations to adopt good cyber basics can add friction for attackers. The report finds criminals commonly take advantage of weak passwords and insufficiently secured remote desktop protocol (RDP) endpoints, for example.

On the prosecution side, Stawasz said government should focus less on heaping lengthier sentences on the perpetrators they arrest and more on catching a greater number of criminals in the first place. Making arrests more common will go farther in convincing attackers that repercussions may affect them.


Ransomware actors commonly demand extortion in cryptocurrency, which is easy to move overseas and offers levels of anonymity or pseudonymity. Federal government has sought to crack down on cryptocurrency operators that facilitate illicit payments to ransomware actors.

Law enforcement looking to stop perpetrators from making off with their ill-gotten gains need to time their interventions. Sakellariadis recommended letting payments reach extortionists, so they’re more likely to provide victims with decryption keys in exchange. A more opportune disruption would be to instead intercept payroll disbursements between the ransomware organizations and their employees.
Jule Pattison-Gordon is a senior staff writer for Government Technology. She previously wrote for PYMNTS and The Bay State Banner, and holds a B.A. in creative writing from Carnegie Mellon. She’s based outside Boston.