The U.S. has made serious progress on half of 48 counter-ransomware recommendations since the IST published them three years ago, and the IST continues to urge attention to the remaining 24.
“We need to broaden and deepen our ability to disrupt, to deter, to prepare and respond … because if we don’t, we’ll have this exact same conversation next year,” said Andrew Boyd, an IST board of directors member during the event. “And that will be unacceptable.”
Taken as a whole, ransomware attacks are an “existential threat to our national security” on par with 9/11, Boyd said.
New support is emerging, with the Cybersecurity and Infrastructure Security Agency (CISA) piloting a ransomware vulnerability warning program. CISA scans for vulnerabilities ransomware is known to exploit, then warns participating organizations when it finds one in their environment, CISA Director Jen Easterly said. Next, CISA intends to automate such warnings under another forthcoming program called ReadySetCyber.
Additionally, CISA’s new pre-ransomware notification initiative alerts organizations to intrusions quickly, so they can react before attackers have time to encrypt or cause other harm, said Eric Goldstein, CISA executive assistant director for cybersecurity. Stopping all intrusions is an impossible goal, but the U.S. could get to a point where they’re caught quick enough to prevent harm — especially if more people and organizations start sharing warnings.
Other federal efforts need more work — with IST urging more support for victims and likely targets. The Cyber Response and Recovery Fund is one effort intended to help public and private entities in case of a major ransomware incident, but Goldstein said there are steep barriers to accessing it. For one, money can only be released if the Department of Homeland Security declares a significant cyber incident — which has never happened. Secondly, the victimized organization and CISA would have to demonstrate that no other government resources could help.
On the offensive side, there have been some successful ransomware operation disruptions, but law enforcement and private-sector partners need to work to make sure these have long-lasting effects, per a new IST report.
Brett Leatherman, deputy assistant director of the FBI Cyber Division, said enduring disruptions target many parts of threat actors’ ecosystems. That includes pursuing gangs’ means of receiving payment, tools for communicating with victims or each other, technical infrastructure and their malware and tools, as well as arrests.
Cyber criminals can be frightened off, said Timothy Court, of the U.K. National Crime Agency. He believes those striking out from behind a computer screen tend to be less hardened than in-person criminals or those who’ve gone through incarceration, and profit-seekers are less firmly resolved than ideologically motivated actors.
Many ransomware groups now operate like commercial franchises. As such, law enforcement can aim to undermine trust in the group to dissuade affiliates, by doing things like making the group’s brand “so toxic that no one goes near it,” Court said.
Deterrence strategies must suit attackers’ motives, and a rising tide of young, violent ransomware perpetrators care less about collecting extortion than building reputations.
“We had a young man [in Lapsus$] who was hacking multibillion-dollar companies, not demanding ransoms, causing chaos and also committing horrendous physical harm,” Court recalled.
Disrupting profit flow may not deter such actors, and Court recommended quick, aggressive pursuit. Many of these younger criminal groups operate from Western countries, making it easier for U.S. law enforcement to reach them, Leatherman said.
Preparing for a cyber incident isn’t just the purview of policy and IT folks, and awareness campaigns and tabletop exercises need to reach everyone, said Nicole Tisdale, founder of Advocacy Blueprints.
Cyber criminals are likely to strike targets while other disasters are going on to deepen pressure to pay. For example, they might hit a small, rural water facility in Mississippi while it's recovering from a tornado during flood season. As such, a realistic response — and the tabletop preparation for it — should involve not just IT teams but also the Red Cross, faith leaders, local civil rights organizations and others, Tisdale said.
