Ransomware – a burgeoning geopolitical weapon?


Today, ransomware is treated mostly as a criminal problem, but there is an argument for treating it as a geopolitical issue too. As a cheap and easy way to steal money from large businesses, it is no wonder the CEO of the UK’s National Cyber Security Centre called it “the most immediate danger to the UK.” Put simply, it works. And because it already works so well against businesses, it could also become a tool for extracting concessions from powerful countries.

About the author

John Shier is Senior Security Advisor at Sophos.

Ransomware affects organizations of all sizes, and in all sectors. The attackers range from low skilled cybercriminals renting the necessary malicious code and tools, to sophisticated, well-resourced groups that can be nation-state-tolerated if not actively nation-state-supported. And unsurprisingly, most attackers take full advantage of a connected, online world to launch their attacks across borders, far beyond the reach of their victims’ national authorities and law enforcement.

A growing threat

In 2021 alone we have seen major ransomware attacks seriously disrupt national infrastructure, such as the DarkSide attack on Colonial Pipeline in the U.S. and the REvil attack on Kaseya and its customers. Our own research shows that, in 2020, more than one in three (37%) organizations worldwide took a direct hit from ransomware. Many more were targeted by intrusions that would have ended in ransomware had they not been detected and blocked in time. That these attacks happen so frequently, and that attackers can extort such large sums from their victims, shows that encrypting a victim’s data has become a reliable way to hold it hostage. Is it really out of the realms of possibility for attackers or terrorists to set their sights on even bigger targets?

The answer is that it is not. Keeping valuable assets hostage has been a feature of geopolitical conflict since time immemorial. In recent years, we have all seen non-state actors take hostages to negotiate prisoner swaps, and terrorist groups occupy government buildings. Just a few years ago, IS seized Iraq’s largest oil refinery as a bargaining chip. Ransomware could make these sorts of acts even easier: it does not require military power, it does not require geographical advantage (or even presence), and it is practically cost free. Why wouldn’t it be a viable alternative?

Governments around the world are starting to wake up to this possibility. In June 2021, the G7 stated a shared commitment to urgently address the escalating threat from criminal ransomware networks, calling on all states to identify and disrupt ransomware criminal networks operating from within their borders and to hold those networks accountable for their actions. But awareness and commitment alone are not enough. We need to ensure that announcements by world leaders translate into real policy and resources to tackle this issue.

Regulate cryptocurrency exchanges

Firstly, the ransomware business model relies almost entirely on cryptocurrency payments. Many cybercriminals use cryptocurrency exchanges to convert their ransoms into hard currency, so regulating this landscape would be a necessary and effective first step in making it harder for ransomware groups to profit from their endeavors. It would also hit them where it hurts most.

In practical terms, this would mean broad “know your customer” (KYC) requirements and anti-money-laundering (AML) rules that stop crypto firms within a country from being used by cybercriminals to cash out. More widely, nations could work through international bodies such as the G7 to apply these rules globally. Nation-states such as Russia and China have their own incentive to regulate domestic crypto traders, because it forces cryptocurrency to be converted into their own currency, which both strengthens their financial control and opens a new source of tax revenue. The fewer countries in which ransomware groups can safely cash out their payments, the less appealing the business becomes.

Bridge the gap between cybersecurity experts and policy makers

Secondly, there is currently an unfortunate gap between policy makers and cybersecurity experts, meaning the security vendors and professionals with the skills to defend against current and emerging cyberthreats. This gap has to be bridged, and quickly. Even in the UK, the Government’s own 2021 data shows that half of UK businesses lack basic professional cybersecurity skills, meaning things like securely storing and transferring personal data, configuring firewalls, and detecting and removing malware. A third lack more advanced skills, most commonly in penetration testing, forensic analysis, and security architecture, and 32% report a skills gap in incident response. Upskilling as a policy is essential if we are to address the problem.

Next-generation, AI-powered cybersecurity technologies and third-party threat hunting and incident response can go a long way towards protecting an organization that lacks in-house skills, but we still need people who know how to apply this technology and who understand the growing digital needs of their own organization. Non-security IT employees also need to be used more effectively: they can contribute to securing an organization through simple but effective processes such as timely patching. The security skills shortage is an escalating global challenge in the never-ending race between attacker and defender.

Fit for the future

Attackers are not only deploying more advanced techniques, but also altering their tactics by targeting more impactful and financially lucrative organizations, causing more damage and disruption and demanding ransoms that can run into tens of millions of dollars. The average cost to a mid-sized organization of remediating a ransomware attack more than doubled in a year, from $761,000 to $1.85 million, so it has never been more important to take ransomware seriously.

And while the above measures won’t eradicate the problem, they are significant steps that need to be taken in what has become a global crisis, requiring a global response – particularly given the increasingly murky and interconnected relationship that appears to exist between ransomware groups and certain nation-states.

Governments must place cybersecurity talent in the right places and work together, as well as with the private sector and multilateral groups and agencies, to establish and enforce a baseline in both national and international anti-ransomware standards. As the UK prepares to publish its new National Cyber Security Strategy later this year, it is worth bearing in mind that a strong geopolitical approach can set a new standard for cybersecurity and, in turn, begin to deter criminals from ransomware. Most importantly, it can keep the frightening shadow of ransomware’s use as a weapon at bay for a few more years.



John Shier is a senior security advisor at Sophos with more than two decades of cybersecurity experience. He’s passionate about protecting consumers and organizations from advanced threats, and has researched everything from costly ransomware to illicit dark web activity, uncovering insights needed to strengthen proactive cybersecurity defenses.