Ransomware has been a persistent malware issue for many years, but its operators have recently started raking in increasingly jaw-dropping cash.
First, let’s look at what ransomware is: it’s malware downloaded via a malicious email or by someone visiting an infected website. Once it’s downloaded, it uses strong encryption to lock the victim’s files and make them completely inaccessible. The attacker then demands a ransom payment (typically in cryptocurrency) to decrypt the files, often giving a deadline. It’s the stuff of movies…except it’s real life.
At the end of 2022, the formation of a Counter Ransomware Initiative (CRI) was announced. Thirty-seven nations joined in committing to build a collective resilience to ransomware. The initiative intends to work in solidarity to disrupt ransomware and pursue the actors responsible, counter the illicit finance which underpins the ransomware ecosystem, work with the private sector to defend against ransomware attacks, and cooperate internationally across all elements of the ransomware threat.
“The CRI is committed not only to protecting ourselves and each other from ransomware but also to helping other countries protect and disrupt so that ransomware is unable to gain traction worldwide,” the Counter Ransomware Initiative statement said. “To that end, we intend to share technical and threat information and provide protection and remediation recommendations as broadly as possible.”
The money made from ransomware has increased rapidly over time, with one report claiming the total amount paid by ransomware victims increased by 311% in 2020 to reach nearly £288m ($350m) worth of cryptocurrency.
According to IBM’s 2022 Cost of a Data Breach report, the cost of a ransomware attack was £3.73m ($4.54m) in 2022. In addition, Sophos’ 2022 ransomware report recorded an average ransom payment of £668,868 ($812,360) in 2021, an almost fivefold increase from the 2020 average of £139,972 ($170,000).
With this mind-boggling amount of money being made from just one form of cybercrime, is there an adequate response at a national level to stop these groups from operating and continually victimising businesses and the public sector?
The launch of the CRI’s International Counter Ransomware Task Force seems to have come at the right time, with Clare O’Neil, the inaugural chair, saying the Task Force “will enable sustained and impactful international collaboration.” O’Neil is Australia’s Minister for Home Affairs and Cyber Security.
O’Neil says: “Ransomware represents a global threat, and Australia calls on other nations to be part of this global initiative to support effective detection, disruption and prosecution of cyber criminals who use ransomware for financial and other gain.”
The international cooperation will include information and intelligence exchanges, sharing best practice policy and legal authority frameworks, and collaboration between law enforcement and cyber authorities.
Until now, actions taken against ransomware groups have been localised to national law enforcement. However, it’s easy to deduce that if multiple nations coordinated their law enforcement efforts and shared intelligence, success in taking down ransomware operators would be more widespread.
Let’s take No More Ransom, for example. This project launched in 2016 and is backed by national law enforcement (public sector) and private sector cybersecurity vendors. No More Ransom offers decryption tools and advice to users.
Brian Honan is CEO of BH Consulting and a member of No More Ransom. He acknowledges that governments are now aware of the impact of cybercrime (not just ransomware) on the economy and critical infrastructure. “Governments, like the UK and US, are issuing sanctions against individuals and organisations known to be involved in ransomware, and many governments are looking at the legalities around paying ransoms and other types of criminal extortion.”
In terms of response management, Honan says, in no uncertain terms, that the primary responsibility for tackling cybercrime (be that ransomware or otherwise) “should lie with our governments and the relevant law enforcement and security agencies.”
“[Governments and law enforcement agencies] have the power and capabilities to arrest the criminals behind these attacks and bring them to justice. However, there are many challenges in achieving this – not least the international aspect of cyber crime making it difficult, but not impossible, for criminals to be tracked and arrested.”
Honan counters that the onus to protect against ransomware, and other forms of cyber crime, does not lie solely with our governments, and adds that private sector organisations “need to wake up to the fact that as their business is reliant on computers and the internet more than ever” and consequently need to ensure the resilience of their organisation in the face of an ever-evolving threat landscape.
Tim West, head of threat intelligence at WithSecure, says public/private partnerships are not a particularly new or novel concept but considers them “necessary when looking to combat ransomware.” West names No More Ransom as an admirable counter-ransomware alliance, explaining that it “seeks to nullify ransomware actors’ ability to cause impact by offering decryptors to ransomware variants.”
There is emerging evidence that the UK is among the nations taking ransomware more seriously. A statement from the UK government identified ransomware as a tier-one national security threat, as it sanctioned seven Russian cyber criminals through coordinated actions with the US government.
NCSC CEO Lindy Cameron says ransomware “is the most acute cyber threat facing the UK” and reveals that the NCSC is working with partners to bear down on ransomware attacks and those responsible, “helping to prevent incidents and improve our collective resilience.” This is particularly notable given that it was revealed last year that the majority of the British government’s ‘Cobra’ crisis management meetings were convened in response to ransomware attacks rather than other emergencies.
It’s uncontroversial to say that people feel there should be a better response to ransomware. Efforts like the CRI and No More Ransom are undoubtedly a strong start, but are they enough at this stage? Given that the recovery cost for one ransomware attack (chip company Applied Materials) was reportedly $250 million, we may have a (disappointing) answer.
West says we can’t expect to make much of a dent in ransomware actors through arrest. Ultimately, he argues, “ransomware is a relatively low-risk crime for actors” as the risk of arrest is low (when actors follow self-imposed codes of conduct not to attack Russia/CIS). Moreover, it operates at a scale where disruption is more of an annoyance than an existential risk.
Honan adds that cyber crime cannot be fought in isolation. “We need our governments to share and work more closely together to fight cybercrime,” he states, adding that it involves not just the sharing of threat intelligence but also coordination of joint international operations against cyber crime gangs and introducing international treaties and laws to enable criminals identified to be involved in cyber crime to be brought to justice.
“In Ireland, there is an old Irish phrase that says ‘Ni neart go cur le cheile’ which translates to ‘There is no strength without unity,’ and we need governments to unite in the fight against cybercrime.”
Cyber insurance has been popular for years, but the introduction of ransomware cover to policies, which claims to cover the cost of ransomware, including incident response and clean-up, as well as the ransom itself, is hotly debated.
“Morally, many people don’t agree with the payment of ransoms, so there is always the debate on whether it is needed as part of the coverage,” says Ed Ventham, co-founder and cyber insurance broker at Assured. “Just because you buy cyber insurance doesn’t mean you have to buy ransomware coverage,” he adds, noting that removing that element of the policy is optional.
Ventham says cyber insurance “protects you against that event that you cannot recover from.” Ransomware is the single biggest reason for pay-outs in the cyber insurance market. “Even if you morally object to paying the ransom, that’s OK, and trained experts will work with you and offer advice around that decision. Ransomware coverage is more than just the ransom itself, though. It’s about the recovery costs, too.”
The Assured co-founder contends that reported costs around ransomware are often given as a total amount and considers that the incident response and clean-up costs are typically significantly higher than the ransom payment itself. “Cybersecurity and cyber insurance work hand in hand, complementing each other and helping with prevention, remediation and mitigation of a further event.”
Ventham says that while cyber insurance is seen as a new concept, it is “as old as cybersecurity.”