As lawmakers mull outlawing poor security, what can they really do to tackle online gangs?
Headline-grabbing takedowns are nice, but long-term solutions require short-term sacrifices
Comment In some ways, the ransomware landscape in 2023 remained unchanged from the way it looked in previous years. Vendor reports continue to show a rise in attacks, major organizations are still getting hit, and the inherent issues that enable it as a business model remain unaddressed.
Yet what 2023 may be remembered for is how law enforcement (LE) bookended it with a showing of progress and intolerance, making good on promises to bring down gangs that were once showpieces for the cybercriminal world.
Lawyer guilty of arrogance after ignoring tech supportREAD MORE
The demise of RagnarLocker and Qakbot followed that of Hive at the start of the year, and partial success was enjoyed in the attempts to end AlphV/BlackCat in December. While the latter still lives on and has continued to breach victims, LE was able to release a decryptor for hundreds of previous cases, and that alone shouldn't detract from what has been a huge year for counter-ransomware ops.
AlphV/BlackCat might have squirmed their way out of authorities' clutches for now, but the action from national security agencies this year has given the industry reasons to be cheerful after a barren year for good news on this front.
2022 saw a rare drop in ransomware attacks but it was short-lived and still plagued by major incidents, even if there weren't quite as many of them. LE also failed to register a single significant bust, with the previous one being REvil's shuttering in late 2021.
Conti died off, but only its brand. And LE had no hand in the matter. The group ravaged organizations and governments for years before splitting off into smaller cells.
Indeed, 2023 was something of a statement sent by authorities. For years, various agencies repeated renditions of 'ransomware can no longer be tolerated', but the disruptions from the past 12 months feel like genuine steps in the right direction.
However, there are still missing pieces of the puzzle, and the lack of arrests remains a concern. Dismantling an operation is no mean feat and should be commended, however, in the grand scheme of things, it stops essentially nothing if the criminals continue to run free.
The need for robust intervention here is undeniable. LE's takedowns are impactful but not preventative. The industry needs governments to insert themselves into the crisis and take decisive action to stop ransomware from becoming even more out of hand than it already is.
Take AlphV/BlackCat, for example. It was arguably the scummiest of all the ransomware groups in 2023. In the space of 12 months, its leaders – believed to be based in Russia – signed off on some of the worst acts ever seen in ransomware, including the leaking of breast cancer patients' nudes. Despite being known for freely targeting hospitals, charities, schools, and other similarly sensitive targets, the attack on Lehigh Valley Health Network was a new low.
The crew also continued to push the boundaries of extortion, even going so far as to weaponize the Securities and Exchange Commission (SEC). In November it allegedly filed a regulatory complaint over a target's failure to report a breach within the mandated four-day window. It then repeated the trick in December. Both were brazen attempts to hurry along ransom payment negotiations. No wonder the feds tore it down.
If the authorities are serious about disrupting ransomware for good, and ensuring criminals like those behind the worst operations are left without a job, then the approach must change. If takedowns alone aren't working, and they aren't working, other solutions are required.
Governments will have crucial roles in the fight against ransomware. Industry will no doubt pray that 2024 will be the year in which state influence finally exerts itself into cybercrime in the way it needs to. Introducing impactful legislation, however, will be far from straightforward.
Step up, lawmakers
It goes without saying that the private sector must do better while it waits for higher powers to enact the required change. Building better, more secure products will ease the burden of applying the countless patches released every month – a relentless function of security gigs that shouldn't be as disruptive as it is.
Law enforcement is doing a solid job at disrupting ransomware within its powers, and cybersecurity awareness in organizations is increasing gradually to mitigate the threat. The next step in the fight against ransomware, however, must come from the legislature. 2024 can and should be the year that's remembered not just for the biggest takedowns, but for the impactful policy decisions that help quell the threat for good.
That said, there aren't any perfect solutions here. There are a few schools of thought when it comes to combating ransomware through legislation, the most prominent of which is to ban ransom payments entirely, both from the public and private sectors.
Politicians have wrestled with implementing a ransom ban for years, but have taken no serious steps to introduce one. The closest we've come on a global scale is with the International Counter Ransomware Initiative's (CRI) pledge to refuse ransom payments, but without any private sector implications, it means fairly little.
Despite it being a solution that would almost certainly deliver the desired outcome in the long term, the short-term consequences of banning ransom payments would likely be dire. The organizations hit with ransomware in the first months, years, or however long it takes for ransomware gangs to abandon their craft, after such a law's enactment will have their futures jeopardized. There is also the genuine possibility that the hard work infosec has done to promote a culture of transparency is wholly undone. Attacks could once again be hidden from the public and authorities, and payments continue to flow, but more quietly.
Another approach is to outlaw poor security practices. The idea is that organizations which leave themselves open to targeting by cybercriminals ensure there are always individuals willing to exploit them, perpetuating the issue.
Neither this approach, nor one that involves a ban on payments, is actually ideal or even productive when we consider potential victims like hospitals. These types of underfunded institutions that provide critical services cannot afford any downtime, let alone a SOC staffed with world-class talent. When they get hit, the only priority is to get systems back online so people don't die. Do we punish the overstretched hospital IT teams here?
- Spanish phisherfolk caught in cops' net in multi-million-euro catch
- Admin behind E-Root stolen creds souk extradited to US
- US officials close to persuading allies to not pay off ransomware crooks
- A tale of 2 casino ransomware attacks: One paid out, one did not
An area to explore further is placing greater responsibilities on organizations involved in the trading of cryptocurrencies to disrupt the flow of funds to known cybercrime rings. It's one of the intentions of the CRI and can already be seen in action today.
The UK's Financial Conduct Authority (FCA), for example, already has the power to audit crypto firms, like exchanges, for anti-money laundering (AML) and terrorist procedures. Part of the CRI's pledge is to also implement the Financial Action Task Force (FATF)'s Recommendation 15, which essentially stipulates that similar checks should be carried out at the government level across all 50 of its members.
However, given that I've been requesting briefings with the FCA to discuss this very matter, and its plans to stem the flow of illicit funds, for months now, only for it to ignore every contact, I have little confidence this is considered a priority at the regulatory level.
Ensuring the legislative approach that's taken is both effective and doesn't threaten the futures of organizations is going to be a difficult task. What's incontrovertible though is that legislation is required in some capacity.
What we have seen in the past year though is Western governments' willingness to keep fighting and refusal to back down against the threat. The concrete action of LE in 2023 not only delivers admirable disruption to cybercrime but serves as a constant reminder that ransomware will never be accepted, even though it has become somewhat normalized.
It's a precarious road ahead but here's hoping 2024 builds on the progress of 2023. ®