The criminal industry built around hackers stealing and encrypting organizations' data and demanding payment for its return has become a global scourge. It is not just a problem for businesses: government agencies, schools, and even hospitals have been thrown into chaos by ransomware attacks, so the consequences of this type of cybercrime reach well beyond financial loss. According to multiple security vendors, it is a problem that is only getting worse.
You might think that when it comes to the ongoing ransomware threat, there is not much good news to report. However, amid all the gloom, there was some good news in October. Public and private sector organizations from several countries worked together to take down the Russian-led REvil operation. The international task force of law enforcement and intelligence cyber specialists hacked REvil's network, took control of some of its servers, and put the group out of business.
The REvil takedown collaborators were the FBI, Cyber Command, the Secret Service, and "like-minded countries," according to Tom Kellermann, VMware's head of cybersecurity strategy, who is also an adviser to the US Secret Service on cybercrime investigation. The White House National Security Council has likewise described the government's ransomware efforts as being carried out in partnership with the private sector. In the battle between the infosec community and ransomware criminals, it seems evident that the side which is better at collaborating with its allies will have the upper hand. Until now, that distinction has gone to the criminals.
In the wake of his firm's success against BlackMatter, Emsisoft threat analyst Brett Callow told the New York Times, "the reason ransomware operators have gotten away with so much crime is that, until recently, there has been far too little cooperation and communication all around." Many in the industry share the view that ransomware groups would not be able to stay in business if they were not better at collaborating than the teams trying to stop them. The need for more cooperation in fighting ransomware is among the recommendations in a recent report from the Institute for Security and Technology's Ransomware Task Force. "It will take nothing less than our total collective effort to mitigate the ransomware scourge," the report says.
So what makes the cybercriminals' collaboration effective, and what can the infosec industry learn from how they operate? One thing the criminals do well is take care in selecting whom they work with. Their "affiliate partners" are carefully vetted to ensure they have the required skills and allegiances. It could be said that the federal government has followed suit. It has engaged what Wired described as "the most serious constellation of cyber talent ever assembled in the US government," spread across the various organizations tasked with cyber defense, including the Cybersecurity and Infrastructure Security Agency, the National Security Agency, US Cyber Command, and the National Security Council, among others.
Nevertheless, having the best people is only useful if they are deployed effectively, and that too is something the ransomware groups have mastered. Their profit-sharing ransomware-as-a-service (RaaS) model motivates affiliates to constantly find and compromise new targets, while the heavy lifting of building and maintaining the malware and payment infrastructure is left to a smaller group of more sophisticated professionals, resulting in a highly effective division of labor. By contrast, the agencies tasked with cyber defense have overlapping responsibilities but limited funding, and critical gaps in the defensive landscape still exist.
While some overlap of law enforcement responsibilities helps prevent criminal activity from slipping through the cracks, given the limited resources available, it is also essential to avoid unnecessary duplication of duties among the agencies. Under the affiliate structure that ransomware groups employ, there are well-defined divisions, for example, between those who develop the attack software and those who deploy it. This ensures that everyone in the criminal ecosystem carries out their role effectively. Similarly, clear role structures need to be in place in the infosec community so that the agencies operate at maximum effectiveness.
Ransomware groups are also effective at pooling their resources. The infosec community could emulate this through a response recommended in the Institute for Security and Technology's Ransomware Task Force's report. It suggests a proportion of cyber-insurance premiums be used "to evaluate and pursue strategies aimed at restitution, recovery or civil asset seizures, on behalf of victims and in conjunction with law-enforcement efforts." This could be a powerful way of focusing the industry's efforts in a practical direction.
Recent federal government initiatives, together with the recent successes against REvil and BlackMatter, suggest that authorities benefit from better collaboration. While we may have won a few recent battles, we must continue to fight efficiently with all the resources we can muster across the government and private sectors. For example, we can foster effective collaboration on cybersecurity and cyber resilience by setting up a hub of private sector infosec firms and researchers, working alongside a joint government agency task force. This structure would allow both sides to build trust, harness their respective strengths and powers, and work together on operations against ransomware groups. It is the type of simple but potentially effective collaboration we need if we are going to learn from the cybercriminals' strengths and beat them at their own game.