Ragnar Locker Takedown Alone Won't Stop Ransomware Growth, but Here's What Will
Companies must ask how at risk they are and how limited their operations would be after a cyberattack, then address the gaps so that paying a ransom becomes less necessary.
December 4, 2023
By Vishaal "V8" Hariprasad, CEO & Co-Founder, Resilience Cyber
On October 20, Europol announced the takedown of the infamous Ragnar Locker ransomware operation, including the arrest of a key target and ongoing interviews with suspected associates. The takedown made international headlines, and for good reason: since 2020, the Ragnar Locker group has hit more than 160 companies worldwide, predominantly in the critical infrastructure sector.
We should certainly applaud the law enforcement units behind the takedown, but at the same time, we must take a step back and consider the bigger picture. Ragnar Locker's takedown isn't the silver bullet the industry needs. Case in point: earlier this autumn, we learned that the Qakbot malware group — previously thought to have been taken down entirely by the FBI — is still operational.
Ultimately, the Ragnar Locker takedown is the most recent example of a Band-Aid solution that is unlikely to fix the ransomware crisis. And that crisis is only growing worse by the day. Based on internal data on client ransomware incidents and extortion demands, Resilience recently found that 2023 is poised to be one of the most prolific years for ransomware. Interestingly, the percentage of companies industrywide electing to pay a ransom has never been lower. But as a result, attackers are changing their strategies. To make up for growing resistance to extortion attempts, they have started going after bigger companies that can afford bigger payments: data from criminal cryptocurrency payments indicates that the average cost of an extortion incident nearly doubled from 2022 to 2023.
The shift to this kind of "big game hunting" is a prime example of how ransomware groups constantly evolve to dodge takedowns and keep profiting. We can pursue a decapitation strategy against ransomware leaders all we want, but the crisis won't fade away that easily. In fact, in the wake of these changing strategies, things may be getting worse. Our research found that attackers are increasingly targeting third-party vendors, where a single intrusion can be scaled to hit hundreds or even thousands of companies at once. Leading crimeware actors continue to build step-by-step hacking playbooks that keep the barrier to entry very low, so the arrest of a handful of attackers doesn't always mean the end of their broader group. And all the while, the advent of generative AI and other emerging technologies opens unprecedented avenues for increasing the efficiency and scale of hacking operations.
A change in basic assumptions is sorely needed. If ransomware is inevitable, what can be done?
Collaboration Is Key
To start, we need far better collaboration among private companies, insurers, and law enforcement. While immensely powerful, law enforcement can only do so much with limited information about ransomware operations and attacks. By increasing data sharing and transparency, victims of these attacks can aid law enforcement in future takedowns. This kind of collaboration is scattered today, in part because of the shame attached to a large-scale attack, but it should become the norm if we want to keep disrupting hacking infrastructure and making arrests. The US government still needs to deconflict incident notification requirements between the new SEC disclosure rules and the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA), which was signed into law last year, but we are on the right path.
It's a tall order, however, and will take time to become the status quo. So, in the near term, it will be imperative to hit hackers where it hurts most: their finances.
First, law enforcement should continue to recover as many extortion payments as possible. This has precedent: look to the US Department of Justice clawing back $2.3 million of the cryptocurrency ransom paid to the DarkSide hacking group, which made headlines for its large-scale attack on Colonial Pipeline in May 2021. This show of force tells threat actors that even if they receive a massive ransom payment, there is no guarantee they will be able to keep it. Yet this reactive approach to removing the financial incentive is only half the battle. We need a proactive way to minimize the incentives for attackers, too.
That proactive approach should take the form of cyber-risk calculation, paired with an explicit risk tolerance. Today, security leaders use a checklist approach to building a defense-in-depth strategy, which doesn't always prioritize the controls or risk management strategies that limit monetary loss. From our extensive work with extortion-based attacks, we see that it is the threat of financial loss that drives companies to pay extortion demands, which in turn keeps fueling the criminal ecosystem. But by shifting priorities toward building cyber resilience that explicitly limits financial loss, we have seen clients become significantly more resistant to extortion attempts. The economics make sense, but the conversation needs to cover more than security controls to reach a better understanding of cyber value at risk and how to reduce the probability of a crippling incident.
Companies must ask themselves: How at risk are we, based on industry and historical attack patterns? How limited would our operations have to be following an attack? Only then can companies plug the necessary gaps in their cybersecurity postures. This means that the fallout from an inevitable ransomware attack doesn't always have to be devastating — and paying the ransom becomes less and less necessary.
Rethink Internal Operations
This risk calculation will require a fundamental rethinking of companies' internal operations. Cybersecurity departments have historically been siloed from risk management and financial leadership. But breaking down these barriers and prioritizing joint planning can help companies understand how much risk they're buying down with their mitigation controls and risk transfer investments. In this way, cyber hygiene becomes an integrated objective that can have measurable benefits.
This change is needed now more than ever, as cybercriminals shift toward scaling their attacks through critical vendors and targeting bigger and bigger victims. We should aim for a world in which hacks don't make headlines: one in which companies are resilient enough that even the most intimidating threats cannot cripple them, and attackers can no longer profit from their crimes the way they have grown used to.
Tackling ransomware operations head-on is laudable. But it will never be a silver bullet. Fortunately, we now have an unprecedented glimpse into the ever-evolving ransomware problem — and a new, clear opportunity to fix it.
About the Author
Vishaal Hariprasad, best known as "V8," co-founded what is now known as Resilience in 2016 to bridge the divide between cyber insurance and cybersecurity. As a licensed insurance broker and producer, as well as a veteran of both the US Air Force and the cybersecurity industry, Vishaal brings the leadership skills he honed in his years with the military to his position as CEO for Resilience. After graduating from the United States Air Force Academy, V8 was commissioned to military service as a Cyber Operations Officer for the Air Force. Hariprasad is an Iraq War veteran and a recipient of a Bronze Star Medal. In 2012, he co-founded Morta Security, which was acquired by Palo Alto Networks, where he then served as a threat intelligence architect. In 2015, V8 was tapped to serve as a founding partner at the Pentagon's newly established Defense Innovation Unit Experimental (DIUx) in Mountain View, California, an office under the Secretary of Defense charged with leveraging commercial technology to solve defense challenges. V8 holds a B.A. in Mathematics from the US Air Force Academy and an M.S. in Information Technology from Virginia Polytechnic Institute and State University (Virginia Tech).