National security isn’t just about warfare or physical conflict. Anything that directly affects economic stability and economic capability is also part of national security, and that includes ransomware attacks.
This year’s ransomware attack against Colonial Pipeline is a clear example of how such an attack can disrupt large portions of the economy. Whether the attackers intended to disrupt the flow of gasoline across the US East Coast isn’t even the point. What matters is that they did, resulting in panic buying and shortages at the pump.
“Cyber disruption is one of the greatest threats to the economy,” says Marcus Fowler, director of strategic threat at Darktrace. Ransomware attacks can have a “snowballing effect,” he adds, elevating them beyond independent events to a national security concern.
Not helping matters, the wide availability of malware toolkits and ransomware-as-a-service has lowered the barrier to entry for criminals, who have become increasingly successful at targeting large organizations across a variety of industry sectors and demanding ever-larger ransoms.
Government Takes Action
But recent actions by law enforcement and federal investigators have made it more difficult and costly for these gangs to operate. In fact, simply designating something as a threat to national security shows that the government is prioritizing the issue, Fowler says.
Some actions involve taking resources away from the cyberattackers. The FBI compromised the servers used by the gang behind the REvil ransomware and forced the group offline this fall. Law enforcement officials have also arrested several perpetrators over the past few months, including a Ukrainian national for taking part in the attack against Kaseya, as well as multiple ransomware operators who used GandCrab and REvil/Sodinokibi in their operations.
In addition, a global law enforcement operation — including the French National Cybercrime Centre of the National Gendarmerie, the Cyber Police Department of the National Police of Ukraine, the FBI Atlanta Field Office, Europol, and Interpol — arrested two operators, seized $375,000 in cash, and froze approximately $1.3 million in cryptocurrency.
Last but not least, the US Department of Justice seized $2.3 million in Bitcoin that had been paid to the attackers who targeted Colonial Pipeline.
For some ransomware operators, these arrests, takedowns, and recovery efforts are enough to convince them to shut down to avoid prosecution. Others become more resilient. Regardless, applying this kind of pressure is necessary, Fowler says, noting that this is a “resource game.” The aim is to convince operators that the ransom payoff is not worth the time and effort of continually setting up new infrastructure and developing new methods to evade detection and capture.
“If we keep them in the position of needing to spend resources to stand up their own [architecture] and recruit new members, does that delay what the threat actors are trying to do?” Fowler asks.
Government pressure on cryptocurrency exchanges and sanctions against some entities can’t end ransomware, but they do impede attack operations.
“Anything that makes it harder for them to do their job, where they have to put more thought or more effort around their infrastructure or around how they’re going to get paid — that is time that they’re not spending ransoming [someone],” Fowler says.
While the pressure campaign is important, it shouldn’t be considered more important than investing in defensive resources and stopping ransomware. Dealing with ransomware requires better defenses and improved response.
“You have to be putting pressure on the [attackers], while at the same time trying to ensure that you defend well enough so that in an attack you can minimize damage,” Fowler says.
Unlocking Resources for Defense
While there may be a perception that treating these attacks as a national security threat means more offensive action, such as attacking the ransomware operators, the more important impact is that it unlocks resources that otherwise would not have been available, Fowler says. Along with increased funding, the government can establish task forces and other support structures to put more people on the problem.
Elevating cybersecurity to a national security concern also makes it easier to work with international partners, which is critical because the attacks often transcend borders, with attackers, victims, and infrastructure frequently located in different countries.
“The national security threat needs to translate to better defensive prioritization and robust activity, and not just going after them,” Fowler says. “To have a cyber strategic advantage, you need to be able to defend better.”
Amid the current surge of ransomware attacks, the fact that the national conversation now includes cybersecurity and defense is a “silver lining,” Fowler says. There was some concern among cybersecurity experts that it would take a major, multiday destructive cyber disruption before defense would be prioritized appropriately. The infrastructure bill passed this year, for example, has funds specifically earmarked for cybersecurity.
“When you prioritize cybersecurity defense, it’s not just ransomware you are actually defending against,” Fowler says.
Making a dent in the volume of ransomware attacks requires a combination of this kind of pressure campaign and continued investment by enterprises in defense, response, and recovery.
“Defense is going to be what changes the game in terms of ransomware actors, when they just can’t get that many ransoms,” Fowler adds.