Disrupting ransomware

Strategic Insight 009/2023

David J. Hickton

20 April 2023

Governments around the world are making significant progress in disrupting and deterring cyber criminals from launching ransomware schemes, but far more is needed to properly address this evolving problem.

It’s been nearly a decade since the United States Department of Justice indicted the notorious Russian cyber criminal Evgeniy Bogachev for masterminding the GameOverZeus malware scheme. By conservative estimates, Bogachev’s Business Club gang stole more than $100 million in the United States alone. As the prosecutor leading the investigation, my own estimate of their take was: ‘how high can you count?’

The Bogachev case is recognised as the first prosecution of ransomware. In truth, we found the ransomware scheme by accident. At that time, most of the world was unfamiliar with the then-novel cyber extortion schemes that locked victims’ computers and demanded a ransom in the equally novel cyber currency called Bitcoin. The investigative team came to me very late in the effort to ask whether I would add additional charges for a ransomware scheme called ‘Cryptolocker’ to the indictment. In nine short months, Cryptolocker had caused millions in victim losses and had become the number one source of complaints to the FBI hotline. Following the announcement of Bogachev’s prosecution in June 2014, he was placed on the FBI’s Most Wanted List and a $3 million reward was offered for his capture.

Bogachev is one of the most infamous cyber criminals of all time. He is also a suspected Russian intelligence asset. It has been reported that his cybercrime digital highways were harnessed by Vladimir Putin to facilitate the invasion of Crimea in 2014. His role in the current crisis in Ukraine is unknown, but he has been a model for Russian cyber aggression. He remains at large.

Limited progress

That’s not to say that progress isn’t being made. In the United States, for example, the Department of Justice (DOJ) has made significant strides in turning the supposed anonymity of digital currency ledgers into traceable trails that lead to perpetrators. In June 2021, in the Colonial Pipeline case, the DOJ was able to track and seize the ransom funds paid and identify the extortion hackers. In July 2021, the DOJ, in partnership with the Department of Homeland Security, established a one-stop Ransomware Resource to better facilitate cooperation and to identify and disrupt ransomware actors.

Progress was realised again with the January 2023 takedown of the Russian Hive ransomware consortium. Through this effort, law enforcement agencies working across multiple jurisdictions were able to save more than 1,500 victims in 80 countries from having to pay over $130 million. Another indicator of progress can be seen in the United States-United Kingdom coordinated sanctions against seven leading members of the Russian hacking gang known as Trickbot, which targeted hospitals and healthcare centres with ransomware attacks.

We can expect to see more coordinated sanctions targeting ransomware actors in the future. Making it harder for these bad actors to receive ransoms and to move money does work. For sanctions against ransomware actors to be even more effective, more governments will need to participate. To be sure, sanctions against ransomware actors are no easy task – both because of the challenges of attribution and because victimised organisations desperate to recover may be willing to pay ransoms. But persistent, cooperative sanctions can raise the costs of enacting ransomware schemes for bad actors.

All of this recent progress is laudable, but more needs to be done to mitigate this problem. Hackers still collected more than $450 million in ransom payments last year, with 41 percent of ransomware victims choosing to pay up rather than risk losing their data. In some instances, victims could incur penalties or sanctions for paying hackers or other prohibited entities in an effort to retrieve their data. Each victim who pays does so knowing that there is no assurance that they will get their data back or that they will be protected from further attacks. Nor does that account for the advent of generative AI, which has made it far easier for hackers to develop even more pernicious ransomware.

Coordinated next steps

We need a better approach to our software and technology products, one that is ‘secure by design’, as the head of the U.S. Cybersecurity and Infrastructure Security Agency, Jen Easterly, put it on a recent visit to Pittsburgh.

We need to tighten our defences, including by implementing zero trust architectures. Just as hackers move to the weakest link in the supply chain, ransomware criminals will migrate to victims who are unprotected or lack resolve. It’s incumbent upon all of us – from governments to corporations to individual citizens – to properly protect ourselves against this pernicious threat. This means we need better awareness of threat vectors, real-time information sharing and cooperative distribution of remedial and response measures. All of this is possible only if we improve public and private sector collaboration across the globe.

Individual nation states will need to put an emphasis on fighting ransomware. The United States, for example, took a critical step in announcing a new national cybersecurity strategy. The White House specifically addressed ransomware and said it will ‘employ all elements of national power’ to combat the threat along four lines: leveraging international cooperation, disrupting ransomware infrastructure, bolstering infrastructure to make it more resilient to attacks and addressing the use of virtual currency to launder ransom payments. The White House recognised that ransomware is a ‘borderless challenge requiring international cooperation’. This is a good start; now it needs to be put into action.

Of course, the ransomware and cybercrime problem is not just a nation state problem with nation state solutions. We need global action. We need to ensure that the entire connected free world is united in cooperation in combatting ransomware. This means vigilant detection, strong enforcement and stiff penalties. This means more investigations and a full toolbox approach from criminal prosecutions to economic and trade sanctions, including delicensing and debarment. There must be coordinated diplomatic consequences where it can be established that a nation state is the perpetrator.

Unfortunately, the truth is that there is no perfect solution to abate this evolving threat. Encryption and double-extortion ransomware schemes are difficult to combat, and the problem seems to be getting worse despite progress being made on multiple fronts. But we can partner productively and, with resolve, can ensure that the profit in these attacks is no longer worth the risk.

David Hickton is a distinguished fellow at the Azure Forum for Contemporary Security Strategy. He is the founding director of the University of Pittsburgh’s Institute for Cyber Law, Policy, and Security, which hosts the Pittsburgh Task Force on Public Algorithms. He is a former U.S. attorney for the Western District of Pennsylvania.

This article was originally published in EU Cyber Direct on 30 March 2023.

The Azure Forum is a nonpartisan, independent research organisation. In all instances, the Azure Forum retains independence over its research and editorial discretion with respect to outputs, reports, and recommendations. The Azure Forum does not take specific policy positions. Accordingly, all author views should be understood to be solely those of the author(s).