Ransomware payments in the United States reached nearly $600 million in the first six months of 2021, exceeding the amount of ransom that U.S. institutions reportedly paid to cybercriminals during all of 2020. In 2021, the United States has fallen victim to a range of high-profile ransomware attacks, including on the Colonial Pipeline and software company Kaseya—and some experts worry that the ransomware threat will get worse before it gets better.
During Cybersecurity Awareness Month, Cybersecurity Fellow Maurice Turner answered questions about recent cyber attacks on critical infrastructure, the allied takedown of REvil, and how each of us can help prevent ransomware attacks. The below transcript has been edited for clarity.
Just yesterday, reports came out that the NRA had fallen victim to a ransomware attack, coming from the cybercriminal group Grief, which is believed to operate out of Russia. Grief has posted a handful of the files on the dark web and is threatening to post more if the ransom is not paid. This is just the latest in a long string of high-profile ransomware attacks that we’ve seen lately. But the one thing that all have in common is that they seem to be motivated by profit. But what happens when that changes? Is there potential for their motivations to turn political? What would a politically motivated ransomware attack look like?
Profit is often a driving factor, but it is not the only factor in attacks on computer networks. A profit-motivated attacker tends to focus on systems that have a specific set of vulnerabilities. On the other side, a politically motivated attacker will do the reverse. They choose a particular sector or even a specific organization. Then they identify techniques or software tools they can use to infiltrate those targets. This is becoming a big problem, when money isn’t the ransom. My concern is that, what happens when those demands turn to, maybe, an organization having to make a public statement denouncing their prior behavior or commitments? Or, asking for the resignation of a board member? Or even, ceasing funding of certain campaigns? Those are a few of the uncomfortable examples that come to mind when these criminal gangs look to political motives, not just profit motives.
Earlier in the month, the United States convened an international summit on combating ransomware with officials from more than 30 governments. Can you go into detail about what came out of this meeting, and would you consider it a success?
Yes, I would certainly consider it a success. International partnerships are basically the only way that we’re going to combat this threat of ransomware. There’s no way around it. Russia is ultimately the main concern when it comes to either direct, state-backed attacks or harboring criminals that seem to be able to do whatever they want from relative safety. Coming together and showing a strong, international coalition—that is willing to put aside some differences and work together to tackle this immediate threat of ransomware—is ultimately where we need to be going. The approach seems to be one that relies on diplomatic and economic pressure, but also is willing to take the next step to disrupt the worst ransomware gangs, like the REvil gang.
International cooperation is important, but with a lot of ransomware operations originating in countries like Russia, what kind of action or consensus can we really expect?
I think it’s going to fall more toward the law enforcement agencies. They already have a tremendous amount of experience working together when they need to observe and track and ultimately take down criminal elements in other areas. The recent takedown of the REvil gang was an example of that. It was more than just the United States doing it alone; it was doing it with other international partners, both in the public sector and in the private sector.
I would call that a solid B+ effort because it was effective. But I’m disappointed that both the FBI and the White House National Security Council issued a shadowy “no comment” rather than taking credit for that action. I would have liked to see a joint press conference announcement, which would have been a more significant public step to reassure the general population that the U.S. is taking this issue seriously. And, it would have been an unambiguous warning to cyber criminals that our government is willing to exercise its capabilities to disrupt those kinds of malicious activities.
Thank you for bringing up REvil because I would like to hear more about what you think of counter-hacking as a solution to the fight against ransomware. Are there more effective tools in combating cybercrime groups, or is this counter-hacking method effective?
Counter-hacking or “hacking back” is something that has been discussed for a number of years now, mostly within the context of whether or not private entities should be able to do those kinds of operations or if that’s strictly the role of government. The challenge is that, while we’re having these discussions, the criminals are getting away with more and more activities that are disrupting everyday life and, actually, making them a lot of profit. So, whatever the decision is, it needs to be made fairly soon to be able to react to this growing crime spree that we’re seeing.
I believe it’s incumbent on the U.S. to send a bold and unequivocal message that targeting and disrupting critical infrastructure sectors, like energy, food, and other supply chains, will no longer be tolerated. There are additional offensive capabilities that can be used to send that message very effectively, but ultimately, the most effective tool in combating ransomware is education. Getting people to use strong passwords and multi-factor authentication would eliminate more than 90 percent of the opportunities for ransomware to be successful. And if ransomware is less successful, that means it’s less profitable and criminals are less likely to go into that and look to ransomware as a steady source of profit and business revenue.
So all of us can play a role in combating cyber attacks and ransomware.
Absolutely, and that’s really the point of Cybersecurity Awareness Month; it’s to let folks that are not technically inclined know that they absolutely play a role in making sure that they can help keep everyone safe. It really comes down to how people can put in a little bit more effort to make themselves a lot more secure. And if we can do that, then we can really reduce the motivations for criminals to get into this line of business. Now, there will always be those criminals or even nation states that want to use network-based attacks to disrupt and cause harm, but really the focus is how do we get the general public to make themselves less attractive victims and then that really frees up resources of governments and private sector companies to focus on defending from those nation-state level attacks that, really, the average person can only be so resilient to. If they’re the target of a nation-state attack, there’s not so much they can do. But if they’re the target of a criminal group, there’s a lot they can do to prevent that criminal from being successful and taking over their systems, demanding money, or just causing damage.
Earlier you mentioned that the effort to hack back at REvil was a B+ effort. What would an A+ effort look like? Is the difference the messaging that you mentioned, or is there something else that you would have liked to see happen?
The difference is the messaging. At this point I am disappointed to see that the federal government isn’t taking credit for more of these efforts. We see it in deterrent strategies in other domains. You have a particular attack that occurs, and there’s a response, and the government takes credit for that. And it really is a matter of making sure that it’s communication going to the general public as a measure of assurance, but also it’s messaging that’s going to criminals and likely criminals that they really should think twice about performing similar attacks. Right now, there are just too many attacks to count. And that’s part of the problem, is that there are so many network attacks that are going unaccounted for, because people simply aren’t even reporting them to law enforcement or they’re not reporting them to the federal government. We don’t know how big the problem actually is, but the consensus is that it’s much bigger than what we know it is right now. Anything that can be done to help prevent attacks certainly helps on the other side when it comes to incident response and retaliation operations.
Is there anything else that you want us to be aware about as we head towards the end of Cybersecurity Awareness Month?
You touched on it earlier. Do your cybersecurity training. Sometimes, it’s not the most interesting, but oftentimes it’s helpful, because it really comes down to the basics. Use strong passwords, preferably using a strong password manager, so that way you don’t have to worry about writing it down or reusing a password. And then, whenever you can, use multi-factor authentication, whether that’s going to be a hardware key that you plug in, or getting a text message sent to your phone. That second factor of authentication will slow down a tremendous amount of potential attacks and help keep you and others more safe and secure.
Do you have any recommendations for password managers that we should be using?
Use the built-in password managers. Every major operating system and every major web browser has a password manager. It’s actually so easy to use. It’s almost more work to not use it. It keeps track of all the passwords; it suggests strong, unique passwords; and it will even auto-fill the passwords without you needing to type anything. Make it easy for yourself and use those built-in security tools to keep yourself safe.
Cameron Bertron contributed to this publication. The views expressed in GMF publications and commentary are the views of the author alone.