The digital scourge known as ransomware — where hackers shut down electronic systems until a ransom is paid — is worse than ever. In recent months, these attacks have leaked sensitive government data, thwarted the operations of hundreds of companies and even temporarily shut down one of the United States’ largest oil pipelines. The latest cyber gang on the scene, Groove, a motley crew of criminals who have already leaked 500,000 private passwords, has begun threatening President Biden directly. (It’s probably pure bluff, of course.)
To combat the ransomware problem, the Biden administration has so far taken a two-pronged approach: joint diplomacy with countries harboring cybercriminals and extensive defensive capabilities at home. These are critical efforts. But to really tackle the problem, the government must also develop an offensive strategy – and fight back.
Diplomacy with Russia, even if it succeeds, will not be enough. Despite repeated requests from the Biden administration, there is no evidence that Russia’s President Vladimir Putin has taken any action to put pressure on ransomware criminals operating within Russia’s borders. Instead, REvil, the Russian-speaking group that claimed responsibility for this summer’s attacks on numerous US companies, has brought its servers back online after a brief hiatus in August.
And although the most powerful ransomware groups are believed to operate out of Russia, other countries, including North Korea and Iran, are also big players, and cybercrime from those countries is even more concerning. America has significantly less diplomatic influence over North Korea and Iran than over Russia. Both North Korea and Iran are already subject to extensive US sanctions, so gently asking, or even sternly urging, them to stop ransomware groups just won’t work.
Purely defensive strategies will also fall short. Cybersecurity expertise is expensive and in high demand in the United States. It is unrealistic to expect that every American hospital, school, fire department and small business can defend itself against highly sophisticated criminals. The task is too big.
Instead, a comprehensive anti-ransomware strategy should make it harder for criminal groups — and the nation states that may support them — to carry out attacks. An aggressive campaign would target the basics of ransomware criminals’ operations: their personnel, infrastructure and money.
The United States is capable of such successful campaigns. In 2015, US intelligence and military professionals established Task Force ARES and launched a cyberwarfare campaign against Islamic State as forces on the ground continued to drive insurgents out of Syria and Iraq. The digital operation targeted ISIS personnel with disinformation, disrupted their networks and locked them out of their servers and web accounts. Within six months the task force had significantly disrupted ISIS’ online activities and reduced its media operations to a shadow of their former selves.
The United States should build on the Task Force ARES model and focus on the technical and financial infrastructure of ransomware criminals. Such a campaign could reveal personal information about the perpetrators, shut down the ransom payment servers they use to carry out operations, seize their cryptocurrency wallets, and perhaps even introduce subtle bugs into their code that allow victims to unlock their data without paying a ransom.
Coupled with more aggressive law enforcement actions and threats of serious sanctions, this kind of offensive strategy is America’s best bet to disrupt the onslaught of attacks coming from states more or less immune to diplomatic pressure.
The United States should also strive to undermine the financial model of ransomware, which mostly relies on payments through anonymous cryptocurrency wallets. Again, this is something America already knows how to do. After the May ransomware attack on Colonial Pipeline, which shut down 5,500 miles of pipeline along the East Coast, federal officials were able to recover most of the ransom paid in cryptocurrency.
The European Commission has recently proposed regulations that would impose certain identification requirements on cryptocurrency payment systems. This is especially important because cryptocurrencies allow ransomware criminals to collect payments anonymously, reducing their chances of being tracked down by law enforcement. US intelligence and law enforcement agencies should push for similar changes.
Critics of this aggressive approach caution that it threatens to cause a dangerous escalation of violence between countries. But based on the evidence available so far, countries rarely retaliate against cyberattacks with much greater force. A survey of incidents and responses between 2000 and 2014 found that cyber rivals tend to focus on stopping or slowing down the intrusion rather than escalating a confrontation. Even if there is an escalation, I think it’s a risk worth taking.
In the short term, the Biden administration is right to bolster the federal government’s defensive capabilities and encourage private companies to do the same. But the United States must recognize that it cannot defend its way out of the ransomware problem.