Will $10 million bounties, executive orders, and sanctions solve the ransomware problem?
Posted by: Gary Brickhouse
Published 8/31/21 12:00PM
Looking back at cybercrime fifty or one hundred years from now, most historians will likely agree that you would “never find a more wretched hive of scum and villainy” than in the 21st-century world of ransomware. In the last year alone, we’ve seen patients with life-threatening illnesses denied health services, children prevented from attending school, and fuel distribution along the entire U.S. eastern seaboard disrupted, all because some nefarious individuals decided they’d prefer to make their living by hijacking computing systems and extorting money.
Ransomware has quickly become a global issue, with ransomware criminals acting with impunity and little to no risk attached to their activities. Complicating the matter is the fact that many, if not most, of these criminals operate from countries that show little interest in prosecuting cybercrime directed at targets abroad. In addition, the increasing proliferation of cryptocurrencies like Bitcoin and Monero adds to the complexity by letting criminals collect payment and launder proceeds without the banking intermediaries that would otherwise leave a money trail.
In an attempt to curtail this in the United States, the Biden Administration recently announced the formation of a cross-government task force to coordinate both offensive and defensive ransomware measures. In addition, the administration is reportedly exploring partnerships with cyber insurance providers and critical infrastructure businesses to share information about ransomware attacks more quickly.
In conjunction, we have seen other efforts from security professionals, policymakers, and elected officials trying to address the ransomware problem from their respective platforms. So far, ideas range from a federal policy barring ransom payments, to implementing cryptocurrency regulation, adopting global frameworks around preparing for and responding to ransomware attacks, and even establishing bounty programs.
Can’t we just keep paying?
In October 2020, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) warned organizations that “Ransomware Payments with a Sanctions Nexus Threaten U.S. National Security Interests” and “Facilitating Ransomware Payments on Behalf of a Victim May Violate OFAC Regulations.”
The OFAC advisory further warned that OFAC may “…impose civil penalties for sanctions violations based on strict liability, meaning that a person subject to U.S. jurisdiction may be held civilly liable even if it did not know or have reason to know it was engaging in a transaction with a person that is prohibited under sanctions laws and regulations administered by OFAC.” In practice this means a victim (or the incident response firm, insurer, or payment broker acting for it) cannot rely on not knowing who is behind the ransom demand; screening the wallet address and attacker identity against the OFAC Specially Designated Nationals list before any payment is now part of due diligence.
Whether this approach will work is open to debate, and some have proposed going further with an outright ban on ransom payments. While ransom payments certainly keep the criminals’ lights on, as GuidePoint’s own Head of Threat Intelligence Tony Cook puts it: banning ransom payments in an attempt to prevent ransomware would be the equivalent of taking your own valuable piece off the board while playing a losing game of chess.
Cryptocurrency – The Great Enabler
With descriptions ranging from “digital gold” to Ponzi and pyramid schemes (and even the World’s First Global Casino), cryptocurrencies are trendy, cutting edge, and decidedly problematic when it comes to ransomware. In fact, many cybersecurity professionals consider cryptocurrencies to be a prominent driving factor in the spread of ransomware, since payments can be made pseudonymously and moved across borders without the intermediaries and identity checks that banks and wire transfers impose. That traceability gap is not absolute: Bitcoin transactions are recorded on a public ledger, which is how the U.S. Department of Justice was able to seize roughly $2.3 million of the Colonial Pipeline ransom in June 2021, whereas privacy-focused coins such as Monero are designed to defeat that kind of on-chain tracing.
With the recent ransomware explosion, elected officials and industry leaders have called for increased regulation or an all-out ban on cryptocurrencies, although the jury remains out on whether this would be an effective strategy. The topic was expected to be on the agenda of the FinCEN Exchange on ransomware that the Financial Crimes Enforcement Network (FinCEN) scheduled for August 2021.
Increased pressure on cryptocurrency exchanges and other intermediaries to comply with anti-money laundering and counter-terrorism financing requirements may also prove effective in the fight against ransomware, since criminals ultimately need a way to cash out.
An international problem
Another significant problem with ransomware is the operating location of many of the criminals, because some countries take a lenient approach to pursuing cybercrime that originates within their borders. For example, in a recent undercover interview, one independent cybercriminal openly admitted that Russia was the best place to work in the cybercrime industry because the Russian authorities and law enforcement were not likely to bother him. The National Security Agency (NSA), the Cybersecurity & Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the United Kingdom’s National Cyber Security Centre (NCSC) recently issued a joint advisory warning that U.S. and foreign organizations were under direct attack by the Russian Main Directorate of the General Staff of the Armed Forces of the Russian Federation (known as the GU or GRU). The GRU unit behind that campaign, the 85th Main Special Service Center (GTsSS), is the same actor the security industry has long tracked under names such as Fancy Bear, APT28, and Strontium.
Cybersecurity professionals and businesses are increasingly putting pressure on U.S. government officials to make countries that harbor cybercriminals pay for their role in perpetuating attacks like ransomware. Recently, the Biden Administration vowed to act against Russia if the Putin government does not crack down on cybercrime activities within its borders. Following the June 2021 summit between the two presidents, the governments are also discussing which targets should be off-limits to cyberattacks; the U.S. presented a list of the 16 sectors the Department of Homeland Security designates as critical infrastructure.
New Framework For the Win?
The Institute for Security & Technology, in partnership with cyber experts in industry, government, law enforcement, and civil society, recently formed the Ransomware Task Force (RTF). As a result of their discussions, in April 2021, the RTF released a comprehensive framework to combat ransomware. The framework calls for:
- Coordinated, international diplomatic and law enforcement efforts that prioritize ransomware and focus on putting pressure on nation-states to cease providing safe havens for ransomware criminals.
- The United States to lead by example and execute a sustained, aggressive, government-wide, intelligence-driven anti-ransomware campaign, coordinated by the White House.
- The establishment by governments of cyber response and recovery funds to support ransomware response and other cybersecurity activities.
- Mandating that organizations report ransom payments and requiring organizations to consider alternatives before making payments.
- An internationally coordinated effort to adopt a framework to help organizations prepare for, and respond to, ransomware attacks.
- Increased regulation requiring cryptocurrency exchanges and other intermediaries to comply with existing laws, including Know Your Customer (KYC), Anti-Money Laundering (AML), and Combating the Financing of Terrorism (CFT) requirements.
While these are all excellent steps in the right direction, this framework presents some concerns that will need to be addressed if we expect to see a positive impact.
First, as a government-led initiative, it will take time and effort to legislate and implement these policies, meaning we may not see the fruits of these efforts for many years to come. Additionally, the plan’s heavy dependence on international cooperation compounds the legislative concerns, and full collaboration may be difficult to achieve given the safe-haven issues covered above. Finally, the fourth recommendation in particular is not likely to be an easy pill to swallow. Due to privacy and disclosure concerns, many companies and organizations may balk at a mandate to report all ransom payments. Organizations have typically not responded well to the idea of government hands reaching into and dictating corporate affairs.
Maybe Bounties Can Help
The United States government has instituted a bevy of anti-ransomware efforts, including the U.S. State Department Rewards for Justice (RFJ), a bounty program with a reward of up to $10 million “for information leading to the identification or location of any person who, while acting at the direction or under the control of a foreign government, participates in malicious cyber activities against U.S. critical infrastructure in violation of the Computer Fraud and Abuse Act (CFAA).” Other government initiatives include the creation of StopRansomware.gov, which includes alerts, news and information, and a page with information on how to report ransomware.
Bounties offered for information leading to the identification or location of cybercriminals are another interesting tool with potential. The reward is certainly large enough to entice an insider to turn on their associates. In fact, this is the third bounty offered by the State Department’s RFJ program: in April, it offered $5 million for information on North Korean government hackers, and in July, it offered two bounties of $1 million each for information on specific Ukrainian hackers. The fact that the RFJ is openly touting a third bounty, in a substantial sum, suggests that the program may be enjoying some success, even if only as a deterrent.
Will any of these solutions work?
The success of these various ideas, regulations, and sanctions remains to be seen. If history has taught us anything, it’s that there is no silver bullet. In the end, the key theme is clear: it will take multiple approaches, tools, agencies, industries, experts, and governments working in conjunction to stop the ransomware crime wave.
Gary Brickhouse
CISO,
GuidePoint Security
Gary Brickhouse, CISO and VP of GRC Services at GuidePoint Security, began his career in the security industry in 2001. Gary is GuidePoint’s internal CISO and is responsible for all aspects of the company’s information security program, including building and maintaining our internal security architecture and control practices. Gary also leads the GRC Services consulting practice, where he is responsible for the development and delivery of GRC service offerings to support our clients. This unique position gives Gary greater visibility into customer needs from an industry services perspective and also as a practitioner addressing the same risks for GuidePoint.
Previously, Gary was the Security and Compliance Architect for The Walt Disney Company, working on a large, multi-year business program where he served as the subject matter expert for compliance, data privacy, infrastructure and application security, as well as securing emerging technologies like RFID. While at Disney, Gary also served several years as the Compliance Manager responsible for the oversight and execution of the parks and resorts’ compliance programs. Before Disney, Gary was an Information Security Specialist at Publix Super Markets, one of the nation’s largest retailers.
Gary is a frequent speaker at industry conferences and webinars, covering a wide array of information security topics. He earned a Bachelor of Science degree from Florida Southern College, holds the Certified Information Systems Security Professional (CISSP), and is an ITIL v3 expert.