Ransomware attacks reportedly dropped by almost a quarter globally over the first half of the year. International sanctions against Russia have been identified as contributing to the downturn in activity, suggesting that effective prevention of cyber extortion may be achievable through international cooperation against the criminals who carry out the attacks. Until now, proposed countermeasures have largely focused on stemming the flow of ransom money following an attack, either by banning ransom payments or the cryptocurrencies used to pay them.
Ransomware is one of the biggest cyber threats to business and public organisations. Defined as the deliberate blocking of computer systems until a ransom demand is met, it has become a huge criminal enterprise in recent years, causing billions of dollars’ worth of losses in the US alone with substantial disruption to critical infrastructure – American organisations are the prime target of ransomware perpetrators.
With their operations and reputations at stake, targeted companies and organisations have tended to pay the demands hackers make in order to decrypt their computer files. In the first half of 2021, ransomware payments in the US amounted to $590 million. An unprecedented attack on major fuel supplier, the Colonial Pipeline, closed down much of its network for several days.
Such incidents have concentrated minds in the Biden administration, not least because most ransomware attacks emanate from Russia, which is suspected of shielding or even sponsoring the groups responsible for them. In July last year, the US president hinted at possible retaliation if his Russian counterpart failed to crackdown on Russian cybercriminals.
The US Treasury subsequently urged companies to bolster their cyber defences and stepped up its own counter-measures, sanctioning ransomware actors and virtual currency exchanges that convert ransoms into fiat currency. The list of cyber-related designations is extensive, and federal finance officials have warned of the sanctions risks of making and facilitating extortion payments. At the same time, proposed US legislation that would penalise countries sponsoring ransomware attacks is being considered by Congress.
As the war in Ukraine broke out, there was concern that Moscow might employ its cyber-criminal proxies to intensify ransomware attacks, but in fact over the first half of the year there was a 23 per cent decrease in such attacks worldwide, according to the US cybersecurity firm SonicWall. The decline coincided with the US and its allies escalating sanctions against Russia in response to the Ukraine conflict, including sweeping financial penalties, such as the removal of key Russian banks from the SWIFT international financial transaction system.
In late May, National Security Agency (NSA) director of cybersecurity Rob Joyce told a security conference in the UK that sanctions had played a part in a decline in ransomware incidents by making it harder for cyber criminals to process ransoms and purchase the technology required for attacks. He said another reason for the downturn in attacks was likely improved awareness and defensive measures by US businesses – American officials renewed their calls for companies to boost cybersecurity protection on the eve of the Russian invasion of Ukraine.
This suggests that sanctions that frustrate ransomware actors’ ability to move money around in concert with greater public and private sector focus on countering their attacks are viable means of preventing cyber extortion. Proposed prevention measures to date have largely focused on banning the predominant method of ransom payment, cryptocurrencies, and prohibiting payments altogether.
Some jurisdictions have either banned or restricted cryptocurrencies because of their association with crime, speculative investment, and the threat they pose to financial policy. Others recognise their utility and potential – and would prefer to carefully regulate the technologies without stunting the innovation and enterprise they represent. Indeed, many countries are exploring or have even launched central bank digital coins, pegged to the value of their respective fiat currencies.
In truth, cryptocurrencies are decentralised, borderless, and almost impossible to regulate or control. A ban on them would probably only succeed in shifting more digital transactions onto the dark web, making it harder to detect sanctions-breaking and encouraging the use of cryptocurrencies by criminals.
Moreover, a ban would almost certainly not succeed in stopping ransomware attacks, which predate cryptocurrencies anyway. Criminals would almost certainly just find another way to receive funds. What’s more, a ban would also deny law enforcement a promising means of tracking down extorted funds. Advances in blockchain investigative techniques mean that payments in bitcoin and other cryptocurrencies can be traced. The pseudonymity of cryptocurrency transactions that has allowed organised crime to evade the ‘follow the money’ investigative strategy is gradually being undermined.
Prohibitions on ransomware payments, meanwhile, seem at first sight to be a more realistic option. But with companies and organisations facing severe operational disruption, and consequent reputational and commercial damage when their networks are compromised, some corporate decision-makers might feel they have no option but to pay ransoms (most are undisclosed anyway), possibly with less traceable privacy coins and from jurisdictions without strict legal controls.
The probability of that happening has been raised by the emergence of ‘double extortion’ attacks, where cyber criminals up the ante by threatening to release confidential information – exfiltrated from a computer system before it is encrypted – if victims refuse to pay up. If even relatively small numbers of ransomware victims are prepared to risk making illegal payments, then hackers will have reason to continue their extortion activities, as profits are potentially so large.
A debate around countering ransomware attacks is vital and urgent given its global financial and disruptive effects. Proposed bans on payments and cryptocurrencies are unlikely to turn the tide against cyber extortion, even if they can make a contribution in a limited fashion. On occasion they may even be counterproductive. Like so many legal matters involving cyberspace, without coordinated international measures it is often a simple matter for adversaries to move operations to a non-cooperative jurisdiction and carry on their activities.
The recent decline in ransomware attacks suggests that targeted sanctions, consistently and internationally applied, may degrade the ability of cybercriminals to mount ransomware operations because they are denied ‘real world’ operating capability. These are lessons that may be applied against other jurisdictions in which international cybercrime is highly active. But the most significant factor in preventing ransomware attacks will continue to be effective institutional cyber security, which remains the responsibility of the data holder to invest in and maintain.
David Claridge is the CEO of the geopolitical and security intelligence service Dragonfly. A commentator on security and intelligence issues, David holds a PhD in International Relations from the University of St Andrews.
The views expressed in this article belong to the authors alone and do not necessarily reflect those of Geopoliticalmonitor.com