How to stop ransomware attacks
At least since Julius Caesar paid 50 talents to a band of Cilician pirates for his freedom, ransom has proved to be a popular and profitable criminal enterprise. In the digital age, it’s wreaking havoc far beyond its immediate victims.
Ransomware attacks, in which gangs infiltrate a company’s computer systems, encrypt its files and demand payment for the key to unlock them, have been surging of late. An attack on Colonial Pipeline Inc. resulted in gas shortages across the East Coast last month. A similar infiltration caused the meat producer JBS SA to shut facilities in three countries. Even the poor operators of the Martha’s Vineyard ferry recently succumbed to digital extortion.
Beyond mere inconvenience, these attacks are imposing serious costs. Last year, victims paid out nearly $350 million to ransomware groups, an increase of more than 300% over the previous year. Attacks on health-care systems alone may have cost $21 billion. As a recent report from a tech-industry research group notes, these attacks are leading to “dangerous real-world consequences that far exceed the costs of the ransom payments.”
Belatedly, the U.S. government seems to be taking notice. Last month, President Joe Biden issued an executive order that attempted to ease information-sharing, secure government supply chains, and bolster defenses in the executive branch. Last Thursday, the Justice Department announced a new effort to prioritize ransomware prosecutions. These initiatives are welcome, but not enough.
An effective defense requires disrupting the extended criminal networks behind these attacks. Increasingly, these gangs operate on what they call a “ransomware as a service” model, in which sophisticated developers write and maintain the malicious code, then rent or sell it to less-skilled “affiliates” who break into victims’ networks, deploy it and collect the ransom. This model works so well that about two-thirds of attacks now use it.
To defeat this approach, the Justice Department needs to get more aggressive. Its recently formed Ransomware and Digital Extortion Task Force, which yesterday announced it had recovered much of the funds extorted from Colonial Pipeline, is a good start. To be most effective, it should dedicate a team of U.S. attorneys and FBI agents with technical backgrounds to long-term cybercrime investigations. Such a team would focus on prosecuting the high-level developers who write and sell malware, dismantling the infrastructure that enables their attacks, and disrupting the cryptocurrency exchanges that process the resulting payments. Kellen Dwyer, a former federal prosecutor, estimates that the cost of such an effort — employing perhaps 10 prosecutors and 20 agents — would be as little as $5 million a year.
Next, the U.S. needs to make clear that harboring ransomware gangs will no longer be tolerated. American diplomats could help by persuading more countries to ratify the Budapest Convention, a treaty that establishes common standards for cybercrime probes. When Biden meets Russian President Vladimir Putin in Geneva on June 16, he should emphasize that abetting these attacks, as Russia has done for years, will trigger economic sanctions. And the Treasury Department should put overseas crypto exchanges on notice that they’re expected to comply with anti-money-laundering and know-your-customer laws, and that they’ll be barred from the formal financial system if they don’t.
Finally, Congress can aid victims of these attacks by establishing a fund to help them recover their systems if they’ve acted in good faith. To be eligible, companies should have to report any attack to the authorities, refuse to pay a ransom, demonstrate that they adhered to federal cybersecurity standards, and agree to invest in specified security improvements. Such restrictions should encourage better cyber defenses across the board, while also cutting off the flow of funds that has made ransomware so attractive in recent years.
Caesar, by the way, tracked down his former captors and crucified them. One needn’t go quite that far. The U.S. government simply needs to ensure that the costs of ransomware attacks far exceed the benefits.