The Biden administration will host a global coalition of multinational government security leaders from 50 nations in Washington, DC, next week, where they will discuss cyber threat intelligence sharing and encourage non-payment policies regarding ransomware and data extortion attacks.
“There isn't a global norm today around, ‘Should ransom payments be made during a cyberattack?’” The Record reported Anne Neuberger, the deputy national security adviser, as saying.
“And I think what we're saying is, yes, we could ideally bring this to a U.N. process for a new norm or we can try to work it in this more purpose-built international partnership to start establishing that norm ... we're seeing it takes quite a bit of negotiation to get there because there's such a diversity of members.”
Takeaway: Strengthening international cooperation in regard to threat intelligence sharing and the development of policies to undermine the financial incentive for ransomware and data extortion attackers is certainly welcome news, but will these initiatives actually work to diminish the threat from ransomware attacks? No, not likely at all.
While we have seen some scattered arrests of ransomware affiliates and other low-level threat actors in the space on occasion, overall law enforcement actions have had very little impact in regard to disrupting ransomware operations – they simply rebrand and spin up new operations.
That’s because the one thing the most notorious ransomware gangs have in common is their ties to Russia and the Putin regime. We know that the most active ransomware gangs are closely aligned with, if not directly controlled to a degree by, the Russian government and its intelligence apparatus.
This overlap of cybercriminal activity with nation-state-supported operations we see with the Russian ransomware model conveniently allows for plausible deniability for Putin when attackers are directed or allowed to hit targets that have geopolitical significance.
The Russians need to be very cautious about how they conduct such attacks so they don't trigger an international incident that would elicit a direct response from the US or its allies.
Using ransomware gangs as a proxy to conduct the attacks in order to maintain plausible deniability and thwart attribution is the strategy here. This is one of the key reasons cyber operations have become such an important aspect of larger geopolitical issues - attribution is hard.
The US and allied governments are in a tough position regarding what actions to take to stem this wave of ransomware attacks, namely because there is so much ambiguity in determining root attribution for the attacks.
Law enforcement actions against criminal elements are necessary, but even when these threat actors are arrested, there is quickly someone to take their place. Ultimately, it's the Russian government that is both providing safe harbor for criminal elements conducting ransomware attacks with impunity and is very likely influencing some of their targeting.
Until the US government directly sanctions the Putin regime for their direct or tacit support, we will not see this spate of ransomware attacks abate any time soon. It's only a matter of time before we see another massively disruptive attack against a critical infrastructure target, and by then it will be too late to act.