In the past 10 years, ransomware has become inescapable. All kinds of institutions have been targeted, from the schools children go to, to fuel and medical infrastructure. A report from the US Treasury estimates there were over half a billion dollars in ransomware payouts in the first half of 2021 alone. Law enforcement has struggled to get a handle on the situation, with many groups operating for years with no apparent fear of repercussions.
This year, federal law enforcement decided to try something new. In April, the Department of Justice created the Ransomware and Digital Extortion Task Force in a move to prioritize the “disruption, investigation, and prosecution of ransomware and digital extortion activity.” The task force is supposed to help share information between DOJ departments, as well as work with outside and foreign agencies. In the months since, it’s made some impressive prosecutions, but they’re just a sliver of the overall activity — and the bigger picture remains maddeningly unclear.
One of the first publicized wins for the group came in June, when the Department of Justice said the group was handling the case of an individual alleged to be partially responsible for the malware suite known as Trickbot, which could help expose a system to a ransomware attack. Days after that announcement came an even bigger win: the DOJ announced it had seized back $2.3 million of the $4.4 million ransom paid by oil company Colonial Pipeline, and that the task force had coordinated the efforts. Then, in October, its biggest win yet — the arrests of a few alleged members of REvil, a hacking group, by European police forces, and the seizure of over $6 million in funds the department says were linked to ransomware payments.
Still, the sheer volume of attacks means a handful of prosecutions is unlikely to make a difference. Prosecutors need the threat of law enforcement action to scare criminals away from ransomware — and some experts say the scheme is still too lucrative for criminals to give up.
Hackers “prefer to take the risk instead of leaving this lucrative malicious activity behind,” according to Dmitry Bestuzhev, a researcher at cybersecurity company Kaspersky. “So what they try to do is to learn from others’ mistakes and improve their opsec, but there is no evidence they feel intimidated and want to quit.” Bestuzhev says they’ll continue to re-form groups, even as the government works to shut them down — “even with the successful arrest we have recently witnessed, many ransomware groups are just here to stay.”
But not everyone agrees with Bestuzhev. John Fokker, the head of cyber investigations for McAfee Enterprise Advanced Threat Research, is more optimistic that the task force is starting to change the outlook for criminals. For years ransomware “had been relatively untouched,” not getting too much attention from governments, Fokker told The Verge. Now that the task force was starting to crack down, he says, “what used to be a safe space isn’t a safe space anymore. There’s beginning to be an atmosphere of distrust.”
The attention from the task force has also been affecting ransomware groups’ ability to advertise to potential customers, the ones who often use their malware to infect targets. In a blog, Fokker discussed how cybercrime forums have become hesitant to play host to ransomware operators, banning them from advertising in the wake of the Colonial Pipeline attacks. Forum administrators, when they offered an explanation for the decision, said that ransomware was attracting a lot of unwanted attention — as one admin put it, according to The Record, the word “ransom” was now associated with “unpleasant phenomena — geopolitics, extortion, government hacking.” Another forum had a cheekier explanation for why it was banning posts about ransomware: “if it ran somewhere, then you should probably go catch it?”
Losing the ability to advertise on forums cut off the groups’ easy access to customers, made it harder for ransomware creators to get in touch with the affiliates making them billions of dollars, and made the contact that does happen riskier on both sides. Transferring money or giving demos becomes harder when there’s not a (somewhat) trusted third-party platform to help mediate. That, along with bounties of up to $10 million, has started to create “little cracks in the model,” says Fokker. He even mentioned an instance where an affiliate, angry with what they considered to be a meager payout, posted a ransomware group’s entire playbook. “That kind of environment hurts business,” he says.
The task force has also been helping the people on the other side of ransomware: the companies and organizations that are targeted by it. Government agencies have been working together to keep industries informed about what actions they’ve taken against ransomware operators, and to issue guidance to help keep companies safe. “The Department of Commerce, Department of Treasury, State, Homeland Security, and Defense, all of them have taken a very clear, concrete action on ransomware actors to disrupt and each of them have their own press release and their own guidance,” says Vishaal Hariprasad, CEO of cyber-focused insurance company Resilience.
When asked to grade the government’s actions, he says, “I would actually give the government an A for what they’ve done in the past 90 days. I think it’s been pretty incredible to see that we’re actually taking action, we’re taking the fight to the bad guys with disruption, with arrests, with warrants, sanctions, the $10 million bounty for any information.”
Hariprasad says while the government had carried out similar actions in years prior, the publicity was a boon to victims. “I think the task force has helped coordinate it, but coordinating in the back end where nobody can see isn’t valuable. It doesn’t have the motivating psychological impact unless you can talk about it ... the government’s always been doing things, it’s just never been able to publicly talk about it in a clear and concise, coordinated way.”
Still others are optimistic that the task force can have an impact if it keeps up its legal actions. “As long as there is a sustained effort against these somewhat decentralized and shifting crime gangs, this isn’t just ‘whack-a-mole,’” says Kurt Baumgartner, principal security researcher at Kaspersky, echoing Fokker’s optimism. “While we are seeing the resurrection of certain parts of the ransomware-as-a-service chain in response,” Baumgartner thinks the “coordinated anti-ransomware efforts are just the start. It is great to see evidence of some ransom payments clawed back, decryption keys obtained, communications infiltrated, successful multi-national law enforcement efforts.”
In particular, Hariprasad thinks massively disruptive attacks could become less frequent. “I think you’ll still have the one or two major coordinated campaigns that will be very sophisticated,” he says. “But as they get a lot of attention and people start focusing on them, you’ll see that happen less, and the younger or the less sophisticated operators will continue to get back to the lower end of the ransoms and just kind of go for quantity over quality.” Better to collect a few $50,000 ransoms without making headlines, the thinking goes, than to bag $40 million and have law enforcement kicking down your door.
It’s hard to say which of the task force’s tactics will end up having the greatest effect, and there’s always the possibility that things get worse before they get better. If ransomware operators wind up desperate, they could end up going after a massive target, in a Hollywood-style “one last job” scenario. Ransomware could also become a more manageable annoyance, as hackers look for the next big cash cow, one that the world’s governments aren’t paying as much attention to. Or attackers could get creative and start developing entirely new ways to make trouble.
Cybersecurity is always a cat-and-mouse game, and the incentives to hack big companies won’t be going away — but as Hariprasad told me, “a big part of deterrence is making sure they understand that there are repercussions to their actions and that the government is actively doing something.” On that point, at least, governments seem to be making progress.