Fighting Ransomware without Borders

In November 2021, the U.S. Department of the Treasury announced a partnership with Israel to combat ransomware. As ransomware attackers build increasingly collaborative global organizations, it is encouraging to see its defenders collaborating across borders as well. The volume of ransomware attacks, particularly on critical infrastructure, has increased government attention and industry oversight. Even though coordinated law enforcement efforts have stifled ransomware gangs in the short term, there is no reason to believe that ransomware is going away anytime soon.

Ransomware has emerged as one of the biggest cybersecurity threats of the past few years. According to the Ransomware Task Force, there were at least 2,400 ransomware attacks in 2020 and ransomware victims paid $350 million, a 311% increase over the previous year. It will be interesting to see how these statistics change when 2021 draws to a close, considering how many high-profile ransomware attacks have occurred in the past year.

For example, the Colonial Pipeline ransomware attack was arguably the most high-profile ransomware attack of the past year since it caused a week-long service interruption for the energy company, in addition to a nearly $5 million ransom. The attack was conducted by DarkSide, a ransomware gang that claimed, “We are apolitical, we do not participate in geopolitics, do not need to tie us with a defined government and look for our motives.”

Ransomware gangs, such as DarkSide, have evolved during the past few years to become more organized in their operations and more targeted in their attacks (so-called “big game hunting” for greater financial payments). On the dark net, there is a thriving criminal underground of loosely affiliated partners, each with their own roles and responsibilities.

Initial access brokers specialize in stealing access credentials, which they sell to other criminals. Once a victim is compromised, many ransomware gangs offer a support staff that negotiates the ransom or provides instruction on how to make payment. Ransomware-as-a-service (RaaS) has commoditized ransomware attacks for criminals that lack more technical expertise, a dark mirror to the cybersecurity solutions meant to stop them. The point is that ransomware attackers are operating as international organizations that collaborate with criminals around the world.

An International Response

After the Colonial Pipeline attack, the Biden Administration issued an Executive Order on Improving the Nation’s Cybersecurity, which called on the private sector to partner with the Federal Government to foster improved cybersecurity. A month later, in June 2021, the Department of Justice seized back $2.3 million from DarkSide by tracking its payments. DarkSide crumbled beneath the pressure and announced it would be ceasing operations, leading many security researchers to believe that there had been a coordinated takedown of its infrastructure.

President Biden’s Executive Order set the stage for a series of cybersecurity announcements in 2021, including a National Security Memorandum on Improving Cybersecurity for Critical Infrastructure Control Systems, as well as the development of a Zero Trust Maturity Model. The government is urging greater collaboration, but according to a senior White House official, “The point we want to make is: The federal government cannot do this alone. Securing our critical infrastructure requires a whole-of-nation effort, and industry has to do their part.”

In addition to public-private partnerships, the government is also engaging with its allied countries. The recently announced U.S. Department of the Treasury partnership with Israel to combat ransomware stands to benefit both countries, given that ransomware and cyberattacks operate without borders.

Some of the most advanced cybersecurity solutions in the international community have a presence in both Israel and the United States. One reason that Israel produces so many cybersecurity solutions is that national military service is mandatory for all of its citizens; the offensive and defensive cybersecurity methodologies of the Israel Defense Forces have led to the creation of many innovative technologies. Therefore, this new partnership should enable a bilateral exchange of best practices and cutting-edge technologies.

Furthermore, the Israeli National Cyber Directorate recently launched a revamped Cyber Defense Doctrine. This doctrine is based on a common security framework (CSF) from the U.S. National Institute of Standards and Technology (NIST). That means the timing of the partnership between the United States and Israel is ideal to enable an exchange of information, based on Israel’s updated cybersecurity controls, which include specific recommendations to battle ransomware.

As ransomware attacks increase in frequency and escalate to targeting critical infrastructure, this joint task force is charged with preventing ransomware attacks before irreversible damage occurs. Despite the recent success in at least temporarily shutting down REvil, BlackMatter, and DarkSide, it should be expected that these groups will return with renewed vengeance, and that new groups will emerge to fill the void, including powerful nation-state-backed threat actors.

Considering the nation-state aspect of ransomware attacks, this joint task force also has the potential to disrupt the funding of international terrorist organizations and other hostile entities. There are already many established international intelligence-sharing programs in place, so this new task force represents an opportunity for defenders to “shift left” by cutting off ransomware as a source of funding for terrorism and other oppressive regimes.

In cybersecurity, there is no “silver bullet” that can protect organizations, which is why collaboration is so important. Encouraging collaboration between industry and government around the world creates greater synergies, so that these organizations have the best countermeasures to protect their operations. As ransomware attackers continue to advance their operations, it is imperative that critical industries advance their protection as well.
