National security is more than war or physical conflict. Anything that directly affects economic stability and economic capacity is also part of national security, including ransomware attacks.
This year’s ransomware attack on Colonial Pipeline is a clear example of how ransomware attacks can damage most of the economy. Whether the cyber attackers intended to disrupt the flow of gasoline on the East Coast of the United States is not even the point. The important thing is that they did, which led to panic buying and shortages at gasoline pumps.
“Network outages are one of the biggest threats to the economy,” said Marcus Fowler, Darktrace’s director of strategic threats. He added that ransomware attacks may have a “snowball effect”, elevating them from independent incidents to national security issues.
It does not help that the widespread availability of malware toolkits and ransomware-as-a-service lowers the barrier to entry for criminals, who are increasingly successful at targeting large organizations in various industries and are demanding higher and higher ransoms.
The government takes action
But recent actions by law enforcement and federal investigators have made the operation of these groups more difficult and expensive. In fact, Fowler said, simply designating something as a threat to national security shows that the government is prioritizing the issue.
Some operations involve taking resources away from cyber attackers. This fall, the FBI compromised the servers used by the group behind the REvil ransomware and forced the group offline. In the past few months, law enforcement officials have also arrested several perpetrators. These included the arrest of a Ukrainian national who was involved in the attack on Kaseya, and the arrest of multiple ransomware operators who used GandCrab and REvil-Sodinokibi in their business.
In addition, a global law enforcement operation involving the French National Gendarmerie Cybercrime Center, Ukrainian National Police Cyber Police Agency, FBI Atlanta Field Office, Europol and Interpol arrested two operators, seized $375,000 in cash, and froze about 1.3 million U.S. dollars in cryptocurrency.
Last but not least, the U.S. Department of Justice successfully recovered $2.3 million in bitcoin that had been paid to the attackers who targeted Colonial Pipeline.
For some ransomware operators, these arrests, takedowns and recovery efforts are enough to persuade them to shut down and avoid prosecution. Others become more resilient. Regardless, this pressure is necessary, Fowler said, noting that this is a “resource game.” The purpose is to convince operators that the return from ransoms is not worth the time and effort of continuously building infrastructure and adopting new methods to evade detection and capture.
“If we put them in a position where it takes resources to stand up [architecture] and recruit new members, will this delay what the threat actor is trying to do?” Fowler asked.
The government’s pressure on cryptocurrency exchanges and its sanctions on some entities will not end ransomware, but they do hinder attacks.
“Anything that makes it harder for them to complete their work, they have to put more thinking or more effort into infrastructure or how to get paid, that is time they don’t spend ransoming [someone],” Fowler said.
Although the pressure campaign is important, it should not be considered more important than investing in defense resources and preventing ransomware. Dealing with ransomware requires better defenses and improved responses.
“You have to put pressure on them [attackers], while trying to make sure that your defense is good enough so that you can minimize damage during an attack,” Fowler said.
Unlock defense resources
Fowler said that although some people may think that treating these attacks as national security threats means more offensive actions, such as attacking ransomware operators, the more important effect is that it unlocks resources that would otherwise not be available. As funding increases, the government can establish working groups and other support structures and allocate more people to solve these problems.
Elevating cybersecurity to a national security issue also makes it easier to work with international partners, which is crucial because attacks usually cross national borders, and attackers, victims, and infrastructure are usually located in different countries.
“National security threats need to be translated into better defense priorities and active activities, not just chasing them,” Fowler said. “To gain a strategic advantage in the network, you need to be able to defend better.”
Fowler said that “a silver lining” of the current surge in ransomware attacks is that the national dialogue now includes cyber security and defense. Cybersecurity experts are somewhat concerned that a major, multi-day disruptive network outage will be required before defense can be properly prioritized. For example, the Infrastructure Act passed this year has funds dedicated to cyber security.
“When you prioritize cyber security defense, you are actually defending more than just ransomware,” Fowler said.
To reduce the number of ransomware attacks, this pressure campaign needs to be combined with companies’ continued investment in defense, response, and recovery.
“With ransomware participants unable to get that much ransom, defense will change the rules of the game,” Fowler added.