Two years after the international Ransomware Task Force issued 48 recommendations for governments, the technology industry, and civil society to deter and disrupt the ransomware model, there are mixed signs of success.
The FBI scored a stunning win when it infiltrated and decimated the Hive ransomware gang’s IT infrastructure. The REvil ransomware gang was disrupted. Several criminal cryptocurrency laundering operations have been closed. Governments and businesses are increasingly working together to spread the word on defensive and offensive measures. The U.S. issued a national cybersecurity strategy.
And yet there still isn’t a significant, sustained dent in the number of successful attacks.
In recent weeks alone, news has emerged that a new ransomware gang — Akira — has been born, the city of Dallas, Texas was hit, and a California sheriff’s office felt forced to pay over US$1 million in ransom. Researchers at Emsisoft say this year alone, at least 28 U.S. public school districts with 512 schools among them were hit, as well as at least 32 colleges and universities. And according to the NCC Group, thanks largely to the exploitation of a vulnerability in the GoAnywhere MFT file transfer tool by the Clop ransomware gang, there were 459 publicly reported successful attacks in March — the highest of any month in the past three years.
Arguably, it would have been hard to expect that, after two years of offence, cybercriminals would have fled crying. But by the numbers available — and incidents of all kinds are highly under-reported — there are two facts: First, many organizations still aren’t prepared for cyber attacks in general; and second, for that reason ransomware is still profitable.
Perhaps the number of victims paying is down. But according to Coveware, the average ransomware payment in Q4 2022 was US$408,644, up 58 per cent from the previous quarter.
In its second anniversary report issued on Friday, the Ransomware Task Force (RTF) cited research from CrowdStrike that the use of ransomware itself was down 20 per cent in data theft and extortion campaigns last year, “indicating that encryption was becoming less appealing to threat actors as threats of data leaks rise.” Chainalysis, the report adds, said the average lifespan of a ransomware strain in 2022 was 70 days, down from 153 days in 2021 and 265 in 2020.
As of May, 92 per cent of the 48 RTF recommendations have seen some action, with half of them experiencing what it calls “significant progress,” including through legislation and
Still, it had to conclude “ransomware remains a major threat to both companies and civil society, with reports of increasing numbers of attacks against organizations in Latin America and Asia.”
During a day-long series of panel discussions from Washington on Friday, hosted by the Institute for Security and Technology — which commissioned the Task Force — even experts couldn’t say whether the number of ransomware attacks is currently up or down.
“In between,” said David Ring, section chief of the FBI’s cyber division. The agency believes it only hears of 20 per cent of successful ransomware attacks in the U.S., he added.
“We don’t know,” confessed Allan Liska, an analyst at threat intelligence provider Recorded Future. “We think ransomware attacks have seen a resurgence in 2023 after dipping a little bit in 2022 … We don’t have a complete and total picture. And it’s almost impossible to find that out because there are either no [incident] reporting requirements [around the world] or the reporting requirements are so fragmented that it’s really difficult to navigate the maze.”
In 2021 his firm tracked data from 40 ransomware extortion sites. Today, that’s over 150.
Eleanor Fairford, deputy director for incident management at the U.K. National Cyber Security Centre, suspects that her country will see a “return of business as usual” after a calmer 2022.
On the other hand, Valerie Cofield, chief strategy officer of the U.S. Cybersecurity and Infrastructure Security Agency (CISA), said up or down doesn’t matter — ransomware is still a national threat. She hopes attack data will soon improve thanks to the passage last year of the U.S. Cyber Incident Reporting for Critical Infrastructure Act.
In Canada the government has proposed a similar act, C-26, the Critical Cyber Systems Protection Act.
It’s not just data on the number of attacks that’s hard to get. Tracking the number of groups is also difficult, Liska said. Take what he calls ‘FrankenRansomware’: “There’s so much stolen and leaked ransomware code out there from LockBit, Chaos, Conti, et cetera that some of the new variants that pop up are just re-used old code. It makes it hard to identify which groups are doing what.” In fact, he said, LockBit denied it had hit the U.K.’s Royal Mail in January until Recorded Future told them it was their code.
There are promising signs, however. For example, Cofield said CISA’s ransomware vulnerability warning program, which started in February, was able to notify 93 U.S. critical infrastructure providers to patch their Microsoft Exchange servers to close the ProxyNotShell vulnerability. There’s been a 30 per cent uptake in patching that vulnerability, she added.
Reporting to government agencies is a critical element of fighting ransomware, said the FBI’s Ring, but so is information from other companies such as incident response firms. “We need to not just collect our information from the private sector through victim reports but also through collaboration, proactive two-way sharing … With that responsibility, we need to share our risk better — if an issue is hitting your organization, that risk it takes on needs to be shared across government and other responsible parties so we can collectively make a true difference.”
Fairford noted CISA also started what she called a ‘pre-ransomware notification initiative,’ using tips from cybersecurity researchers to warn organizations they are either about to be hit or have just been hit. So far 150 notifications have been sent this year, including 40 alerts to firms outside the U.S. “We were able to help a city in Europe,” she said. “They were able to patch their vulnerability so they weren’t encrypted.”
Unfortunately, panelists agreed, many ransomware victims don’t want to tell authorities they were hit, fearing they will be blamed for allowing data to be lost.
Don’t know where your firm should start its ransomware defence? The Task Force created a free Ransomware Blueprint for small and mid-sized companies. The 40 recommended safeguards were selected not only for their ease of implementation but for their effectiveness in defending against ransomware attacks.
The Blueprint is not intended to serve as an implementation guide, but as a recommendation of defensive actions that can be taken to protect against and respond to ransomware and other common cyber attacks.