The US government is setting out on the warpath to dismantle the digital finance infrastructure that supports ransomware cyberattacks, with guidelines on preventing and imposing sanctions on ransomware payments expected to be laid out this week and wider anti-money laundering measures by the end of the year.
The Treasury Department has been concocting heavy sanctions designed to prevent hackers from using digital currency to profit from ransomware attacks, which the government considers “a serious national security threat.”
In Spring this year, high-profile ransomware attacks caused the shutdown of a major US fuel pipeline, disrupted a top meat supplier, and infected scores of smaller and midsize organisations.
These and other crippling attacks on government agencies, utility companies, and healthcare organisations during the coronavirus pandemic have led to calls for sweeping policy and legal changes to combat the booming criminal activity.
In June, two US senators sent a letter to the White House demanding to know what the administration was doing to address the ransomware threat to the country.
Amid these mounting pressures, the Treasury Department plans to unveil sanctions as early as this week.
Expected is a new set of guidelines to businesses on the risks associated with facilitating ransomware payments, bolstered by fines and other penalties. New anti-money-laundering and terror-finance rules are also to follow later this year – all measures aimed at limiting the use of cryptocurrency as a payment mechanism in ransomware attacks and other illicit activities.
Hackers getting bolder, demanding bigger ransom
Ransomware is a type of malware (malicious software) that attacks a computer system by restricting the users’ access to files. It does so by encrypting the data with a key known only to the hackers who deployed the malware, until a ransom is paid.
After the users’ data is encrypted, the hackers direct the users to pay a ransom (usually in a cryptocurrency, such as Bitcoin) in order to receive the decryption key.
In some cases, hackers may deploy ransomware that also destroys or exfiltrates (i.e., moves) data – or they may use ransomware in conjunction with other malware to steal or wipe out data.
The ransom demanded by the hackers, often criminal groups believed to reside in Russia, has grown steadily larger, now reaching into tens of millions of dollars, making the racket one of the most lucrative con games to date.
Government urging victims not to pay ransom
In the crosshairs of the Biden administration is the digital finance ecosystem of traders, exchanges, and other players or elements that have allowed debilitating ransomware attacks to proliferate in recent years.
The strategy is to conduct surgical strikes, singling out specific targets, rather than blacklisting the entire crypto infrastructure where ransomware transactions are suspected to take place.
The sanctions being mulled by the Treasury also aim to deter users from engaging in highly profitable criminal activities – part of the Biden’s administration two-pronged approach that covers both perpetrators and victims.
Cybersecurity experts have pointed out that success in disrupting illicit crypto transactions hinges on the Treasury’s ability to target the digital wallets that receive ransom transactions and the culprit crypto platforms.
These fraudulent crypto platforms help to exchange one set of blockchain coins for another to protect the hackers and the people that own or manage those operations.
Therefore, the Treasury and other US regulatory agencies have been levying penalties and sanctions against individuals and companies facilitating illicit finance through the crypto markets as a warning to others.
The Treasury’s Office of Foreign Assets Control has cautioned victims of attacks, and those acting on behalf of victims, against making ransomware payments, warning they could violate US laws.
Meanwhile, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency has issued similar warnings:
“Paying a ransom may embolden adversaries to target additional organisations, encourage other criminal actors to engage in the distribution of ransomware, and may fund illicit activities.”
Some are calling for extraordinary measures
“Business as usual is not going to work,” Michael Daniel, co-chair of the working group and CEO of the Cyber Threat Alliance, told bobsguide.
“We really need to think about how we can do this differently and what we can change that would actually affect the ransomware ecosystem,” said Daniel, who was a White House cybersecurity official in the Obama administration.
A major hurdle that continues to frustrate US law enforcement officials is that ransomware gangs are often located in jurisdictions that don’t have extradition treaties with the US.
This means efforts at diplomatic level must go hand in hand with other legal and economic measures.
“You go after their infrastructure; you go after their funding. You go after the things that they’re actually relying on that allow them to behave in this way,” he said.
Jon DiMaggio, chief security strategist at cybersecurity firm Analyst Platform, who has studied the cartel-like structure of prominent ransomware gangs, said the scale of their operations and their potential impact means using the strongest legal tools available is necessary.
“If we’re talking about using the RICO Act and those resources, we only do that when we really start to take this seriously. And I think we’re there,” he said.
RICO, the Racketeering Influenced and Corrupt Organizations, is the ground-breaking legislation that helped to disable the Mafia in the US. Over the years, the law has contributed to the dismantling of a variety of criminal enterprises aside from the Mafia.
New legislation aims to treat ransomware attacks as “terrorist attacks”
Given the global scope of the problem, the Biden administration has been trying to internationalise the battle against ransomware.
Late last year, the leaders from the Group of Seven member countries pledged to collectively act against ransomware, denouncing crypto payments in particular.
US officials, including President Biden, have been at pains to point out that the Kremlin may not be directly involved in ransomware campaigns. Nonetheless, they blame Russian President Vladimir Putin for allowing the lawless groups to “permissively” operate within his country.
At a meeting between the two leaders in July, the US President warned that he would take “any action necessary” to defend his country against ransomware attacks emanating from within Russia’s borders.
The summit was followed by bilateral talks between senior US and Russian officials, but those negotiations would have yielded little progress, according to senior administration officials quoted by other media sources.
“There is no indication that the Russian government has taken action to crack down on ransomware actors that are operating in the permissive environment they have created there,” FBI Deputy Director Paul Abbate said last week at an intelligence conference.
In a speech earlier this year, Homeland Security Secretary Alejandro Mayorkas described ransomware as a serious threat to national security, saying:
“Those behind these malicious activities should be held accountable for their actions. That includes governments that do not use the full extent of their authority to stop the culprits.”
A newly proposed legislation in US Congress seeks to treat ransomware as “terrorism,” giving the mainly cross-border shakedown the country’s highest priority.
The bill would punish nations that back cyber attackers and require the President to impose sanctions consistent with those levied on countries that sponsor acts of terror.
UK: ransomware attacks more than tripled in 2020
In the UK, as elsewhere, the secrecy and stigma associated with ransomware attacks makes it extremely difficult to calculate a true picture of the number of attacks and costs.
However, the UK’s National Cyber Security Centre (NCSC), a member of the Ransomware Task Force (RTF), says it handled more than three times as many ransomware incidents in 2020 than in the previous year.
The NCSC, which has issued guidance to help private and public sector organisations, joined major tech companies in April to make nearly 50 recommendations to governments.
Among the recommendation is that governments make it mandatory for victims to report if they do pay criminals.