No easy solutions to the ransomware threat despite takedowns

As ransomware attacks surge, surpassing a record high of $1.1 billion in ransom payments in 2023, the US and UK governments and a wide array of international law enforcement partners are stepping up their efforts to disrupt, take down, or otherwise interfere with ransomware threat actors. In January 2023, the US Justice Department announced it disrupted the Hive ransomware group. In conjunction with German law enforcement and the Netherlands National High Tech Crime Unit, the department seized control of Hive’s servers and websites to communicate with its members, disrupting Hive’s ability to attack and extort victims.

In August 2023, the Justice Department announced a multinational operation involving actions in the United States, France, Germany, the Netherlands, the United Kingdom, Romania, and Latvia to disrupt the botnet and ransomware known as Qakbot and take down its infrastructure.

More recently, concerted actions by law enforcement to address the ransomware threat have targeted two of the most prolific and damaging groups. In December 2023, the Justice Department announced a disruption campaign against the ALPHV/BlackCat ransomware group and offered an FBI decryption tool to 500 victims.

Last month, the UK National Crime Agency’s (NCA) Cyber Division, working in cooperation with the Justice Department, Federal Bureau of Investigation (FBI), and other international law enforcement partners, announced they had disrupted the LockBit ransomware group’s operations by seizing numerous public-facing websites. They also made available decryption capabilities to enable hundreds of victims to restore systems.

Cybersecurity experts agree that, although necessary, these actions are unlikely to reduce the frequency of ransomware attacks permanently. They also agree that there are no easy solutions for effectively addressing the ongoing ransomware threat in the near term.

What’s behind the recent surge in ransomware takedowns?

Like any organized crime wave, ransomware attacks have commanded the attention of law enforcement authorities. However, the latest actions to take down big-ticket ransomware groups such as ALPHV/BlackCat and LockBit represent an evolution in law enforcement capabilities to address the ransomware epidemic.

“The number of high-profile takedowns seems to have accelerated,” Ciaran Martin, leader of the SANS CISO Network and founder of the UK’s National Cyber Security Centre, tells CSO. “There are two explanations for that. One is that they’re putting a lot more effort into it. The other is they’ve been a bit more successful than previously.”

Beyond that, “There are two reasons why law enforcement takedowns are more prominent,” Martin says. “One is cybercrime. Ransomware is far more prominent as a threat to us, causing real observable harm, particularly in areas where human safety is at risk, like healthcare. Secondly, takedowns are something we can do. We can’t arrest them. We can talk about this being a crime and send the police after them, but we can’t do that. [Takedowns are] something we can actually do.”

“The law enforcement actions are certainly getting faster,” Jon DiMaggio, chief security strategist at Analyst1, tells CSO. “I think some of that is just sort of that repetitiveness of where they’re beginning to understand the static steps, meaning the aspects of it that don’t change, like infrastructure and things related to that. They’ve also been doing a lot of outreach with the private sector over the past year or two. That has to help them immensely because, at the end of the day, the private sector has most of this data and information on these groups.”

Bob Kolasky, senior vice president of critical infrastructure at Exiger and the founding director of CISA’s National Risk Management Center, credits the Biden administration’s increased focus on taking down ransomware actors for the recent surge in activity. “I think it’s fair to say that the government has gotten more aggressive at going after perpetrators and ransomware gangs,” he tells CSO. “The administration has tried to put a full range of its capabilities to go after the ransomware risk, disincentivize ransomware, and take down criminals. And I think the administration has made a strategic shift to be more aggressive in dealing with this issue and to try to push back on the trend of increased ransomware.”

How effective have the disruptions to ransomware groups been?

Despite the takedowns and disruptions, ransomware groups are resilient and can quickly shapeshift into new guises even after significant law enforcement takedowns. ALPHV/BlackCat rebounded after its December takedown to attack Change Healthcare and likely walked away with $22 million in ransom, stiffing its affiliates in the process.

Even after LockBit’s February takedown, which law enforcement authorities made particularly humiliating by replacing its leak site with a wall of shame, the gang, or at least its leader, LockBitSupp, put up a new leak site and unsuccessfully attempted to extort a ransom payment from one of its victims, Fulton County, Georgia, in the US.

Despite these seeming revivals, DiMaggio thinks these groups have suffered a “psychological impact” and are facing severe reputational damage, particularly among affiliates. With LockBit, law enforcement “actually went through all the data, repurposed the entire website to send a message to those who log in, and each affiliate hacker who logged into the panel would get their own personalized message with whatever the alias they used to access the panel, with law enforcement telling them they’ve been tracking their logs, seen their communications with victims and with Lock bit and they’ll be seeing them soon,” he says. “In the back of their minds, they’re thinking: Should I continue to work with LockBit when they stand up a new server a week from now?”

DiMaggio has been communicating with LockBit leader LockBitSupp. He says LockBitSupp routinely posts little cat stickers in his chats. When law enforcement took down LockBit, they posted a cat sticker icon on the seizure page. That sent a message to affiliates that “not only have we been here, not only have we seen your logs, but we know who you’re talking to, and we know the conversations, and we read them. All of that has had an effect because while LockBitSupp is back, his reputation is significantly damaged.”

Even with this kind of reputational damage, ransomware groups will resurrect themselves sooner or later so long as their Russian leaders remain free and protected from extradition by the Kremlin. Adam Meyers, senior vice president of counter adversary operations at CrowdStrike, tells CSO, “The big challenge I think that we start to see is one, how effective are these disruptions when they’re not also paired with an arrest? If you go back historically, we’ve seen some disruptions with no arrest, and the botnet operator, the threat actor, basically spun back up. Kelihos is a good example, where there was a Kelihos takedown every couple of months. But it kept coming back until 2017, when Kelihos was disrupted, paired with an arrest of Peter Levishav, the main operator of that botnet. And that’s when you saw that botnet finally go away.”

For however long Russia, where many ransomware groups are located, protects the threat actors, they are unlikely ever to be arrested. “There are two strategic problems that we have to face up to with ransomware,” Martin says. “One is almost unsolvable for as long as Putin is in power, or at least for as long as there’s no political change in Russia, which is that Russia is a safe haven. As long as a big country with lots of clever hackers like Russia is willing to host this crime, you’re going to have a problem. The second problem, which I think you can tackle, is the ransomware business model. It works in favor of the criminals quite a lot of the time. People pay, and then they come back for more.”

Tackling the ransomware business model

In his personal policy position on ransomware not affiliated with SANS or any other group, Martin advocates banning ransomware payments altogether as the current best option for addressing the scourge. “We allow people to pay because they panic and are in a really difficult position. They don’t understand what’s going on,” he tells CSO. “I think governments have been very quick to have really tough policies on ransom payments for terrorist kidnapping and so on to make sure that Al-Qaeda and ISIS and all these horrific groups don’t get access to funds. But they keep saying without any serious analysis, at least in the public domain, ‘Oh, a ransomware ban would be too difficult.'”

However, some cybersecurity experts disagree that banning ransomware payments is a good option. “I don’t think [banning ransomware payments is] going to have the impact that people think it will,” Meyers says. “I’ve talked to a lot of companies that were victims of ransomware, and that was their only option. They would’ve either been out of business, and there would’ve been people out of work and people out of having services that they needed because of not being able to pay the ransom. Our guidance is usually not to pay the ransom, but sometimes organizations don’t have a choice.”

DiMaggio thinks that a ban would work but argues that there “would be massive loss economically because it would go from a ransomware attack to a sabotage attack because you’re no longer able even to have the possibility to decrypt your systems or pay for [stolen] data not to be posted. We would bleed out for a while, but then it would just stop because you’re not going to want to work 40-hour weeks doing what you consider to be your job, whether it’s a crime or not if you’re not getting paid.”

Martin says, “I think a ransomware ban tomorrow on its own would be too difficult,” but it’s a policy choice that a proper government mechanism should support. “British healthcare gets hit by ransomware much less than American healthcare. Why? Because British healthcare is publicly run and state bodies will not pay. Why can the National Health Service afford not to pay? Because if it does get ransomware, it gets the wider support of the state.”

Good cybersecurity is always a defense

Aside from banning ransom payments altogether, the only solution to fending off ransomware attacks is to practice good cybersecurity risk management and hygiene practices. With ransomware, the key “thing is backups and operability of backups because if it’s just the availability of service that they’re extorting you for, if you can get backups and run from a backup system, then that’s worthless [to the ransomware attacker],” Martin says. “I think every organization needs to work out particularly more critical issues, such as what would happen if I lost access to the system and what could I do to get back together relatively quickly.”

“The other areas where we could get better are preventing, defending, and having a proactive approach to it,” DiMaggio says. “Granted, it’s not going to stop it, but if the day you’re first impacted by ransomware is the first time you’ve come up with a plan of how to respond, you’re going to be in trouble. And a lot of companies are like that.”

Meyers thinks that “as long as people are still not taking security seriously and they’re not investing in this stuff, they’re going to continue to have these same outcomes. These threat actors are doing this because it’s easy money. Until we raise the barrier, raise the cost for these threat actors, and it’s no longer as easy for them to make money off this as it is today, they’re going to keep doing it, and if they get disrupted, they’ll build again.”