The ransomware unicorn
When the final numbers are tallied for 2021, ransomware will pass a grim milestone: Reported payments to ransomware groups last year will top $1 billion, making ransomware the most unwelcome unicorn enterprise. This exponential growth is explained in part by the rise of ransomware groups operating like enterprises — offering ransomware-as-a-service, a business model through which ransomware groups lease their malware to affiliated groups for a fee or a share of the profits.
The nature of threat – as an enterprise rather than an ideology – presents an opportunity. Ransomware groups by and large have shown themselves to be rational actors that engage in cost-benefit calculus, affording the government and private sector levers to change their behavior. If 2022 is to mark an inflection point in the fight against ransomware, we must do more to change the incentives.
First, the U.S. government needs to enforce the red lines it has drawn to protect critical infrastructure. The Biden administration made it clear which targets raise heightened levels of concern when it provided Russian President Vladimir Putin with a list of 16 areas of critical infrastructure that it considers off-limits, including the energy, health care and agriculture sectors.
The only way to obtain compliance with those lines is to raise the costs of crossing them. That includes criminal charges, disruptive cyber operations, payment seizures and arrests of individuals connected to such actions. Earlier this year we saw this kind of decisive action to shutter the REvil ransomware group that was responsible for the Colonial Pipeline attack, among others.
Second, ransomware groups must be denied safe havens. They largely operate out of jurisdictions – in particular Russia – where governments tolerate their activities to the point of complicity. The inaction of those foreign governments means would-be hackers face little risk for perpetrating the next attack. To achieve lasting results, costs must be imposed not just on the individual actors, but also on the governments that fail to hold them accountable.
Although President Biden raised the issue of ransomware in his bilateral meeting with Putin, the United States has not imposed any significant direct costs on Russia or other governments for failing to take action to stem ransomware attacks originating from their jurisdictions. The U.S. foreign policy establishment is appropriately focused on the Ukraine crisis as we start the year, but we should not let that single issue occupy the field when it comes to our foreign policy toward Russia.
The United States should signal foreign policy action connected directly to the issue of ransomware. For example, the U.S. government could expand existing sanctions to prohibit U.S. institutions from participating in the secondary market for Russian sovereign bonds, which would deny the Russian government access to capital and would depreciate the value of its bonds. In the alternative, the U.S. government could sanction a Russian financial institution or defense sector company, which would more directly impact the interests of Russian decisionmakers. Critically, the U.S. government should communicate to Russia the measurable conditions that would result in the removal of the sanctions.
Third, we can lean on the insurance industry to alter the circumstances and dynamics that have resulted in so many victims paying ransoms to recover their data. Too often, insurance has been seen as part of the problem, with some suggesting that cyber insurance coverage for ransoms should be prohibited because it fuels the rise in ransoms.
But the insurance industry plays an important role in incentivizing better cybersecurity practices that make the private sector less susceptible to attack. As any company that has recently searched for cyber insurance can attest, insurers’ requirements for obtaining cyber insurance have become more exacting. These underwriting requirements – which often look at whether companies employ cybersecurity best practices like multifactor authentication, endpoint detection tools and encryption of sensitive data – are an opportunity to incentivize private sector practices that will collectively reduce the prevalence of attack.
Thus, rather than banning cyber insurance, which would unreasonably force victim companies to bear the entire cost of recovery, the U.S. government could work with insurance carriers to ensure that underwriting requirements are making the private sector more resilient to ransomware attacks, and that insurance policies provide incentives to companies to recover from incidents by means other than paying a ransom.
The actions we propose would be significant – and they require careful deliberation – but to make inroads on the threat of ransomware, we need to start treating ransomware like the billion-dollar problem it is.
Alex Iftimie (@aiftimie) and Brandon Van Grack (@BVanGrack) are former senior national security officials at the U.S. Department of Justice.