Report: U.S. Making Progress in Fight Against Ransomware – Government Technology

Posted: May 15, 2023 at 11:29 pm

The U.S. has spent recent years strengthening its efforts to combat ransomware, yet that specific type of cyber attack remains a problem, with new strains that are harder to attribute and incident reporting gaps that leave questions. At the same time, there may be new reasons for optimism.

Ransomware has spiked in public awareness of late, with high-profile incidents such as the 2021 Colonial Pipeline panic, and it continues to cause new problems for local government, in places ranging from Dallas to Spartanburg County, S.C. As a result, federal efforts to fight these attacks are ongoing, and they have frequently aligned with the recommendations of the Ransomware Task Force (RTF), a public-private collaboration whose members have previously included the now-acting National Cyber Director Kemba Walden.

RTF released a 2021 report detailing the global ransomware landscape with proposals for how nations could work to disrupt it in long-lasting ways, and the U.S. has made at least some progress on most of the recommendations in that report, speakers said during a recent event hosted by the Institute for Security and Technology (IST), which coordinates the RTF. Among the wins: international partnerships have disrupted some perpetrators, and the U.S. has started pre-emptively warning organizations when they have vulnerabilities that are susceptible to ransomware actors.

Federal security and cybersecurity officials said they want to compel cryptocurrency entities and cloud services providers to keep cyber criminals off their services. Anne Neuberger, U.S. deputy national security adviser, said the U.S. is also mulling a ban on ransomware payments, with exemptions granted to some essential organizations.

But it's unclear if any of this marks a lasting shift away from ransomware. The drop in such attacks against the U.S. may have been driven by world events, with Russia's war against Ukraine diverting the attention of cyber crime groups in the region, the RTF said.

Officials are cautious about describing the landscape, but some tentatively suggest hope.

"The rate of ransomware attacks seems to be somewhat stabilizing, and, I think a level, plateau, steady state is where we've been," said David Ring, head of the FBI Cyber Division's private-sector engagement and cyber criminal intelligence missions.

However, Allan Liska, intelligence analyst at the threat intelligence platform provider Recorded Future, said the situation remains murky.

"We think ransomware attacks have seen a resurgence in 2023, after dipping a little bit in 2022," Liska said, "... but the answer is that we don't know, because there's not enough incident reporting to get a clear picture."

Regardless of the number of attacks, those that do successfully hit can be punishing. Ransomware continues to strike U.S. hospitals, schools and local governments.

Fully understanding the ransomware landscape is challenging, because reporting requirements are often nonexistent or fragmented, making it hard to get a complete view, Liska said. Even the FBI believes it only received victim reports on about 20 percent of Hive ransomware attacks, Ring said.

Michael Phillips, RTF co-chair and chief claims officer at cyber insurance provider Resilience, said organizations fear being stigmatized if they admit to suffering a ransomware attack, and they also want a standardized way to report. That latter step would make it easier for victims to inform authorities promptly, while they're still in crisis mode dealing with the effects of an attack.

Mandatory reporting requirements are forthcoming for some sectors under the Cyber Incident Reporting For Critical Infrastructure Act (CIRCIA), which passed in 2022. But the Cybersecurity and Infrastructure Security Agency (CISA) is still paving the way for its implementation, and CISA Chief Strategy Officer Valerie Cofield said "we won't see the fruits of that legislation for a couple of years."


Prior years have seen ransomware-as-a-service (RaaS) models proliferate, in which developers create the malware while other cyber criminals called affiliates deploy it and share some of the extortion profits.

"We're now seeing a lot of threat actors move away from there," Liska said.

Ransomware code is increasingly leaked and stolen, leading to some new variants that include other ransomware groups' code. Liska calls these variants "Franken-ransomware" and said the code recycling makes it difficult to determine who's actually behind attacks.

"That kind of fracturing of the ransomware market has made it harder for us to track and identify what the growing strains are [or] even [identify] who hit us," Liska said. "I get this question all the time now: 'Hey, we got hit by this, do you know what it is?' Because there's no name in the ransom note, just some random email address. That's a real challenge for incident response and even for reporting."

The U.S. has made strides in the past year toward building intergovernment and public-private collaborations around disrupting ransomware, as well as in working to address risks from cryptocurrency entities that facilitate perpetrators' payments, per the RTF's report. The U.S. also deepened its focus on reporting and information sharing.

The U.S. has now made significant progress on 50 percent of the task force's 48 recommendations and some progress on 92 percent of them. That's up from May 2022, when IST CEO Phil Reiner reported significant progress on 25 percent and some progress on 88 percent.

More remains to be done, even on areas that are showing progress. U.S. Rep. Elissa Slotkin called for ensuring crypto exchanges, kiosks and trading desks follow Know Your Customer (KYC) and anti-money laundering practices.

"There are gaps in our crypto regulations, and these gaps allow bad actors to evade the law," Slotkin said in pre-recorded remarks.

Acting National Cyber Director Kemba Walden said multipronged efforts can help make ransomware less profitable and less easy for perpetrators to conduct. Addressing illicit cryptocurrency use can disrupt the flow of profits, while requiring cloud services providers to follow KYC practices could help hamper ransomware operations by preventing nefarious use of this digital infrastructure.

Pushing for software and hardware to be secure-by-design and secure-by-default could also make the U.S. more cyber secure overall and do so in a way that lifts the responsibility off of small players and end users, Walden said.


"When we talk about, potentially, countering Chinese malicious cyber activity, there are some countries who will say, 'We don't want to do that publicly,'" Neuberger said.

The U.S. and its partners have been trying a variety of disruptive efforts and are working to assess just how impactful any of these strategies are, Neuberger said. For example, the U.S. and international partners took actions against the Hive ransomware gang and the dark web marketplace Genesis Market. Those included seizing Hive servers and decryption keys as well as 11 of Genesis Market's domain names. But questions of effectiveness remain:

"We know it has a disruptive impact for how long?" Neuberger said. "How do we extend how long that lasts? How do we ensure these disruptions have foundational impact on the infrastructure, on the people, on the money laundering networks, that makes this possible and that drive it?"

Whether organizations should be allowed to pay ransom is a tricky question. The U.S. is actively discussing whether to issue a broad ban against this practice, while allowing case-by-case exemptions for essential entities, Neuberger said.

"A question that we've grappled with, both within the U.S. government and bilaterally, as well as multilaterally, is, do we ban ransomware, with a waiver?" Neuberger said.

Paying extortion makes the attacks profitable, enabling and encouraging more ransomware. But when victims are critical entities, not paying risks leaving their essential services going down for longer.

"For an individual entity, it may be they make a decision to pay. But for the larger problem of ransomware, that is the wrong decision," Neuberger said. "Now, there may be an individual entity, a major hospital, an emergency services, that we just are committed to bringing the services back up as quickly as possible. So [when] we think about banning ransom payments, we asked, 'Would we do so with a waiver, e.g., notifying [and] asking the permission of the relative U.S. government?'"

The RTFs 2021 report warned that imposing a full ban on ransom payments might prompt perpetrators to initially test this resolve and ramp up their attacks against essential organizations like health-care providers, local governments and other custodians of critical infrastructure.

"As such, any intent to prohibit payments must first consider how to build organizational cybersecurity maturity, and how to provide an appropriate backstop to enable organizations to weather the initial period of extreme testing," that report read.

The 2021 RTF report recommended that nations require victims to avoid paying unless they'd first conducted a cost-benefit analysis to confirm that doing so would really be worthwhile. Victims should also have to consider alternative options before choosing to pay. Sometimes data is recoverable elsewhere or decryption keys are already available, for example.


For example, the pre-emptive vulnerability warning program described above warned 93 critical infrastructure owners and operators in February about a Microsoft Exchange ProxyNotShell vulnerability and has since seen a 30 percent uptick in patching that vulnerability, Cofield said.

The past two years have also seen ransomware victims become more trusting of federal government support, with the FBI's Ring saying victims are more likely to report attacks.

"Two years into this, I think the conversation has shifted to, rather than, 'Should we report this to law enforcement?' to 'When should we report this to law enforcement?', which is a small change, but a very, very significant change in terms of how people think," Ring said.
