How To Control Increasing Cyberattacks by Nation-States

Ransomware has become a plague, infecting organizations globally with devastating effects. It has also become an incredibly profitable business model for the cybercriminals and ransomware gangs, mostly Russian, who carry them out. These gangs are comfortable bragging about their techniques, building brand reputation, and pulling in millions (or perhaps hundreds of millions) of dollars in profits each year. The cost of these attacks is estimated to be between $40 billion and $170 billion globally. By encrypting files and demanding payment, hackers have quickly figured out how to monetize illegal access into networks by increasing the pace and sophistication of their techniques while demanding higher and higher ransoms over time, testing what price the market will bear, all with little fear of retribution or prosecution. Ransomware attacks are particularly pernicious and can fundamentally disrupt a government’s ability to deliver critical services to its citizens for prolonged periods of time. We experienced attacks against a series of municipalities, including Atlanta, Baltimore, New Orleans, Greenville, North Carolina, and St. Lucie, Florida, to name a few. The most recent victim of a ransomware attack is Washington D.C.’s Metropolitan Police Department (MPD). 

This week, the MPD was hit with a ransomware attack by the Russian ransomware criminal gang known as Babuk. Babuk is an interesting ransomware-as-a-service criminal organization known and broadly pillared for making it clear that even social justice organizations, like Black Lives Matter and those fighting for LGBTQ rights, are legitimate targets for its criminal activity. The attackers posted a ransom note claiming they had stolen more than 250 gigabytes of data and threatened to publish the material if they were not paid. Interestingly, while ransomware attacks typically lock out the rightful user of a computer or computer network and hold it hostage until the victim pays a fee, in this case, Babuk was not able to encrypt files, making this purely an old-fashioned case of extortion — pay us, or we will leak all the data we have. The MPD’s response to the attack has been swift and impressive to its credit, and there have been no follow-on attacks, as is sometimes the case. The only question that remains is whether there is any reason to consider paying the ransomware demand at all. 

Control of this plague that is infecting our networks requires a willingness to both impose cost on malicious actors by restoring deterrence and improving our defensive capabilities by building resilience. MPD showed tremendous resilience this week in its ability to quickly contain the damage, unlike the dozens of other government agencies and thousands of organizations that have been hit with ransomware attacks over the past few months. Deterrence, however, is the unique purview of the federal government.

The U.S. government must do what only the government can do — deter malfeasance in cyberspace, especially by nation-state adversaries, by using our tools of national power against those who are harming us. The private sector cannot defend itself alone against nation-state adversaries and criminals who are agile, persistent, and creative and who operate with no fear of reprisal. Even the strongest walls will eventually succumb to a capable, well-funded adversary if there is no deterrence. 

In 2018, Peter Singer, a Senior Fellow at New America, wrote about the collapse of cyber deterrence: “Less generously, these trends have created the opposite of deterrence: incentives. The failure to clearly respond has taught not just Russia and China, but any other would-be attacker, that such operations are relatively no pain on the cost side, and all gain on the benefits side. Until this calculus is altered, the United States should expect to see not just Russia continue to target its citizens and institutions … but also other nations and non-state groups looking for similar gains.” His observation is even more true now in the wake of current events. Strong deterrence is the cornerstone of any security framework, and the U.S. government must take up this challenge decisively and consistently. And it should start with ransomware attacks.

The only way to have a meaningful impact on the ransomware industry is to impose high costs on the nations harboring these criminals and enabling them to commit their crimes with impunity and no fear of reprisal or prosecution. In a recent interview with The Record, the online news outlet for threat intelligence powerhouse Recorded Future, a representative from the audacious Russian ransomware-as-a-service hacking group REvil (aka Sodinokibi) bragged, “For me personally, there is no ceiling amount. I just love doing it and making a profit from it. There is never too much money — but there’s always the risk of not enough money.” When asked why he was willing to give the public interview, he replied, “Unusual ideas, new methods, and brand reputation all give good results.” 

If the SolarWinds campaign does not expand beyond its current apparent espionage aim, imposing cost on Russia for this attack may make little doctrinal sense. Imposing cost on Russia, especially with economic tools of national power and policy (sanctions, embargoes, tariffs), for creating a safe harbor for these ransomware gangs is, however, justified and in line with global norms. Without a fundamentally different approach to the problem, we can expect to see the number, cost, and extortion demands of ransomware attacks continue to increase with no ceiling in sight. Stopping ransomware attacks serves the dual purpose of reducing the cybersecurity threat landscape, especially for resource-constrained entities like hospitals, schools, and state and local governments, which are often the target of these attacks, and more importantly, allowing our incident responders and security professionals, who are overwhelmed responding to ransomware attacks, to focus on detecting and responding to more sophisticated attacks like SolarWinds and Microsoft.