The scourge that is ransomware has had a devastating impact on the lives of ordinary people around the world, but it doesn't have to be that way, according to a panel of experts speaking at the 2021 RSA Conference on May 18.
Ransomware is not a new problem in 2021, and it certainly is not one that appears to be diminishing by any measure; rather, it's growing. Jen Miller-Osborn, deputy director of threat intelligence for Unit 42 at Palo Alto Networks, commented that, according to her firm's research, from 2019 to 2020 the average ransom payment nearly tripled, from $115,123 to $312,493. In that same period the highest ransom payment doubled from $5m to $10m.
"They're just gaining more and more money, and when that happens ransomware becomes more and more popular in the criminal sector," Miller-Osborn said.
The Evolution of Ransomware
Michael Daniel, president and CEO at the Cyber Threat Alliance, explained that over the course of the last decade, ransomware has changed.
"If you look back to, say, 2013, ransomware was typically targeted at an individual's computer, and the average ransom was like 100 or 150 bucks, so it was a fairly minimal affair," Daniel said.
In contrast, in 2021 Daniel noted that the average ransom is more than $300,000, and it's not just individuals being targeted—it's things like schools systems, hospitals and the energy grid.
As the cost and scale of ransomware attacks have grown, so too has the complexity of trying to limit the risk and the ability to shut down attackers. Among the challenges is that the impact of ransomware isn't limited to any one industry or even any one agency within the US government.
Phil Reiner, chief executive officer, Institute for Security and Technology and Ransomware Task Force, explained that one of the primary reasons why the Ransomware Task Force existed was to help deal with the fast-moving threat landscape.
"It takes senior-level, top-down interest in a problem like this to really get after it with the resources that are required, and the prioritization of the issue needs to be raised in order to actually do something differently," Reiner said. "It's not business as usual. This is not just a normal cybersecurity threat—it's a plague."
These threat actors, they feel like they can operate this way because they've got safe haven.Phil Reiner
It Is Time for a Comprehensive Approach to End Ransomware
The panelists all agreed that reducing the growth of ransomware will require a coordinated and comprehensive effort across public and private sectors around the world.
"You're not going to solve ransomware with some little silver bullet that just fixes the crypto payments processing problem, you're not going to solve it by just sending Cyber Command after somebody sitting perhaps in Eastern Europe," Reiner said. "These actions all have to happen at the same time if you're really going to effect significant change and shift the trajectory."
Daniel emphasized that disrupting the cryptocurrency element of ransomware will be a critical part of a comprehensive effort. He noted that it is clear that one of the big enablers for ransomware is the growth of cryptocurrencies.
"Cryptocurrency enables payments to occur in a way that the normal financial system can't track or block," Daniel said. "So clearly you're going to have to address that part of the ecosystem, which has nothing to do with cybersecurity directly. "
Increasing Pressure with Law Enforcement Actions
As ransomware attackers can be anywhere in the world, Reiner said that there are different tactics, including economic sanctions, that can and should be used globally to apply pressure to de-incentivize attacks.
"These threat actors, they feel like they can operate this way because they've got safe haven," Reiner said.
Daniel suggested that for the federal government, there is a need to increase capabilities across multiple agencies and not just those where the focus is on security. For example, he noted that the Department of Health and Human Services (HHS), the Department of Energy and others need to work with organizations within their respective sectors to make them more resilient to ransomware incidents.
Miller-Osborn advocated for more law enforcement actions to help deter would-be ransomware actors. In her view, many ransomware attackers haven't been too concerned about consequences or the risk of ending up in jail. If there is a coordinated response, where ransomware infrastructure, network and payment operations are all taken down and people are arrested, convicted and get jail time, she expects that behavior will change
"Cybercrimes are never going to go away," Miller-Osborn said. "But the more people we can discourage from doing these kinds of activities, the safer everyone's going to be as a whole."