The Race to Counter the Growing Ransomware Menace

Ransomware has evolved rapidly and is now big business with experts from multiple cybercriminal groups working together as part of a growing, agile ecosystem, notes Stéphane Duguin.

The CEO of the CyberPeace Institute should know, having previously led major international counter-cybercrime operations that have investigated cyber threat actors at Europol. Today, the non-governmental organisation (NGO) he founded offers free cybersecurity assistance to other NGOs and organisations in critical sectors for a safe and secure cyberspace.

Traditional law enforcement works at a different pace from ransomware gangs, and this dichotomy is a challenge for investigators tasked to tackle the scourge. Duguin puts it this way: "The criminal model evolves at the speed of light. But the response evolves, at best, at the speed of law."
 

An ecosystem of cyber criminals

But how exactly has ransomware evolved? According to Duguin, ransomware has moved towards a "Ransomware as a Service" model over the last decade. “We are not facing a single foe anymore, where a criminal group will work individually. Today, they have joined forces and are franchising their capabilities to one another,” he explained.

"One group might develop the intrusion malware, another could weaponise the malware to penetrate systems, a third could develop the ransomware itself, and yet another group would deploy the operation. All of these actors are working together in a criminal supply chain."

This collaboration and specialisation among criminal groups not only speeds up the production and distribution of ransomware but also fosters competition, which has the unfortunate effect of enhancing the quality of the malware.

"Because they need to convince potential criminal partners that they are the best to work with. You have this rush to improve the technology such as improving the encryption, and it creates a perverse effect that increases the threat."

Indeed, a ransomware enterprise today looks like a successful technology company – think individual developers seeking to outdo their peers, performance assessments, and bonuses. Law enforcement agencies often end up with their hands full after unearthing a network of criminal groups as they investigate the original perpetrator.
 

Targeting the victim

Duguin warned of an ominous evolution known as “Ransomware 3.0”, in which hackers attempt to extort from victims of data theft. This might come on top of “double extortion”, in which the cybercriminals exfiltrate data before encrypting it, then threatening to disclose the compromised data if the organisation does not pay a second time.

Finally, it does not help that it can be difficult to determine if a ransomware attack was done with criminal intent or to obfuscate a geopolitical motive aimed at inflicting economic or political harm. Using the Colonial Pipeline ransomware attack in 2021 as an example, Duguin pointed to the repercussions when the pipeline was shut down for several days: "Ransomware can be a systemic threat for the stability and security of cyberspace."
 

More needs to be done

It is increasingly clear that the rapidly evolving ransomware landscape is a systematic problem that demands a coordinated global response to effectively combat this growing threat.

"Criminals are working together. But in a lot of cases, they don't know each other. This is a different situation from traditional crime. If you dismantle one part of the network, it doesn't mean that you're going to gain useful information on the other parts."

And it doesn’t help that victims who have paid up might not be keen to cooperate. NGOs, for instance, might fear their funding drying up if they admit publicly to succumbing to ransomware extortion. "Ransomware is one of the few crimes which require the victim to be an accomplice. It is unique in how it can result in the victim not cooperating with law enforcement once the ransom is paid."

"We can investigate and identify specific criminal groups today. The problem is what do you do after the investigation?  And what can you do with this information to prosecute the cybercriminals?" said Duguin as he outlined the difficulty of prosecuting cross-border crimes.

"The [limited] cooperation done to date does not match the scale of the issue. We have a phenomenon that is global, interconnected, and extremely agile with a franchise system. But the way we investigate ransomware is siloed, very slow, and requiring evidence that can only be obtained through a very thorough and lengthy forensic process that consumes a lot of resources," he summed up.
 

Countering ransomware

Fortunately, the international community is waking up to the threat of ransomware. A counter-ransomware initiative is gaining steam, with 36 countries, and the EU getting together for the Second International Counter Ransomware Initiative Summit in November last year.

An International Counter Ransomware Task Force is currently being established to coordinate resilience, disruption, and counter illicit finance activities. ICRTF members will commit to contribute to the joint work of the coalition through information and capability sharing, as well as joint action in the fields of resilience, disruption, and countering illicit finance.

In Singapore, a Counter Ransomware Task Force (CRTF) was convened in January 2022 and has since released a report in November setting out its findings and recommendations to guide the Singapore Government and various agencies to secure Singapore from ransomware attacks.

As ransomware continues to evolve and pose new challenges, it is crucial that we remain vigilant and united in the fight against this malicious form of cybercrime. Governments, law enforcement agencies, and the industry must work together to dismantle the intricate networks of cyber criminals by fostering international cooperation, sharing information and resources, and developing innovative strategies.