Thursday, May 6, 2021

Ransomware – What to Do?

Increasingly, it looks like Washington is finally waking up to the fact that ransomware is becoming a critical problem for the nation. This means that Congress might actually do something to fix the problem. Okay, if you believe that, I have some land for sale about 20 miles south of Key West. But really though, something does need to be done. What are the options?

Scope of the Problem

When ransomware was affecting just individual computers owned by small businesses and private citizens, it was not an issue of national concern. The money was small potatoes, and the effects were of no consequence to the economy. At this level the ‘solution’ was easy; routinely backing up files would allow owners of ransomed machines to erase the affected files and restore them from secure backups. Still, the key to ransomware at this level was the presence of cryptocurrencies, predominantly Bitcoin, that allowed the attacker to anonymously collect their toll.

To make real money, ransomware authors needed targets with deeper pockets, with more to lose from encrypted computers. Those targets would only be found in larger companies, corporations and government agencies. To be effective, the attacker had to be able to gain access to the internal network of the target and either find the most critical computer to encrypt or encrypt large portions of the network. Single computer backups were still effective, so network encryption became the key. Network backups are harder to do (but not impossible by any means), and the delete-and-restore mitigation becomes much more time consuming as more machines are involved. It was just easier to pay the ransom.

As attackers started increasing the amount of money demanded for removing their encryption, it became easier to justify the time and cost of backup, remove and restore. And it did not take long for attackers to realize that they needed to find another incentive for paying ransoms. They quickly hit on stealing sensitive data as part of their network invasion and encryption attack. If the target does not pay up, they simply release the data publicly; ransomware has become extortionware.

Security Measures

The most obvious solution is to make it harder for the attackers to gain access to the network. This is much like rich families in Mexico increasing their personal security staffs to avoid being kidnapped. It works, for a while. Lesley Carhart made an interesting point about this tactic on Twitter®:

“The problem is that they are richy mc rich pants now because everyone paid up, and even if people secure mail really well they can sometimes now afford to buy 0days or really good black hats.”

As the attackers’ resources (money and expertise) increase, the cost of defending against them increases even faster. The rich in Mexico have to pay their guards more than the kidnappers are able to pay them to look the other way. We are already at the point where a very large number of potential targets cannot afford (in money and/or personnel) the security measures necessary to stop the initial intrusions.

Rather than trying to stop the initial penetration, another tactic might be to stop the spread through the network. If you can keep the problem down to a couple of computers with no sensitive information on them, then the remove and restore process becomes reasonable again, and sensitive information can be protected by encryption at rest (with encryption keys stored off the network). One way to do this is to completely rethink the concept of corporate networks and enforce radical (workgroup level) network segmentation with strong security controls for the minimum necessary movement between segments. This would require extensive system redesigns and a change in many corporate mindsets. A less radical level of network segmentation may provide benefits, but if it does not allow remove and restore to work as a ransomware response, it will not provide adequate ransomware protection.

Go After the Money

In the United States, kidnapping is not nearly as prevalent as it is in countries like Mexico. That is because law enforcement (particularly the FBI) has become very effective at investigating, arresting and prosecuting these crimes. And they have principally focused on making it difficult to collect the ransom payment by following the money. There are a couple of problems that make that difficult with respect to ransomware.

The first problem is following the money. Ransomware was not really practical until the advent of cryptocurrencies. That provided for an effectively untraceable method of paying the ransom. As with anything manmade, the anonymity of the transactions has decreased with the advent of blockchain explorers and technology like Coinpath®.

The major difference between kidnappers and ransomwarers (new word?) is that kidnappers have to have a local presence to put their hands on their victims. Ransomwarers can be anywhere in the world. This makes it more difficult to track the attackers. More importantly, in many instances it makes their arrest and prosecution practically impossible.

Tracking the Software

Another path to countering ransomware is tracking the software used to enter, transit and encrypt the systems to be ransomed. Federal intelligence agencies are getting better and better at tracking cyberattacks. Unfortunately, those agencies are not used to track criminal attacks. Law enforcement agencies do not have the same level of cyber tracking capabilities found in the intelligence agencies.

Doing Something

Okay, with all of that, what can Congress do? One suggested remedy has been for Congress to make it illegal to pay a ransomware demand. The thinking is that if the crooks cannot make any money with their attacks, they will not waste their time executing those attacks. A couple of problems with that. First, if affected entities do not report the attack, there is no way for the government to know whether or not they paid a ransom. Operations that figure the cost of recovering their networks in the classic way will be more than the ransom plus the government fine will almost certainly pay the ransom and try to keep the government from knowing that they were attacked.

Another approach being bandied about in the nation’s capital is to provide money to State, local and Tribal governments to help them increase the security on their systems so they can avoid potential attacks. I certainly do not want to stand in the way of that funding, but throwing money at the problem will only allow the politicians to look like they are doing something; see my comments above under security measures.

Another money throwing approach is to increase funding in DOJ (mainly the FBI as the action agency) to allow them to increase their capability to identify the attackers behind ransomware attacks. This will certainly help, but it will do little to stop the attackers unless the DOJ is provided with more effective tools than indicting cyber-criminals from Russia, China or North Korea who are unlikely to ever appear in a jurisdiction where they can be brought to trial in the United States.

My Suggestion

Here is a radical idea. Congress can define a ransomware attack on critical infrastructure as an attack on the sovereignty of the United States. They would have to tighten up the definition of ‘critical infrastructure’, but this would allow the President to use the intelligence infrastructure and cyber forces of the US military to ‘go after’ the perpetrators of ransomware. They would primarily be looking to empty Bitcoin wallets, obtain decryption keys and ‘destroy’ stolen files being used to extort ransomware payments. If they could obtain actionable information that could allow the perpetrators to be arrested and extradited to the United States, great, but disrupting the ability of the attackers to enjoy the fruits of their ‘labor’ would go a long way toward reducing the level of ransomware.
