While this seizure signals more accountability, there are many reasons to expect that ransomware attacks will quickly get worse before getting better.
There are local initiatives and concerted commitments among mayors that would prevent municipalities from paying ransoms. Meanwhile, insurance carriers have started to remove ransomware payments from policies, and the federal government has placed several ransomware gangs on sanctions lists, making ransom payments to them illegal under federal law.
Bitcoin has long been the cryptocurrency of choice for criminal enterprises deploying ransomware. Cryptocurrency infrastructure itself enables these tactics, but that is changing. This is not because, as some erroneously assume, Bitcoin is untraceable.
While Bitcoin does offer users extra privacy, it is not totally anonymous — rather, it provides users a form of digital pseudonym. As transactions are logged on the blockchain, a public ledger, Bitcoin is eminently traceable. Criminal enterprises paid in Bitcoin, however, launder their proceeds through legitimate coin-swapping services, illegitimate mixers designed to make it very difficult to “follow the money,” and shady over-the-counter brokers who turn cryptocurrency into cash.
Lax know-your-customer (KYC) requirements are, in large part, to blame for cryptocurrencies making extortion scalable. These lax practices are for the most part the hallmarks of a young, under-regulated industry rather than an intentionally malicious oversight. These practices will eventually mature into more robust KYC processes, likely as a condition of doing business with larger exchanges like Coinbase.
The Biden administration’s strategic review of the role of cryptocurrency in ransomware steps on the gas. Moreover, the US is already developing methodologies to track lesser-known cryptocurrencies to which criminals are gravitating.
These factors create a perfect storm — time is of the essence for criminal enterprises to make as much money as they can. This also puts pressure on the ransomware industry itself.
Operations like DarkSide are part of the ransomware-as-a-service ecosystem. For a share of the profits, DarkSide deploys ransomware on behalf of other criminal actors who have established illicit access to an organization.
For several years, I have hunted a persistent group that attempted to steal credentials from more than 1,500 entities in the United States, most of which are part of critical infrastructure. More than 300 hospitals, 80 energy sector companies (including pipelines), 60 pharmaceutical companies, 200 state and local governments, 80 school districts, and 100 targets in the food distribution ecosystem of the United States were targeted by this adversary. Slick, efficient, and designed to evade detection, many of these attacks were successful.
Left undetected, a competent adversary will find a way to make access persistent, which allows an adversary to poke around, find the high-grade ore, and stage an effective ransomware event that may even knock out backups intended to protect against ransomware. There is a rush to monetize this type of access, given the dwindling lifespan of ransomware — another reason why we can expect a higher velocity of attacks in the short term.
Finally, the risk versus reward calculus is changing. Last month the Justice Department used the Racketeer Influenced and Corrupt Organizations Act to go after service providers that enable cybercrime. The department is likely to use the same legal theories to pursue those who provide services for ransomware attacks, from server hosts to cryptocurrency exchanges. And US laws about the financing of criminal activities and terrorism may be extended to reach ransomware gangs.
At the state level, legislatures have been debating bills prohibiting ransom payments and providing criminal penalties for possessing ransomware. For countries that turn a blind eye to for-profit criminal ransomware enterprises, the United States and its allies are expected to exert significantly more carrot-and-stick influence to discourage such behavior, including economic sanctions if local criminals are not prosecuted. The days of impunity are, indeed, numbered.
All these reforms are moves in the right direction. But with opportunistic criminal enterprises racing to monetize their illicit access to US organizations, we can expect more short-term ransomware attacks on US organizations. We must be wary that even if ransomware events decrease in the United States, our supply chains are global — ransomware attacks in other countries will inevitably affect US interests.
Things will get worse before they get better. It is my sincere hope that the United States can serve both as a warning to the rest of the world about the dangerous implications of ransomware, and lead by example when it comes to deterring, prosecuting, and cooperating with our allies to stamp out this scourge.