More frequent disruption operations needed to dent ransomware gangs, officials say
With ransomware gangs proving capable of quickly reconstituting after government takedown operations, an international alliance wants to ramp up those offensive measures even more.
“What we’ve observed is that there is no one operation that’s going to disrupt ransomware permanently,” Anne Neuberger, deputy national security advisor for cyber and emerging technology, told reporters in a call Monday. “Instead, we have to increase the frequency and increase the breadth of these operations, by taking down infrastructure regularly, designating the exchanges that are facilitating money laundering and ransomware activity regularly.”
Neuberger’s comments previewed meetings this week of the Counter Initiative, a U.S.-created organization now composed of 68 countries. The summit’s first two days will focus on disruption operations and policy, Neuberger said. A third day will focus on the nexus of artificial intelligence and cyber defense, with presentations from government agencies and leading AI companies.
The initiative plans to roll out a counter-ransomware fund that USAID will lead, supported by member nations and the private sector; guidance to aid victims of ransomware attacks produced by member nations and supported by insurance bodies; a Canadian private sector advisory panel meant to foster information sharing; an Australian-developed website through which member countries can seek help with ransomware attacks; and the expansion of a cybersecurity supply chain effort for the energy sector from the G7 to the initiative’s member nations.
As long as victims keep paying ransoms, though, there’s always going to be a big incentive for gangs to stay in business, Neuberger said. That in turn drives the need to increase the number of operations against those gangs, she said. A task force within the initiative “drives more and more disruption activity and more countries joining it to try to improve the impact.”
Laura Galante, director of the Cyber Threat Intelligence Integration Center (CTIIC) housed within the Office of the Director of National Intelligence, said it counted 2,593 attacks in 2022, 4,506 in 2023 and 2,321 attacks through the first half of this year.
“What this looks like to us is, we’ve seen a real jump in the number of attacks and proliferation of the type of infrastructure and tools that a variety of ransomware actors have been able to use,” she said. “They have incredibly decentralized models that allow for rebranding and reconstituting even after they’ve been disrupted.”
Still, Galante said, disruption operations have “been really key to making this harder for certain groups to really get deeper and more specialized and mature, and makes the organizations a little bit more chaotic, which ends up being helpful, because it takes more time for them to reconstitute and have successful operations in the future.”
Disruption operations appear to have weakened ALPHV/Black Cat, for example, she said.
The newest members of the initiative are Argentina, Bahrain, Cameroon, Chad, Morocco, Hungary, the Philippines, Slovenia, Vanuatu and Vietnam.
