Offense will win some battles, but cyber defense will win the war
We are years into a ransomware epidemic with no clear end in sight.
Policymakers and security researchers are now using combative efforts to “impose cost” on hackers. Sanctions, hacking back, infrastructure disruption, indictments and other offensive activities all have a negative impact on cybercriminals.
But to have real, long-term impact on these nefarious activities, organizations and governments need to more actively consider the ways that defense can impose costs too: Robust, consistent and well-funded cyber defenses cost adversaries time, effort and the likelihood of success. Defense, and investment in mandatory cybersecurity requirements, is how we will solve the fundamental problems at the heart of the ransomware epidemic.
Since early 2021, law enforcement and U.S. military activities against cybercrime threat actors, specifically those responsible for ransomware attacks against critical infrastructure, have increased dramatically. The White House also announced this year the creation of a ransomware task force, and dozens of nations have acknowledged the need for urgent action in this space. And this year, Gen. Paul Nakasone, the head of Cyber Command, acknowledged the offensive and aggressive role the U.S. military’s cyber arm plays in combating digital threats, not just state-sponsored activities, but cybercrime as well.
Cyber Command reportedly played a role in forcing the notorious REvil ransomware gang offline, and the U.S. Department of Justice charged two foreign nationals — a Ukrainian and a Russian — for their role in REvil attacks. The U.S. Department of Treasury sanctioned cryptocurrency exchange Suex OTC, S.R.O. for facilitating ransomware payments.
But this collection of high-profile takedowns, indictments and financial actions doesn’t appear to have a lasting impact.
For example, in January 2021, the internet breathed a collective sigh of relief when global law enforcement reported it took down Emotet, some of the world’s most notorious malware, responsible for facilitating some of the highest-profile disruptive ransomware attacks to date. The relief was short-lived: In November 2021, the malware returned, this time with new tricks. Emotet threats are not yet as high-volume as they were in late 2020, but the malware is once again very active and its operators are even collaborating with other malware actors while making their comeback.
Current offensive operations mean fewer hands on keyboards operating disruptive malware. But the hits keep coming.
Ransomware threat actors and the initial access brokers that facilitate attacks are part of a constellation of cyber criminal enterprises with a lot of associated human operators. Many malware and ransomware groups operate on an affiliate model, where cybercriminals can buy into a program, paying to use pre-packaged malware and services while giving a kickback of any funds earned to the main group. Cyber Command, and other allied offensive and law enforcement operations, are playing whack-a-mole against flexible and dispersed threat actors who can quickly and fairly easily spin up new infrastructure.
Despite slowdowns in some sectors like healthcare and education, ransomware attacks are still on the rise overall globally, according to research from the security firm Recorded Future.
“Offensive efforts are not impacting core groups — REvil aside,” says Allan Liska who leads the Computer Security Incident Response Team at Recorded Future. “We are however making it more expensive to be an affiliate, especially outside of Russia, like in Canada, South Korea, Romania, and Ukraine. The affiliates that exist outside of the control of Russia are genuinely suffering consequences.”
Liska predicts future ransomware threat activity will blur lines between state and criminal operations. “I think in 2022 we are going to start to see more ransomware move out of Russia and into Iran and China, which presents the same issues,” regarding the inability to have a significant impact on operations relying on military, diplomatic, or law enforcement efforts.
Government-backed hackers already use ransomware. Microsoft recently reported six Iranian threat groups were observed deploying ransomware to achieve strategic state objectives since September 2020. Evil Corp., a cybercriminal gang whose members have been associated with Russian intelligence, also conducts ransomware activities.
There is no evidence that American hacking has changed Russia’s calculus on ransomware and it’s not clear that economic sanctions are having an impact either. For now, the bad guys have safe harbor in a country where the government knows about and even works with cybercriminals.
“The problem for [disrupting] state and ransomware actors is that you’re not going to catch anyone because they’re in a jurisdiction you have no control over,” said Ciaran Martin, Professor of Practice in the Management of Public Organisations at Oxford, and the founding Chief Executive of the U.K. National Cyber Security Centre (NCSC). He also says sanctions and indictments don’t work as well for Russia, the global epicenter of cybercrime, as they do with other nations. “When you name [cybercriminals], they just don’t care. It seems to be that the indicted people know they’re confined to Russia and they’re okay with it.”
Law enforcement activities against cybercrime operations require thousands of hours of work. They can also suffer from corruption. One infamous operation in Ukraine over a decade ago took years of planning and resource development, only to fail to secure the top cybercriminal targets including Maksim Yakubets who remains one of the most notorious Russian cybercriminals to this day.
Offensive activities get a lot of attention, but there is little public understanding of the amount of resources — human, digital and financial — used, or the scope of offensive campaigns. As national security experts Erica Lonergan and Lauren Zabierek wrote in Lawfare about Cyber Command’s recent efforts, “more clarity is needed on how the role of the military is conceptualized relative to other instruments of power and, importantly, the mechanism that enables coordination of different authorities and resources across the government toward a shared objective.”
It is unprecedented for a military organization to engage in disrupting criminal activity. But despite the surge in offensive action, and the public attention paid to efforts whose workings remain largely opaque, military and law enforcement activities are currently a stopgap in preventing cybercrime operations. All organizations should treat military, law enforcement and government actions as buying them time to bolster their defenses and to invest in improving cybersecurity, because offensive activities do not stop threat actor behavior in the long term.
There is currently no definitive measurement of success for offensive cyber operations. The Emotet takedown was lauded as a major victory over malware, but its return raises the question of whether the takedown was successful: It opened up space in the threat landscape temporarily, and hopefully gave organizations time to shore up defenses, but the malware ultimately returned.
Changing the calculus on defense remains the most important way to prevent attacks, even if it is not as attention-grabbing as offensive efforts. This shift must occur both within organizations by investing in cybersecurity, and more importantly, getting federal governments to approach the problem differently.
Cybercrime actors, including ransomware operators, typically do not use zero-day vulnerabilities, or flaws in software unknown to the vendor and thus exploitable before a fix exists. Instead, they leverage social engineering, known vulnerabilities, poor configurations, insecure login portals, and other easily fixable holes in corporate defenses. For example, according to the Cybersecurity and Infrastructure Security Agency (CISA), Conti ransomware operators use spearphishing with malicious attachments that lead to malware, stolen or weak credentials for remote access portals, phone calls, fake software advertised via search engines, and common flaws in computers, servers, and other corporate equipment to infiltrate victim environments.
This means most ransomware attacks can be prevented by investing time and money into improving defense, much of which can be accomplished by following basic best practices. Organizations need to start by identifying what they own and operate, then look for gaps that can be fixed. These can include vulnerabilities and outdated software, which can be addressed by patching and robust vulnerability management policies; poor password requirements and over-broad user permissions, which can be addressed via multifactor authentication and the principle of least privilege; or private but internet-exposed assets, which should be removed from the internet or configured properly to prevent unauthorized access.
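As an added illustration of the “identify what you own, then look for gaps” step, not code from the article or its author, the script below runs the three checks the paragraph names over a constructed asset inventory: patch age against a policy threshold, remote-access portals without multifactor authentication, and internal-only services reachable from the internet. The inventory, field names, the 30-day patch threshold and the list of internal-only services are all assumptions made for the example.

```python
"""Asset-inventory gap check (added example; not from the article).

Given a constructed inventory of hosts, flag the gap types the paragraph
lists: stale patches, remote-access portals without MFA, and internal-only
services exposed to the internet. Field names and thresholds are assumed.
"""
from collections import Counter
from datetime import date

# Constructed sample inventory; the field names are this example's own convention.
INVENTORY = [
    {"host": "vpn-gw-01", "role": "remote_access", "internet_exposed": True,
     "last_patched": "2021-11-20", "mfa": True, "services": ["ssl-vpn/443"]},
    {"host": "rdp-jump-02", "role": "remote_access", "internet_exposed": True,
     "last_patched": "2021-06-01", "mfa": False, "services": ["rdp/3389"]},
    {"host": "file-srv-03", "role": "internal", "internet_exposed": True,
     "last_patched": "2021-12-01", "mfa": None, "services": ["smb/445"]},
    {"host": "web-04", "role": "public_web", "internet_exposed": True,
     "last_patched": "2021-12-05", "mfa": None, "services": ["https/443"]},
]

MAX_PATCH_AGE_DAYS = 30  # assumed policy threshold, not a value from the article
# Services that should never face the internet (assumed list for the example).
INTERNAL_ONLY_SERVICES = {"smb/445", "rdp/3389"}


def find_gaps(inventory, today_iso, max_patch_age_days=MAX_PATCH_AGE_DAYS):
    """Return (host, gap, remediation) tuples for every gap found.

    today_iso is the reference date as an ISO string, so the check is
    reproducible and does not depend on the wall clock.
    """
    today = date.fromisoformat(today_iso)
    findings = []
    for asset in inventory:
        # Gap 1: outdated software -> patching / vulnerability management.
        age = (today - date.fromisoformat(asset["last_patched"])).days
        if age > max_patch_age_days:
            findings.append((asset["host"], f"patch_age:{age}d",
                             "patch and enforce vulnerability management policy"))
        # Gap 2: remote access without MFA -> multifactor authentication.
        if asset["role"] == "remote_access" and not asset.get("mfa"):
            findings.append((asset["host"], "no_mfa",
                             "enforce multifactor authentication on the portal"))
        # Gap 3: internal-only service exposed -> remove or restrict exposure.
        exposed = INTERNAL_ONLY_SERVICES.intersection(asset["services"])
        if asset["internet_exposed"] and exposed:
            findings.append((asset["host"], "exposed:" + ",".join(sorted(exposed)),
                             "remove from the internet or restrict to VPN access"))
    return findings


def summarize(findings):
    """Count findings per gap family (the text before the first ':')."""
    return dict(Counter(gap.split(":", 1)[0] for _, gap, _ in findings))


if __name__ == "__main__":
    results = find_gaps(INVENTORY, "2021-12-10")
    for host, gap, fix in results:
        print(f"{host:12} {gap:22} -> {fix}")
    print(summarize(results))
```

The same three checks generalize to a real inventory export (CMDB, cloud API listing, or scanner output) as long as it can be mapped onto the four fields the script reads; the point of keeping the reference date explicit is that a gap report should be reproducible when it is reviewed later.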
Solutions that would drastically decrease the impact of cybercrime exist, but organizations lack the incentives, and often the resources, to truly change.
When a free-market failure that affects the security and safety of a population persists for years, the best solution has typically been smart government intervention. Cybersecurity regulation that pushes companies to be more secure will make life harder for the bad guys.
Selena Larson is a Cyber Project nonresident fellow at the Harvard Kennedy School’s Belfer Center, and a senior cyber threat intelligence analyst.