Cybercrime

What more can be done to stop ransomware attacks?

A panel of experts debated at the 2024 mWISE conference what more could be done in the wake of police action and tens of millions in ransom payments over the past year.

By Greg Otto

September 19, 2024

(Getty Images)

DENVER — “Drone strikes.”

The comment, made somewhat in jest by Allan Liska, an intelligence analyst at Recorded Future, was in response to a question about what could be done to further deter ransomware actors from carrying out their attacks.

“We only need to hit one ransomware dude with a drone, and then a whole bunch of them will retire very quickly once they know that’s on the table,” Liska said during an expert panel Wednesday at the Mandiant Worldwide Information Security Exchange (mWISE).

While the comment may have been tongue-in-cheek, there was an undercurrent of exasperation when Liska and other experts were asked how to further thwart ransomware attacks, especially as it has been made public that several companies have made eight-figure ransom payments in 2024.

“The rewards of ransomware are so great” for attackers, said Brett Callow, a managing director at FTI Consulting. “We really need a very powerful deterrent or we need very effective mechanisms to reduce the amount of money that’s flowing into the ransomware ecosystem. Until we do one of those two things, or a combination of both, we’re not really going to get to grips with this problem.”

The experts commended the amount of takedowns in 2024 — 14 as of this article’s publication — calling it a step in the right direction. But they also know cybercriminals adapt to these actions, being able to re-tool and quickly resume operations.

Kimberly Goody, head of Mandiant’s Cyber Crime Analysis team, pointed to the Trickbot takedown as an example of how attackers showed some resilience.

“I would say the timing of that Trickbot disruption maybe didn’t have the impact in reducing ransomware in the way we would like, because once [those responsible] had taken action against Trickbot, those actors shifted to these other tools that organizations didn’t actually have adequate defenses against,” she said. “So we kind of saw a skyrocket of victims there, because we didn’t set those organizations up for success with being able to detect the new tools.”

Liska contrasted that takedown with Operation Endgame, a multinational effort that disrupted more than 100 servers and 2,000 domains that were used to facilitate a range of cybercrime.

Operation Endgame “was better timed, better coordinated, and I think it was much more impactful,” he said. “I think not only are we seeing more takedowns, but we’re seeing law enforcement learn lessons from earlier problems to [carry out takedowns] more effectively.”

Is banning ransom payments reasonable?

Over the course of the year, both Callow and Liska have called for an outright ban on ransom payments as a way to deter attacks. But both backed off those thoughts Wednesday when they viewed it through the lens of the current attack landscape.

“I used to be a proponent of a ban, but I think the time to do that would have been [when] ransomware was nowhere near as impactful as it is” now, Callow said. “I just don’t see us being able to tell a hospital that it can’t pay a ransom when it has no means of recovering its systems. The impact on patients would be politically untenable.”

Liska called a ban “a bad idea, but the least bad one,” while also endorsing the UK’s plan to require ransomware victims to contact the government, then grant them clearance to make extortion payments.

“If you have to pay a ransom, at least [the government knows] how much ransom is being paid, and they know what wallets are being paid to, and they can start tracking that information better,” he said.

Insurers’ role in deterrence

In the past few years, cyber insurers have strengthened organizations’ defenses by limiting or avoiding ransom payments and advising on best practices, particularly regarding backups. Goody noted that these efforts reduce attackers’ financial gains from incidents.

“We are seeing those [insurance] companies push organizations to try to restore as many systems as they can as quickly as possible, while the negotiator is kind of stalling,” she said. “That’s important from the perspective of if an organization was hit with ransomware, and the attacker demanded $2 million for the restoration of all their systems, if that [victim] organization is able to actively discover that actually only 10% can’t be restored from backups, they can use that to give them an upper hand in the negotiation, which ultimately helps the cyber insurer, because they might not have to pay out as much.”

Liska noted that insurers are increasingly stringent about companies’ security practices before issuing policies.

“I know that a lot of organizations now before they get their [policy] renewal, they have to go through a much more intensive testing process, not just fill out a checkbox,” he said. “They actually have people coming in and doing pentesting. That allows some of these insurance companies to pick better customers, or have better customers that are not going to be hit as often.”

Visibility above all

Even with the enhanced efforts from both government and the private sector, Callow said there are still way too many attacks that happen out of the public eye to further deter ransomware attacks.

“It is really, really hard to measure the effect of these actions, because we don’t know how many ransomware attacks there are,” he said. “We don’t know the impact of those attacks. We have very, very limited visibility for law enforcement to truly be able to assess the impacts of their actions. And for policymakers, we need to have much better reporting of incidents so that we know how many there are, so that we can see and measure the impact.”