New global model needed to dismantle ransomware gangs, experts warn

Tackling ransomware gangs globally is a tall order, but a path forward is taking shape.
cyber norms
The United Nations flag (Getty Images)

Ransomware gangs are making a killing — they’re encrypting data at schools and hospitals around the world at an alarming rate, and they’re raking in hundreds of millions of dollars’ worth doing it, by some counts.

But it doesn’t have to be that way.

Security experts and former diplomats are in the early stages of urging governments to work together to create a different kind of world — one with fewer examples of hackers taking data hostage or knocking organizations offline to demand ransoms or extortion fees, and one in which hackers are held accountable for targeting vulnerable organizations.

Government officials increasingly have been working together to tamp down on malicious cyber activity in recent years, as evidenced by a European Union sanctions regime focused on hacking rolled out in the past year, and a 2015 agreement among United Nations members that cyberattacks intended to damage critical infrastructure are off limits. But a recent dramatic uptick in ransomware attacks has ignited interest in recasting the playing field so it doesn’t advantage the attackers — and concerns that developing norms alone won’t dramatically shift the balance.


Ransomware victims paid nearly $350 million to hackers in 2020, a 311% increase over the prior year, according to the blockchain analysis firm Chainalysis. The figure does not account for all attacks, and ignores the huge percentage of incidents in which victims like hospitals or municipal governments elect not to pay, only to invest untold millions of dollars in recovery and restoration efforts.

While international officials are currently working through multiple forums at the United Nations to hammer out more cyber agreements, former diplomats and officials with experience on the world stage suggest that diplomatic efforts won’t be enough to stifle ransomware attacks, especially when countries like Russia and North Korea are widely believed to shelter criminal hacking groups within their borders. For now, experts say changing the status quo must involve finding better ways of taking aim at the entire ecosystem that allows ransomware gangs to flourish.

For those involved in the conversations on what the path to a reduction in ransomware incidents looks like, it has to involve norms, but also diplomacy, law enforcement action, public-private partnerships, creative messaging and signaling and perhaps even culture change.

No more safe havens

Part of the solution will necessarily involve ramping up imposing consequences on digital extortionists. But part of the problem with tamping down on ransomware attacks is that gangs are acting without any apparent consequences, particularly in countries that appear to be offering safe harbor against law enforcement action, says Philip Reiner, the chief executive officer of the Institute for Security and Technology.


“These actors have a sense to them of almost impunity,” said Reiner, who is heading up a new taskforce of researchers and companies, including Microsoft and McAfee, which is focused on combating ransomware globally.

In order to hold ransomware gangs accountable, governments somehow need lean into enforcement and accountability actions, says Marietje Schaake, the international policy director at Stanford University’s Cyber Policy Center and president of the CyberPeace Institute, a non-governmental organization. But that’s easier said than done.

“The fact of the matter is this often blends with intelligence and a question of political will to go after the perpetrators,” said Schaake.

The U.S. Department of Justice pegged the infamous 2017 WannaCry ransomware attack to North Korean government-affiliated hackers known as Lazarus Group, a collective that increasingly has turned to ransomware in recent years, according to Kaspersky research.

Several ransomware gangs are also widely suspected to either have connections with or operate out of Russia. (Researchers don’t typically draw explicit connections between these groups and the Russian government.)


But reports of their continued operation in Russia has raised questions about the future of collaboration on joint efforts to take down ransomware gangs.

“Nation states are either doing it knowingly or unknowingly shielding or coddling or allowing ransomware actors to operate from their space,” Chris Painter, the former top U.S. cyber diplomat, told CyberScoop, adding this lack of clear attribution gives the attackers the advantage.

To aid in conversations with nation-states harboring ransomware criminals, policymakers should prioritize identifying who is backing — or ignoring — hackers launching ransomware attacks, a task that could be achieved through governments issuing their own intelligence assessments on ransomware gangs, said Painter.

Rep. Jim Langevin, the co-founder and co-chair of the Congressional Cybersecurity Caucus, told CyberScoop he thinks governments could do a better job coordinating on ferreting out which nations are giving safe harbor to ransomware actors.

“If the international community can identify areas where a country is clearly looking the other way and it has a concentration of bad actors and they’re not doing enough to shut down these bad actors, there’s a role for international, multi-nation effort to hold nations accountable,” said Langevin, a Democrat from Rhode Island.


While American authorities have unsealed indictments against some suspected hackers, such as two Iranian men accused of orchestrating the so-called SamSam ransomware attack against the city of Atlanta, experts say that security-minded officials should be cautious that indictments of individuals involved in ransomware attacks well after they have been carried may not drive more systemic change.

“We’re way too slow at enforcing … so if we can shorten that time between when something happens and we hit back by way of enforcing norms, imposing sanctions, things of that nature,” that would be ideal, Langevin said.

Shifting infrastructure and culture

Tackling ransomware hackers at the source — their infrastructure — is an increasingly attractive route for joint takedown efforts, experts say. In recent months, law enforcement entities in the Netherlands, Germany, the U.S., the U.K., France, Lithuania, Canada and Ukraine joined up to take control of infrastructure belonging to Emotet, a network of computers controlled by criminals that has led to ransomware infections in the past.

As part of the takedown, police made at least two arrests of alleged criminals involved, according to Wired.


While Emotet is likely to be disrupted, rather than completely eviscerated, the teamwork was evidence that such joint efforts can be successful, even if the task is a tall order. This kind of coordinated takedown moving forward is key to systematically and strategically dismantling ransomware operations, Schaake said.

“Beyond the application of international law and international norms, the main thing has to be enforcement and accountability,” Schaake said.

Political incentives to address ransomware attacks could be shifted moving forward, too, says Painter. The fact that victims of ransomware attacks are reticent to publicize they’ve been hit helps to drive a culture of secrecy in talking about ransomware, which Painter says feeds into how the international community fails to prioritize ransomware discussions.

“The full scope of it has not really been revealed yet because a lot of folks don’t report they’re victims of ransomware,” Painter says, adding the fact that there is still no national data breach notification law compounds the problem. “Even the very high numbers we see in the press are underestimating the scope of the problem.”

The U.S. military and the private sector — U.S. Cyber Command and Microsoft, in particular — have also taken steps in recent months to tackle other infrastructure, the Trickbot botnet, which has previously been used by hackers to deploy ransomware.


But government officials and private sector entities would do well to expand the scope of what kinds of collaboration they invest in to really put a dent in ransomware attacks, experts say.

Multinational efforts could kneecap hackers’ tools, such as the use of malicious hosting sites, or payment processing systems. Chainalysis previously found that hackers sent some 80% of the funds they didn’t launder through mainstream sources through 199 bitcoin deposit addresses in 2020. Scammers’ reliance on a relatively concentrated set of accounts presents an opportunity for investigators, experts told CyberScoop. 

Some experts have suggested that working with cryptocurrency exchanges to ferret out ransomware gangs’ payment streams as a possible solution. The Dutch, who in recent weeks sent messages to ransomware actors on criminal forums warning them against their grift, could serve as an example for other nations looking for creative ways to tackle the problem, experts say.

These kinds of approaches can “seem fairly tactical,” Reiner notes. “But as part of a broader overall strategy to reduce the volume and efficacy of these types of attacks, you have got to address the messaging piece. You have got to address the ease of use that these criminals have seen in these marketplaces.”

Of course, buy-in to reducing ransomware attacks on a global scale has to come from the top, Reiner says.


Discussions about working to abate ransomware incidents on a global scale offer a reminder of the Obama administration’s 2015 deal with Beijing, in which the U.S. and China agreed to not conduct cyber-enabled intellectual property theft against companies in each other’s countries, according to Reiner. The deal did not permanently end China’s attempts to use cyber means to steal American IP, though experts assessed at the time that it led to a temporary drop-off in targeting.

If the Biden administration were to take up ransomware as a serious issue in high-level diplomatic talks — especially where nations may be offering safe haven to ransomware gangs — perhaps some real ground could be gained, as in the case with China and IP theft, Reiner suggested.

Shannon Vavra

Written by Shannon Vavra

Shannon Vavra covers the NSA, Cyber Command, espionage, and cyber-operations for CyberScoop. She previously worked at Axios as a news reporter, covering breaking political news, foreign policy, and cybersecurity. She has appeared on live national television and radio to discuss her reporting, including on MSNBC, Fox News, Fox Business, CBS, Al Jazeera, NPR, WTOP, as well as on podcasts including Motherboard’s CYBER and The CyberWire’s Caveat. Shannon hails from Chicago and received her bachelor’s degree from Tufts University.

Latest Podcasts