After two years of terrorising businesses and governments with apparent impunity, ransomware gangs are finally facing consequences. International stings have led to high-profile arrests and shut down a handful of groups. These busts are sowing doubt and mistrust in the ransomware industry, experts say, and the tide may finally be turning against it. But truly eliminating the ransomware threat requires the cooperation of so-called ‘safe haven’ countries, including Russia and North Korea, which have yet to join in the international crackdown.
Over the past two years, ransomware-as-a-service (RaaS) gangs have terrorised businesses and governments across the world. This year has already been the worst on record, according to security company SonicWall, which has identified 470 million ransomware attacks and 3.9 trillion intrusion attempts so far.
The international nature of the ransomware racket - targets are concentrated in the US, while many of the most prolific RaaS gangs are believed to reside in Russia - has frustrated attempts to crack down. "Given the jurisdiction issues that we have around cybercrime, there are challenges in bringing certain sets of perpetrators to justice," says Will Lyne, senior manager for cyber intelligence at the UK's National Crime Agency (NCA).
Recently, though, the tide has been turning, with a number of high-profile stings disrupting RaaS groups. Twenty-three alleged RaaS group members have been arrested or detained so far this year, according to ENISA, and six gangs have been shut down altogether.
These arrests follow cross-border investigations, such as the recent operation coordinated by Europol, the NCA, and the FBI. The sting, which involved seven other national law enforcement agencies and more than 50 investigators, led to five arrests of high-profile figures and the seizure of $52,000 in cash and five luxury vehicles. In June, an Interpol-led investigation named Operation Cyclone, involving agencies in the US, South Korea and Ukraine, detained six members of the ransomware gang CL0P.
Why ransomware gangs are finally facing arrests
Why are law enforcement agencies finally catching up with the RaaS underground? Attacks on public infrastructure made ransomware a matter of national security, explains Steve Forbes, head of cyber product at UK DNS provider Nominet. “When ransomware started to impact the national economy and things like fuel, food and health, a response was expected from the nations," he explains. "Now we're seeing those governments respond in kind."
Joe Biden has been especially effective in catalysing global cooperation against ransomware, Forbes adds. Last month, the White House coordinated a joint statement by ministers from more than 30 countries, including the UK, recognising the need for "urgent action, common priorities and complementary efforts to reduce the risk of ransomware".
“Some of the new policies Biden’s put in place around cybersecurity definitely had a massive impact," says Forbes. "He hasn't been afraid to take to the global stage and talk about cybersecurity in the same context as other warfare issues.” Similar moves by the EU, G7 and NATO have also helped to foster collaboration, adds Christopher Painter, a former US diplomat and president of the Global Forum on Cyber Expertise Foundation.
Information sharing between the public and private sectors has also been crucial to the ongoing ransomware crackdown, says Forbes. Operation Cyclone was coordinated at Interpol's cyber fusion centre in Singapore using intelligence from companies including Trend Micro, CDI, Kaspersky Lab, Palo Alto Networks, Fortinet, and Group-IB.
"A lot of the research and findings we get around ransomware come from the private sector and from cybersecurity solutions," Forbes explains. "That intelligence feeds into either a national intelligence function or a global intelligence function. This means that these things can be done much, much quicker.”
How are these arrests affecting ransomware gangs?
These globally coordinated busts are turning up the heat on the dark web sites where ransomware services are bought and sold. In May, dark web forum XSS banned ransomware-related activity, saying it "attract[s] too much attention". "Forums that used to host places for these people to sell their wares are no longer allowing ransomware sales... because they’re just getting too much heat from law enforcement," explains Adam Kujawa, director of security provider Malwarebytes Labs.
The busts are also preventing RaaS groups from fulfilling their orders, angering clients and sowing discord in the ransomware industry. Earlier this year, RaaS group DarkSide lost access to some of its own infrastructure, following disruption by an unspecified law enforcement agency. Threat analysis provider Huntress Labs reported that the group's disgruntled affiliates established a "hackers' courtroom" to settle breach of contract disputes.
Sowing this kind of division is an explicit aim of law enforcement agencies, says the NCA's Will Lyne. "[E]xploiting opportunities to sow mistrust and combat between cybercriminals... is an important capability for us as law enforcement to try to degrade the threat," he explains. “These groups are faceless [to us] but they're faceless to each other as well, which is why you see infighting and squabbling between groups. I think we’re seeing shifts in the balance of power in the marketplace.”
Will the ongoing crackdown eradicate ransomware?
Law enforcement agencies have made encouraging progress, but there is little chance that they will eradicate ransomware any time soon, says Forbes. One issue is ‘safe haven’ countries, such as Russia, China and South Korea, which allow cybercriminals to operate within their borders. “If they're operating with impunity from safe havens, you can't get them before a court, you can't impose [any] kind of consequences," says Forbes.
Eliminating ransomware entirely would require the cooperation of these 'safe haven' countries. This calls for pressure from the international community, says Painter. “It has to be in their interest, and their interest could either be in a positive way or fear of negative consequences," he explains. This "requires not just the US and the UK, but a suite of countries acting together.”
The US will continue with its current aggressive stance, Lisa Monaco, deputy attorney general of the US Department of Justice, said in an interview last week. “We are not going to stop," she told the Associated Press. "We’re going to continue to press forward to hold accountable those who seek to go after our industries, to hold our data hostage and threaten national security, economic security and personal security."
Truly eliminating ransomware, however, may require a little more diplomacy.