IDSA COMMENT

You are here

Countering the Menace of Ransomware

Dr Cherian Samuel is a Research Fellow (SS) at Manohar Parrikar Institute for Defence Studies and Analyses, New Delhi. Click here for detailed profile.
  • Share
  • Tweet
  • Email
  • Whatsapp
  • Linkedin
  • Print
  • October 22, 2021

    Even as the pandemic was wreaking havoc worldwide through the course of the past year, the ransomware gang REvil was doing the same in cyberspace, locking up computers of multiple companies and government organisations, mainly US-based, till they coughed up a ransom, to be paid through cryptocurrency.1 REvil operations ceased briefly after their websites and infrastructure were disabled by the US government agencies in July 2021, but reappeared soon afterwards. According to the news reports, they have again been taken down through US-led operations with multiple countries.2

    Since assuming office, the Biden Administration has undertaken a number of domestic and international initiatives on cybersecurity, and specifically ransomware, from bringing it on the agenda in the NATO and G-7 summits held in June 2021, discussing the issue with President Putin at the Geneva summit in the same month, to taking action, such as the one detailed above, against ransomware actors and cryptocurrency exchanges through its domestic law enforcement and judicial agencies. This also follows on the large number of ransomware attacks the US has faced in recent years—an estimate by the Treasury Department found that at least $ 400 million had been collected by way of ransomware by actors mainly based in Russia.3

    In a precursor of sorts to the latest action, the US National Security Council held a virtual Counter-Ransomware Initiative Meeting at the White House on 13th and 14th of October 2021. Thirty-two countries were invited to the meeting with the notable exception of Russia. Nonetheless, the United States maintained that this meeting was not targeted against any one country and that they in fact had an existing arrangement with Russia to discuss these issues.4 The goal of this particular meeting was to get international partners together to give an outline of US’ ransomware efforts and to work together to eradicate this scourge.

    US’ efforts have centred around four pillars, the first being to disrupt the ransomware infrastructure and actors. Unilateral actions taken in this regard have included sanctioning cryptocurrency exchanges. The second strategy has been to identify the vulnerabilities which enable ransomware actors to take control of computers, especially those controlling critical information infrastructure and other critical networks. The third strategy has been to intensify efforts to trace ransomware payments, and the fourth, using diplomatic means to address the issue. To highlight that this was not a unilateral effort, four countries led discussions on these issues, these being India for national resilience, Australia for disruption, the UK for countering illicit finance through virtual currency, and Germany for diplomacy. At a background briefing, a senior administration official took pains to emphasise that there was no favouritism or other consideration on the basis of which these countries had been selected and that it was mainly the outcome of many factors including availability and logistics. This was only the first of a series of such meetings planned.5

    As far as the outcome of the meeting is concerned, the Joint Statement released on 14 October 2021 noted that the participating countries had taken note of the “need for urgent action, common priorities, and complementary efforts to reduce the risk of ransomware”.6 Such efforts would include “improving network resilience to prevent incidents when possible and respond effectively when incidents do occur; addressing the abuse of financial mechanisms to launder ransom payments or conduct other activities that make ransomware profitable; and disrupting the ransomware ecosystem via law enforcement collaboration to investigate and prosecute ransomware actors, addressing safe havens for ransomware criminals, and continued diplomatic engagement.”7

    On resilience, the emphasis was on information sharing and best practices. On illicit financing, much of the recommendations centred around using the existing mechanisms for anti-money laundering effectively to combat the use of virtual currencies for ransomware. Recognising that ransomware emanated from identifiable countries, the statement called for taking appropriate steps to counter cybercriminal activity by impressing on countries not to allow the use of their territories for criminal activities and eliminating safe havens for those conducting such disruptive and destabilising operations. As a variation of “all means necessary”, the statement noted that countries could use “all national tools available in taking action against those responsible for ransomware operations threatening critical infrastructure and public safety”.8

    The diplomatic tools outlined were a mix of coercive and cooperative diplomacy. States were to be “encouraged” to take “reasonable steps to address ransomware operations emanating from within their territory”. Coordinated sanctions or “naming and shaming” actions of the type that have already been taken by the US and its allies seem implicit in the commitment to “leverage diplomacy through coordination of action in response to states whenever they do not address the activities of cybercriminals”.9 On the whole, this was an effort to endorse US’ approach towards combating ransomware.

    The Counter-Ransomware Summit has been an attempt to move out of its comfort zone of close allies and mobilise a larger group of countries to discuss ransomware. Despite being the world’s foremost cyberpower, the US has been a laggard when it comes to cooperation in cyberspace, and has preferred sticking to its long-established positions in fora like the UN, and steering behind the scenes in fora such as the ASEAN. As the well-known author and analyst John Arquilla wrote recently, right at the dawn of the cyber age, when Russia was interested in establishing rules of the road for cyberspace, the US demurred from doing so because it did not see it in its interest to be constrained by rules.10

    Whilst this is a good initiative, it remains to be seen whether this is any different from existing efforts or will lead to real outcomes. Actions such as the one against REvil can only be taken by countries with the heft and capabilities of the US and is not a long-term solution to cyber-criminal activities, state-backed or otherwise. It is also at cross-purposes with principles such as sovereignty and jurisdiction which the US has sworn to uphold as the lynchpin of the current world order. Initiatives such as this might work better if all major cyberpowers are brought on board, and more concrete proposals put on the table. Other fora like the BRICS, for instance, have gone beyond summitry to holding workshops on cybersecurity issues, for instance, India hosted a BRICS seminar on “Misuse of Internet for Terrorist Purposes and Role of Digital Forensics in Terrorist Investigations” in April and a workshop on Digital Forensic Analysis in September this year. Ironically enough, even though the actions against REvil were undertaken by Cyber Command only after a determination by the US Justice Department that ransomware attacks on critical infrastructure should be treated as a national security issue akin to terrorism, there was no discussion on terror groups’ use of ransomware and cryptocurrency during the meet.11

    Views expressed are of the author and do not necessarily reflect the views of the Manohar Parrikar IDSA or of the Government of India.

    Top