NetworkTigers discusses ransomware as a terrorist threat and the Senate Intelligence Committee’s ransomware proposal.
Ransomware trends ebb and flow from quarter to quarter each year. Analysts and security experts attribute changes to the frequency and severity of attacks to factors ranging from an increase in the collaborative, international law enforcement takedowns of major operations to a decreased willingness to give in to attacker demands.
However, ransomware attacks remain a brutal threat to business operations, government agencies, healthcare facilities, and the individuals affected when their personal information is stolen and used against them in phishing attacks or other scams.
The monetary amount ransomware attackers make off with has risen to astronomical proportions, even if the number of successful attacks generally seems to be decreasing.
The first half of 2024 has seen ransomware actors take in a record-breaking $459,800,000 and, if the trajectory continues, the annual total is on track to be the highest yet.
Change Healthcare forked over $22 million to the Blackcat/ALPHV attackers responsible for a February attack and a record-shattering $75 million was paid out by an unnamed Fortune 500 company to the Dark Angels ransomware group.
According to researchers, threat actors now take a more measured approach to their attacks by strategically targeting organizations with enough capital to pay exorbitant amounts of money and the “systemic importance” needed to pressure them into doing so.
The economic damage these attacks cause, combined with the fact that they are often carried out by threat groups that funnel payouts and exfiltrated information directly to adversarial states, has prompted some government officials to propose measures that would equate a ransomware attack to an act of terrorism.
The Senate Intelligence Committee’s ransomware proposal
The US Justice Department had previously elevated the investigation of ransomware attacks to a level similar to acts of terror in response to the one carried out against Colonial Pipeline in May of 2021. A proposal by the Senate Intelligence Committee and sponsored by committee Chairman Mark Warner, D-Va. seeks to be the first law that considers ransomware as a terrorist threat and officially equates ransomware attacks to international terrorism.
Part of the Intelligence Authorization Act for the 2025 fiscal year and using language specific to ransomware attacks, the proposal addresses the damage caused by those responsible by deliberately naming the groups involved and labeling them as “hostile foreign cyber actors.” The proposal goes on to designate countries that shelter and cultivate ransomware gangs as “state sponsors of ransomware” and allow sanctions to be put into place against them. The bill aims to give the US intelligence community greater authority to pursue threat actors by making ransomware a significant national intelligence priority.
Adam Maruyama, former US counterterrorism expert and current field CTO at Garrison Technology, said in a statement made to CyberScoop that “the bill represents an acknowledgment of the economic damage that ransomware is doing to the US and its allies. At the same time, it calls out that there are nation-states in the world, North Korea in particular, who are making significant chunks of their GDP off of being state sponsors of ransomware.”
Proponents of the measure say that the government’s current definition of an act of terror does not measure up to today’s global and cyber landscape. Overall, the bill intends to update what types of actions fall under the umbrella of “terrorism” to accommodate the activities of ransomware operators and the states that act as their beneficiaries and protectors.
The line between a criminal enterprise and a state-sponsored group can be blurry. As described by Ari Schwartz, managing director of cybersecurity services and policy at Venable, “there are entities that are out there that seem to be criminal gangs that are state-sponsored actors. They’re the arm of the state sponsor of terrorism through cyber means… The bill ties it all together, saying, ‘Hey, director of national intelligence and intelligence agencies, this is a national security priority. Go look into ransomware actors.’”
Jon Miller, founder and CEO of Halcyon Security, agreed in a statement made to Computer Weekly that “ransomware operators can walk and chew gum at the same time. While ransomware is lucrative for them, and they need to make money to fund their operations, we should not ignore that many of these attacks are carried out to cause disruption, create doubt, and further geopolitical agendas.”
He goes on to say that “if any state-sponsored actor physically attacked a hospital, water treatment facility, or other critical infrastructure provider, we would not hesitate to call that terrorism. Why should we just because they were cyber attacks?”
While several US agencies handle ransomware attack investigations, officially escalating the level of these threats would give the Federal Bureau of Investigation, the Secret Service, the Cybersecurity and Infrastructure Security Agency, Homeland Security Investigations, and the Office of Foreign Assets Control access to resources previously only reserved for acts of “traditional terrorism.”
What the bill’s opponents are saying
While the Committee’s proposal may seem necessary for the US government to put a damper on and get serious about the prevalence of ransomware attacks, the idea is not without pushback.
Many countries that benefit the most from their domestic ransomware operations are already under US sanctions, causing critics to question the effectiveness of adding more. In truth, it does seem unlikely that a country like North Korea, which is already subjected to international sanctions regarding its weapons development programs to little discouraging effect, would pay any mind to a few more. An argument could be made that the weight of the sanctions against North Korea specifically could be part of the reason why the country depends so heavily on the spoils of cybercrime in the first place.
Critics of the bill also generally agree that sanctions tend to be toothless against countries like Russia and China. These nations have economies strong enough to weather them, and the state entities within them are resilient enough not only to function despite sanctions but also to use their existence to further turn public opinion against those enforcing them.
Maruyama himself also feels that the distinction of terrorism should be applied carefully instead of being used as an all-encompassing designation for any kind of ransomware attack.
“If we’re thinking about attacks that target retail services and outlets, there may be an argument that a nation-state level sanction, particularly if they’re harboring rather than directing the cyber actors involved, could be a disproportionate response to those acts.”
Ransomware as a terrorist threat
Time will tell whether or not the proposal is adopted and, if so, whether or not it truly impacts ransomware actors and the governments that deploy and shelter them. Furthermore, it will be interesting to see if this reprioritization is considered by the other 46 countries that make up the International Counter Ransomware Initiative.
About NetworkTigers
NetworkTigers is the leader in the secondary market for Grade A, seller-refurbished networking equipment. Founded in January 1996 as Andover Consulting Group, which built and re-architected data centers for Fortune 500 firms, NetworkTigers provides consulting and network equipment to global governmental agencies, Fortune 2000, and healthcare companies. www.networktigers.com.
All articles sponsored by NetworkTigers.
