What You’re Not Hearing about the Ransomware Tsunami

Ransomware is on the rise, up tenfold from 2020 to 2021. The amounts paid in ransom have also jumped in the last year. News headlines declare ransomware to be an “epidemic,” though I don’t think it’s accurate to characterize this invasion of malware as an infection. It’s more like a tsunami – a massive inundation of American computer systems by almost entirely foreign attackers. Victims are paying billions to cybercriminals to get their data decrypted. However, it would be a serious underestimation of the threat merely to think of all of this as a crime problem. Something much more insidious and dangerous is going on. In my view, the ransomware tsunami is nothing less than a sustained, strategic assault on the sovereignty of the United States.


The hidden penetration piggybacking on most ransomware attacks

A ransomware attack involves the penetration of networks and critical digital assets. As cybersecurity professionals are increasingly aware, however, the payment of the ransom and restoration of encrypted data is only the start of recovering from a ransomware attack. It’s a breach. The attackers leave digital implants behind on the infrastructure they target. After the attacker “upholds his end of the bargain,” so to speak, and decrypts the data, the victim is left with dangerous malware still lurking on compromised systems.

As a colleague from Versa Networks explained, “The attacker uses the ransomware to get access to the network and implant broadly. If the root cause of the ransomware attack is not identified, there is a high probability of a different ransomware attack again using the same entry point. The implant of ransomware is a security threat like data theft, identity theft, and crypto mining. Even if you have cleared the impact of the ransomware attack, it is still dangerous for your networks and digital assets that the ransomware might have spread broadly.”

The hard work in remediating the impact of a ransomware attack comes from finding and eliminating the malware implants that have been installed by the attacker. This can be quite challenging, according to experts like Bill Rowan, Technical Director at Skybox Security. As Rowan put it, “Ransomware evolves like viruses, springing up opportunistically to take advantage of changing environments.” He cited an example from last February, when cybersecurity researchers discovered BendyBear, malware that does not leave behind the typical fingerprints for threat researchers to find.

Rowan added, “This BendyBear variant has been described as extremely sophisticated because it can elude detection by using a modified encryption algorithm. Indeed, malware now has means of preventing traditional detection, which means organizations must advance beyond the traditional, reactive scan-and-patch playbook.” Rigorous remediation is, for Rowan, “critical for preventing command and control attacks, which lead to further ransomware exposure.”


Understanding the real threat

What’s actually happening with all these ransomware attacks and the breaches that accompany them? Are businesses and governments simply the victims of a massive crime wave, the bulk of which just happens to be coming from Russia? I don’t know the answer for sure. No one does. Certainly, no one in a position of knowledge or authority is saying much. However, some informed speculation can paint a pretty compelling picture of what’s really going on.

First, let’s deal with attribution. The majority of ransomware malware is Russian in origin, as are the most sophisticated ransomware perpetrators. Chainalysis, the blockchain security concern, reported that 92% of ransomware attacks so far in 2021 used malware created by Russia’s Evil Corp. According to Kaspersky Labs, Russia is where 75% of the world’s ransomware originates. According to Truesec, the cybersecurity firm, the majority of the big ransomware gangs are Russia-based. They cited the Russian Ryuk group, for example, as netting nearly a third of ransoms collected last year.

The sophistication of the attacks suggests that a state actor is involved. The Russian government of course denies any connection to ransomware attacks on the United States. With deniability built into the structure of the attacks, it pays lip service to the idea of rooting out the cybercriminal gangs who perpetrate them. Yet it is curiously lacking in vigor when it comes to doing much about it. It’s possible that the Russian government simply cannot rein in cyber gangs, but a more plausible explanation is that these gangs are operating with the full permission and awareness of the Russian government.

Further to this point, it’s probable that individuals in the Russian government are getting a share of the ransom payments. This would be in keeping with almost every other proven conception of how things work in Russia. An article in the UC Berkeley Political Review put it this way: “Since his rise, Vladimir Putin has incentivized gangsters to do his bidding in a new way. Rather than overt collusion, the Russian government, as ABC puts it, ‘make[s] its views known’ and allows gangs to operate within the guidelines set forward by Putin.” People familiar with the Russian system might also opine that Russians making a billion dollars a year, the estimated haul of Russian ransomware attackers, would be compelled to share their income with Vladimir Putin or his designated cronies.

Additionally, the United States is already engaged in a cyberwar with Russia. The attacks go in both directions, and everyone officially denies it, but Americans tasked with dealing with the problem know exactly what’s happening. They hack us. We hack them. It just seems they’re a lot better at it, as demonstrated by the incomprehensibly damaging SolarWinds attack and others like it. Ransomware would appear to be just another attack front in a broader cyber-geopolitical struggle.

My hypothesis is that the ransomware tsunami is a deliberate, massive and wide-ranging cyber-military campaign to put implants in thousands of critical systems in the United States. The breaches—and the implicit backdoor access they confer—are the reason for the attacks, not the ransom payments. The ransom payment is incidental to the breach. It’s simply how the attacker gets paid for his or her trouble. Indeed, it would cost the Russian military hundreds of millions of dollars to organize and carry out such a complex offensive. Instead, they’re letting the Americans pay for it. The attackers get a financial incentive to carry out the strategy of the Russian military.

The serious implications, if this hypothesis is correct

This is a lot of speculation, I realize. I’m making many assumptions, though they are undergirded by historical experience and expert opinion. I could be wrong, and if I am, then ransomware really is just a crime wave with no basis in geopolitics. If I’m right, though, the question is why Russia would want backdoor access to thousands of American systems.

One answer is simply that they want to gain an advantage in a cyberwar. The more systems you can breach, the stronger your position. This is a basic precept of cyberwar. However, the scale of the ransomware wave suggests a more serious objective, one that might be rewriting the rules of cyberwar day by day.

Thoughtful analysis of cyber strategy posits that cyber weapons—along with cyberwar campaigns—can only have limited strategic value because it is nearly impossible to guarantee a successful breach of multiple systems at the same time. US Naval Academy professor Martin Libicki makes this argument in his excellent book, Cyberspace in Peace and War. Cyber commanders cannot assume that they will be able to penetrate enough systems simultaneously to be confident of achieving a conclusive or long-lasting military objective. At best, they’ll have to settle for a collection of unpredictable and temporary pinpricks against the enemy.

The limited-success paradigm has been the established wisdom for years, but the depth of the ransomware phenomenon should cause cyberwar strategists like Libicki to rethink their assumptions. What if you could, in fact, successfully breach every system you wanted in real time? What if you could, for example, be totally confident you could use cyberweapons to shut off electricity, shut down hospitals, police, fire, schools, local government, digital news media and fuel delivery in a targeted area? That would seem to be the cyberattack capability conferred by the pervasive implants that ransomware leaves behind.


What to do about this

If ransomware is actually a cyberwar offensive, rather than a crime wave, what should be done about it? As Professor Libicki points out, easy answers are hard to come by. The Biden administration is taking action, though treading carefully, at least in what it says publicly. My hope is that it is privately working on the issue with the correct understanding of the attacks’ magnitude and seriousness.

Cybersecurity professionals responsible for defending corporate, government and critical infrastructure networks should also redouble their efforts to identify the implants left behind after ransomware attacks. Smaller entities, such as municipal governments, will need assistance with such difficult work. It should not be an option to continue on as if ransomware is simply a matter of paying ransoms, restoring data and getting back to business. That is a formula for disaster.