Here’s why ransomware attacks aren’t going anywhere

Identifying the culprits often isn't as big an obstacle as apprehending them.
13 July 2021


  • Bringing ransomware attackers to justice is a complex process that can take years, with no guarantee of a successful outcome
  • The US Department of Justice has indicted Russian ransomware actors, but struggles to apprehend them

During this year’s Geneva summit, US President Joe Biden and Russia’s President Vladimir V. Putin explicitly discussed a number of cybersecurity topics and made vague agreements to create joint cybersecurity task forces. Biden himself, however, appeared noncommittal after the summit when asked whether there had been any ultimatums between the two about ransomware attacks: “Are they going to act? We’ll find out.”

That was last month. The situation escalated, however, when the two leaders spoke by phone last Friday, in the wake of more attacks by alleged Russian cybercriminals. In his starkest warning yet, Biden told Putin that the attacks would no longer be treated only as criminal acts but as national security threats, and thus may provoke a more severe response, administration officials said.

In short, Biden warned Putin that time was running out for him to rein in the ransomware groups striking the US, indicating that this could be Putin’s final chance to take action on Russia’s harboring of cybercriminals before the US moved to dismantle the threat. The warning came after Russia-based hackers carried out the largest known ransomware campaign to date, affecting between 800 and 1,500 small businesses.

Why is it so tough to halt ransomware attacks?

The ambiguity involved in the latest ransomware attacks has not helped diplomacy. The Biden administration is uncertain if the culprits are controlled by the Kremlin, yet it insists Putin is responsible for stopping the strikes if they are carried out on Russian soil. While the US and Russia have long sparred over state-sponsored attacks — including the SolarWinds espionage operation by Russia’s elite S.V.R. intelligence agency, or the Russian military intelligence unit’s hacking of the Democratic National Committee and its release of embarrassing emails in 2016 — ransomware attacks are another beast entirely. 

Recent research from endpoint security vendor Cybereason examined the short- and long-term effects of ransomware in a survey of 1,263 infosec professionals from the US, United Kingdom, Spain, Germany, France, United Arab Emirates, and Singapore. One of the most significant findings was that 80% of organizations that paid a ransom demand experienced a second attack.

Worse, of those who experienced repeat ransomware incidents, nearly half believed it was at the hands of the same attackers, while 34% thought the second attack was perpetrated by a different set of threat actors. Over the past 18 months, the severity and frequency of ransomware attacks around the world have morphed from a consistent problem into an urgent crisis.

Attacks on critical infrastructure and supply chains have painted a dire picture of just how far ransomware attackers will go to make money. Yet, tracking down the culprits often isn’t as big an obstacle as apprehending them, and acting on that information typically requires international cooperation. 

The downside, though, is that Russia does not have an extradition treaty with the US and seemingly goes out of its way not to help. The US has extradition treaties with more than 100 countries, but there are dozens more, including Russia and China, with which it does not. In fact, the Department of Justice didn’t bother asking for assistance from Russian law enforcement in tracking the Colonial Pipeline hackers, according to John Demers, the assistant attorney general for US national security.

In essence, if the ransomware attackers are based in a different country, US officials must pursue international cooperation and diplomacy, which can further slow down and complicate the prosecution process. That is also perhaps part of the reason the Biden administration is stepping up its effort to finalize a government-wide strategy on how to respond to ransomware attacks, with the National Security Council working to coordinate a plan of action in recent days.