The actions, which temporarily took down REvil, raise questions about using the military to combat ransomware.
Over the weekend, Gen. Paul M. Nakasone, the head of U.S. Cyber Command and the National Security Agency (NSA), confirmed what most cybersecurity specialists already knew: The U.S. military has engaged in offensive measures against ransomware groups. These actions were undertaken to stem the alarming and growing tide of ransomware attacks that have hit U.S. industry, notably Colonial Pipeline in May, and have afflicted hundreds of healthcare and educational institutions.
In October, Cyber Command, in conjunction with the Secret Service, FBI, and allied nations, diverted traffic around servers used by the Russia-based REvil ransomware group, forcing the group to disband, at least temporarily. Among other attacks, REvil targeted the world’s largest meat processor, JBS, in late-May, disrupting meat production for days. Cyber Command and NSA also helped the FBI and the Justice Department seize and recover 75 bitcoins worth more than $4 million that were part of the cryptocurrency ransom Colonial Pipeline paid.
Nakasone said the attacks on Colonial Pipeline and JBS impacted critical infrastructure. “Before, during and since, with a number of elements of our government, we have taken actions and we have imposed costs,” Nakasone said. Cyber Command’s first anti-ransomware effort occurred in 2020 when the military arm worked in parallel, but not in a coordinated fashion, with Microsoft to take down the Trickbot network.
Questions on whether actions are effective or appropriate
With all this increased military effort, part of a multi-pronged, whole-of-government approach by the Biden administration to counter the ransomware surge, the question remains whether covert, military-aided cyber responses have helped deter ransomware actors from further ransomware aggression.
National Security Council officials have said that ransomware gangs are on the run and attacks are on the downswing, although the FBI is not optimistic the ransomware tide has turned. In addition, cybersecurity and Infrastructure Security Agency Director Jen Easterly has said that Russia, which harbors and tacitly supports criminal ransomware gangs, hasn’t changed its behavior since early July when President Biden warned Russian President Vladimir Putin that time is running out to crack down on those gangs.
Another uncertainty is whether the U.S. military should take actions against ransomware operators, given that their attacks do not mostly stem from nation-state adversaries, nor are they part of an ongoing conflict or war. Jason Healey, senior research scholar and adjunct faculty at Columbia University’s School for International and Public Affairs and president of the Cyber Conflict Studies Association, wrote last April that “It is simply not in the model of U.S. civil-military relations to allow the military to have such far-reaching powers, especially when there isn’t a raging military conflict.”
Some ransomware actors are beyond law enforcement’s reach
“I don’t think that’s [Cyber Command targeting ransomware actors] a bad thing,” Chris Painter, former head of the State Department’s cybersecurity office, co-chair of the Institute for Security and Technology’s Ransomware Task Force, and currently president of the Global Forum on Cyber Expertise, tells CSO. “If ransomware is, and I think it is, a real national security threat because of the disruption of critical infrastructure, we need to use all the tools at our disposal, including criminal enforcement, which we’re doing, the economic sanctions, which Treasury is doing, and even the cyber operations tool.”
“The reason [Cyber Command’s actions] may be appropriate in this case is two things. One, international security. This is not just an ordinary criminal threat,” says Painter. “And, two, some of these actors are just simply beyond the reach of our normal law enforcement powers. So, I do think it’s one of the arrows we need to have in our quiver, and we need to use it in appropriate circumstances.”
“I do think there’s a difference between a cyber military action and a kinetic military action,” Allan Liska, intelligence analyst at Recorded Future, tells CSO. “As much as we may joke about drone strikes against ransomware groups, that’s not what the military should be doing. But I do think if the military has the ability to take systems offline and so on and, for whatever reason, the FBI can’t do it, or other law enforcement agencies can’t do it, I don’t see any problem with that.”
Regarding whether Cyber Command’s actions will result in a diminution of attacks, Liska thinks they could have an impact in the long run. “Suddenly, there are costs, if not necessarily enough to start deterring attacks, at least to make some of the ransomware groups think twice. If this continues, if we can keep this momentum up, eventually it will start to deter ransomware actors.”
Some ransomware attacks already on the downswing
Signs are emerging that some ransomware attacks are already decreasing, Liska says. “We’re seeing a downward trend in ransomware attacks against healthcare. Ransomware attacks against healthcare providers are actually down in the second half of 2021.” He also says we’re starting to see the number of attacks against schools going down, even as attacks against manufacturing companies are going up.
On the flip side, the number of ransomware attacks in Germany and France is rising. “In other countries that may be not as been as vocal about going after ransomware groups, we’re starting to see more attacks there in the second half of 2021.”
Painter says the lack of consensus among government officials over whether Biden’s crackdown on ransomware actors is working may be due to a lack of good data. “I don’t think anyone has all the data yet. Even when a ransomware group goes quiet, they just may be reconstituting,” he says. “It’s hard to measure the long-term. We’re still seeing lots of ransomware activity.”
Biden and Putin to talk ransomware today
U.S. President Joe Biden and Russian President Vladimir Putin are scheduled to talk via video call today, mainly about the impending border crisis in Ukraine. However, White House Press Secretary Jen Psaki said cybersecurity is also on the call’s agenda. “We can also walk and chew gum at the same time,” Painter says about the prospect of the world leaders tackling two such ambitious topics on the same call.
Liska’s advice to Biden on ransomware is “the same as it has always been.” Biden should reiterate with Putin, “If you’re going to allow them to operate, if you allow them to continue to operate and you’re not willing to take any action, then we may be forced to take some sort of action, whatever that would look like.”
