Congress Needs To Get Over Corporate Ransom Payments

If there was one thing that Congress wanted to hear about from Colonial Pipeline CEO Joseph Blount in his testimony last month it was ransoms. How much had his company had paid to the Darkside ransomware gang to get access to a data decryption tool, the Senators wanted to know. When did Colonial pay the gang and how? Had they considered the legal ramifications of a payment? And, above all, who told them to pay it? Was it the FBI? Or someone else?

Wrong Question

Those are the wrong questions. Asking whether- and when to pay a ransom is a distraction: a contentious debate with little practical value to anyone concerned about the ransomware scourge.

So too the proposal to outlaw ransomware payments. For one thing, outlawing ransom payments will do nothing to stem the tide of ransomware, any more than outlawing alcohol in the early 20th century stopped people from boozing. As with Prohibition: banning ransoms in an effort to stop ransomware attacks confuses cause and effect in a way that ends up hurting everyone. It’s also deeply impractical, as many of those paying ransoms have few other options to recover.

Data from the anti-malware firm Sophos suggests that just shy of a third of all ransomware victims (32%) paid the ransom to restore access to their IT systems in the last year.  Decisions to pay ransoms can hinge on a number of factors, including whether the victim organization has cyber insurance, the quality of their data backups, and the estimated costs of the system outage - factors that are echoed in statements by CEOs at both Colonial and JBS.

Accountability. All Around.

The key to ending the scourge of ransomware isn’t preventing organizations from paying ransom. It is demanding accountability, both from the perpetrators of the crimes and from their targets. For criminal gangs like Darkside, REvil and Ryuk: governments and law enforcement organizations need to work together to bring criminal actors to justice. The recent arrest in Ukraine of members of the Cl0p Ransomware gang suggests that, after years of inaction, the long arm of the law is starting to reach these criminals where they live and operate.

However, if the international community hopes to prod countries like Russia, China, Iran, Nigeria or North Korea to stop providing cyber criminal groups safe harbor to operate, it needs to cooperate and impose severe costs on those nations for their support of criminal gangs, not just for cyber attacks linked to state affiliated groups. To think otherwise invites a return to the kind of sanctioned chaos that characterized the 16th century “Spanish Main,” where pirate ships carried out criminal raids, insulated by “letters of mark” from European monarchies allowing them to act on their behalf.

The Biden Administration clearly gets this. In his recent summit with Russian Prime Minister Vladimir Putin, President Biden made it clear that Russia’s official indifference to ransomware gangs that operated from within its borders was unacceptable and could invite more U.S.-led sanctions on Russian businesses and individuals.  Less than a month after that stern warning, however, the limits of a diplomatic approach to ransomware were clear, as U.S. businesses faced another massive ransomware attack at the hands of a Russia-based group, REvil.  

Raising the Bar

If neither more international cooperation nor diplomatic pressure are enough to staunch ransomware attacks, what is left? Why not start with a better defense?  

Even as we rally allied nations to coordinate takedowns of ransomware groups and coordinate sanctions on their sponsor nations, we can’t ignore the single biggest weapon we have: better cyber defenses. Raising the bar for cyber adversaries won’t just prevent some ransomware attacks. It will also change the economics of the ransomware business, making it less profitable and, thus, less attractive.

What kinds of things are we talking about? Really: the basic ‘blocking and tackling’ of enterprise defense would do wonders. Take patching (please!) Numerous reports have observed that ransomware gangs’ habit of exploiting known, but unpatched vulnerabilities in common platforms to gain a foothold on victim networks. REvil, for example, regularly exploits CVE-2018-8453, a flaw in the Windows Win32k component that was patched in October 2018 and should have been removed by companies years ago. Similarly, a critical flaw in the Pulse VPN software is still being exploited by ransomware groups, almost two years after its initial discovery. So simply “encouraging” (or mandating) timely patching of critical IT systems by firms could pay large dividends to our society by closing off easy avenues of compromise that cyber criminals currently travel.

Then there’s user authentication. The recent Colonial Pipeline attack is an excellent example of how poor user access controls lead to cyber incidents that escalate quickly. As we learned when Colonial Pipeline CEO Joseph Blount testified before the US Senate in June, the breach of that company began with an attack on a vulnerable remote access account. The outdated VPN server through which the Darkside ransomware group initially accessed Colonial’s network didn’t support two-factor authentication. It had also escaped notice by the company’s IT team and penetration testers, where a valid password was stuffed in to great effect.

DarkSide, the group responsible for the Colonial Pipeline attack was known to prey on vulnerable remote access accounts, such as those used by contractors and third parties to access Virtual Desktop Infrastructure (VDI). As noted elsewhere, DarkSide also follows a common playbook for sophisticated criminal- and nation-state attackers: “living off the land” with dual-use and post-exploitation tools like psexec, and Mimikatz and targeting Active Directory and Kerberos to gather detailed information about users, groups, and privileges before taking over with administrative rights.

Work the Problem

As I have observed elsewhere, the “silver lining” of ransomware (if there is one) is that it has exposed the vulnerability of IT infrastructure in the private and public sectors at scale and in a public fashion. With the advent of ransomware “dox” sites, victims can no longer sweep the evidence of their failings under the rug. Indeed, ransomware attacks are forcing defensive improvements faster than any policy initiative.

Cynically, the ransomware epidemic is a kind of decentralized, cross-sector red teaming exercise that we have outsourced to organized crime acting as a digital mob . That wasn’t such a smart idea, but the least we can do as a society and a civilization is to actually take up the findings of that red team exercise that groups like DarkSide have delivered to us and begin to “work the problem,” as the saying goes.

The IST Ransomware Task Force report recommends that governments take a more active role in supporting companies as they deal with ransomware. For example, governments could provide more funding for agencies like the Cybersecurity and Infrastructure Security Agency (CISA) to respond to ransomware-related inquiries from the private sector. Some combination of additional staff and improved technology could allow CISA, the FBI or other agencies to provide a kind of concierge or ombudsman service to private-sector entities seeking guidance on ransomware-related questions, the report noted.

Senators should abandon the archaic notion that “government is the problem” - notes of which can still be heard in hearings like the recent Colonial Pipeline testimony of CEO Blount. We need to embrace the idea that governments have a role to play not just in investigating crimes and pursuing criminals, but in protecting the public proactively by ensuring that critical infrastructure is resilient to cyber attacks and that the owners and operators of that infrastructure are following best practices and well apprised of the risks they face. Only when our elected leaders and our government embrace that bigger vision of security -and their role in keeping us secure - will we make progress against ransomware groups and other online threats.

The most important step is disclosure, as the old adage holds true in cyber that sunlight remains the best disinfectant. Companies and government agencies need to be required to report about “incursions” not just “breaches.” Without this, prescriptive cyber regimes of compliance and standards amount to little more than hot air.