31 May 2023

It’s Time for the United States to Adopt a New Strategy to Combat Ransomware

Kyle Fendorf Natasha White

Offensive cyber operations have become an increasingly large part of doctrine among Five Eyes members in recent years, as states have grappled with how to deal with the threat of state-backed hackers and increasingly capable ransomware groups. A recently released strategy from the UK National Cyber Force, or NCF, discusses how London is taking a new approach to conducting offensive cyber operations with a focus on disrupting information environments. This new strategy introduces what the NCF calls the “doctrine of cognitive effect,” aims to “change adversary behavior by exploiting their reliance on digital technology,” and conduct offensive cyber operations with the goal of limiting an adversary’s ability to collect, distribute, or trust information.

As the FBI and other U.S. agencies seek to tamp down the threat of ransomware, they should adopt cognitive effect as part of their campaign against operators and affiliates.

Successes to Date

Over the past few years, Washington has tried a number of strategies in a bid to slow the growth of ransomware but has nonetheless struggled to find an effective deterrent. It has indicted individual hackers and sanctioned firms and organizations that supported criminal gangs. These efforts, however, have largely failed either because they were not applied consistently, ransomware groups easily adapted to the measures, or, most importantly, because said groups operated beyond the reach of Western law enforcement agencies. In response, the United States and some of its allies have taken a new tack against ransomware groups by pledging to use offensive cyber capabilities.

The turn to offensive operations manifested itself recently as the U.S. Department of Justice (DoJ) and the FBI announced in late January that they discretely gained access to the systems of Hive—a ransomware group that stole over $100 million from organizations across the globe in its first year of operation alone and ranks among the most prolific such outfits over the last two years. The DoJ and FBI’s successful intrusion into Hive’s systems went on for over a year, allowing government operators to seize decryption keys and distribute them to victims. Likewise, the authorities also took down the dark web site used by Hive to shame victims and leak stolen data when organizations refused to pay a ransom.

The Hive takedown was not a one-off operation either, as the FBI and DoJ have also taken down cybercrime hubs like RaidForums, Genesis Market, and BreachForums, and arrested some of the administrators of these operations.

Yet Washington can go further with this by taking advantage of existing fractures in ransomware groups and creating new ones that can be exploited.

Hunting Big-Game Hunters

Most of the ransomware attacks against U.S. infrastructure come from groups known as big game hunters, who specialize in attacking large businesses with high-value networks that cannot sustain much downtime in their systems. The structure and hierarchy of these groups have become increasingly visible in the past two years as threat analysts have infiltrated the groups and disgruntled members have leaked internal chat logs and documents. The emerging picture provided by these leaks and the work of threat analysts points to major organizational weaknesses in these entities.

Take for example the ransomware group Conti. It is a network of about seventy individuals who know each other by their usernames. The group functioned like a small business, hiring employees for their skillset and then assigning them to teams where they worked on specific parts of their ransomware toolkit. Leaked chat logs reveal tension at the bottom of the group over low wages, long hours, and poor working conditions. This worker dissatisfaction drove frequent turnover at lower-level positions, with openings advertised on several cybercrime forums and little vetting for new hires.

Conti was not alone in having problems with morale and paranoia. The cybercrime group TrickBot is another illustrative example. The Conti leaks, which were released on February 27 after Conti came out in support of Russia’s invasion of Ukraine, spurred TrickBot to completely uproot its operation, migrating all of its employees to new forum accounts, phones, computers, and encrypted chat services. This switch was not enough to save TrickBot, as a leaker began posting files, messages, cryptocurrency wallet addresses, and IP addresses used by the group on March 4.

As such, ransomware groups are quite conscious of the threat that governments’ turn toward offensive operations presents. LockBitSupp, the leader of the ransomware gang LockBit, said that targetting ransomware gangs’ infrastructure is “the most effective way to deal with [big-game hunters],” as it provides a useful method to steal decryption keys, take down servers, and collect intelligence on the operators behind ransomware groups. This is an effective approach and would be even more so if paired with a strategy of using cyberattacks to destabilize the information environment ransomware groups operate in.

There’s less visibility into the reaction to the Hive compromise, but it’s reasonable to assume it had a tangible impact on the operations of other ransomware groups, seeding further paranoia and forcing them to turn away from their usual work of attacking others’ networks to deal with the security of their own.

Adopting the Doctrine of Cognitive Effect

The days of the lone hacker are over—as the leaks from Conti and Trickbot show, modern ransomware groups operate like businesses. The broader ransomware ecosystem is defined by connections as well, where members frequently cooperate on forums, move between organizations, and bring old habits to their new workplaces.

The organizational complexity of ransomware groups and the weaknesses outlined above thus makes the use of offensive cyberattacks for cognitive effect especially useful in combatting ransomware. Cutting off or restricting the flow of information is a great strategy to sever the networks of people that ransomware groups depend on to make and deploy their tools and find their targets.

The Biden administration committed itself to disrupting and dismantling threat actors as part of its National Cyber Strategy. Adopting the doctrine of cognitive effect is the best way to distract ransomware groups from their usual mission of causing havoc in a sustained manner.

Kyle Fendorf is the research associate for the Digital and Cyberspace Program at the Council on Foreign Relations.

Natasha White is a student at the University of Rochester.

No comments: