Cybersecurity Experts Call for Stronger Action to Disrupt Ransomware 'Business Model'

A ransomware group leaked files it illegally obtained from the Washington Metropolitan Police Department (WMPD) two weeks after the department announced it had been targeted by a cyberattack.

According to an Associated Press analysis of the files, thousands of which were uploaded Thursday to the dark web, the dump included officer disciplinary records and sensitive intelligence reports.

Washington Metropolitan Police Chief Robert J. Contee III

A Russian-speaking ransomware syndicate called Babuk took responsibility for the attack late last month. WMPD Chief Robert Contee warned employees in an April 28 letter that some "HR-related files with Personally Identifiable Information" were among those taken in the attack, according to a copy of the letter the WMPD shared with Newsweek.

Thursday's data release came amid a crush of cyberattacks reported throughout the U.S. and around the world. On May 7, a cyberattack on the Colonial Pipeline triggered a shutdown, causing panic-buying at gas stations throughout the southeastern U.S. and a nationwide spike in gas prices.

As pipeline operators worked to get the system back up to normal speed, the cyber attackers who claimed responsibility for the hack said they had identified more targets for the future.

Cyber experts are calling for a coordinated effort in the U.S. and among allied countries to prevent and respond to ransomware attacks. In this photo illustration, which is unrelated to the WMPD ransomware attack, a hacker with an Anonymous mask on his face and a hood on his head uses a computer on December 27, 2019 in Paris, France. Chesnot/Getty Images

In Southern California, a healthcare system was also the victim of a cyberattack on May 1 that necessitated the use of offline patient record-keeping for weeks. The healthcare system's website was still down as of May 14.

Other cyberattack targets have included a water treatment center in Florida, a major university system in California and a health system in Ireland. The variety of organizations and locations targeted is part of why a task force assembled to suggest strategies for preventing and responding to ransomware attacks says a coordinated response is needed—not just in the U.S., but among allied countries.


"There needs to be a coordinated effort to disrupt that whole business model," said Michael Daniel, the president and CEO of Cyber Threat Alliance. Daniel is one of the co-chairs of the Institute for Security and Technology's Ransomware Task Force, a coalition featuring cyber experts from the public and private sectors that presented a report detailing strategies for addressing ransomware attacks last month.

"Ransomware is such a big business," Daniel told Newsweek. "It's so lucrative and it's so easy, and the consequences are so small that we really have to change that dynamic."

In addition to having support from companies like Amazon Web Services, FireEye and Microsoft, the task force includes members from the FBI, the U.S. Secret Service and the U.S. Cybersecurity and Infrastructure Security Agency, among others.

Earlier this spring, U.S. Department of Homeland Security (DHS) Secretary Alejandro Mayorkas said ransomware poses a national security threat to the U.S. While delivering introductory remarks at the task force's virtual presentation of its report last month, Mayorkas said the DHS plans to work closely with the task force to "turn its recommendations into action."

One of the task force's strongest recommendations is that organizations targeted by ransomware groups do not pay the demanded ransom.

"From the point of view of any individual company or organization, you can always construct circumstances where it might be in the public's interest in the short term to pay off some of these criminal organizations in order to prevent some of these data leaks," Daniel said.

Daniel told Newsweek it's especially important as more of these attacks come to light that organizations keep their sights set on the long-term goals for handling ransomware attacks.

"What it's really about is, how do you actually disrupt the entire criminal ecosystem so that we do not put businesses—and state and local governments, and police systems, and school systems, and your hospitals—in the position where they have to make that choice," he said.

Another element of the problem is that it is difficult to punish the groups responsible for the attacks, many of which are suspected to be based outside the circle of U.S. allies.

"If we could physically lay hands on you, then you could be indicted—you could be arrested and prosecuted. It's crimes like extortion and fraud, and they carry some pretty serious penalties. These are serious felony offenses," Daniel said. "It's just that, most of the people that are behind these kinds of ransomware efforts are not physically located in the United States, or in any of our allied countries where it's easy to get physical custody of the perpetrators."

Though Daniel said putting diplomatic pressure on countries believed to be harboring cyber threat actors is one approach the U.S. and its allies can take to addressing the ransomware problem, there are preventative measures companies can put in place in the meantime to protect themselves against possible attacks.

These measures include hardening networks and keeping backup copies of files offline, where an intruder who has reached the production network cannot encrypt or delete them. Backups restore availability, but they do not undo the other half of the extortion: data that has already been copied out, as in the WMPD case, can still be leaked. In the event that an organization does fall victim to a cyberattack, Daniel said it should be forthcoming about its experience so responding agencies and groups like the task force can continue to learn from the process.
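An offline backup is only useful if it can be trusted at restore time. The following is an added example, not code from the article, from the task force report or from any of the organizations named here: it records a SHA-256 manifest when a backup set is taken and verifies the copy against that manifest before restoring, so that in-place encryption, deleted files and dropped ransom notes are reported rather than restored blindly. The directory layout, file names and contents are constructed inside a temporary directory for the demonstration.

```python
"""Manifest-based integrity check for an offline backup set.

Added example (not from the article or the Ransomware Task Force report).
All paths and file contents below are constructed for the demonstration.
"""
import hashlib
import json
import os
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each regular file (POSIX path relative to root) to its SHA-256 digest."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_backup(root: Path, manifest: dict) -> dict:
    """Compare the backup tree against the manifest taken when it was written.

    'changed'    : files whose digest differs (the signature of in-place encryption)
    'missing'    : files listed in the manifest but absent from the copy
    'unexpected' : files present in the copy but never in the manifest (e.g. ransom notes)
    'ok'         : True only when all three lists are empty
    """
    current = build_manifest(root)
    changed = sorted(k for k in manifest if k in current and current[k] != manifest[k])
    missing = sorted(k for k in manifest if k not in current)
    unexpected = sorted(k for k in current if k not in manifest)
    return {
        "changed": changed,
        "missing": missing,
        "unexpected": unexpected,
        "ok": not (changed or missing or unexpected),
    }


def demo() -> dict:
    """Constructed scenario: take a backup, store its manifest, then simulate an
    attacker who reached the copy. Returns the verification report."""
    with tempfile.TemporaryDirectory() as tmp:
        backup = Path(tmp) / "backup"
        (backup / "hr").mkdir(parents=True)
        (backup / "hr" / "records.csv").write_text("id,name\n1,constructed example\n")
        (backup / "intel.txt").write_text("constructed sample content\n")

        # The manifest travels with the offline copy; persist and reload it
        # the way a restore job would, rather than trusting an in-memory dict.
        manifest_path = Path(tmp) / "manifest.json"
        manifest_path.write_text(json.dumps(build_manifest(backup), indent=1))
        stored = json.loads(manifest_path.read_text())
        assert verify_backup(backup, stored)["ok"]  # pristine copy verifies cleanly

        # Simulated compromise: one file overwritten with random bytes standing in
        # for ciphertext, one deleted, and a ransom note dropped into the tree.
        (backup / "hr" / "records.csv").write_bytes(os.urandom(64))
        (backup / "intel.txt").unlink()
        (backup / "README_RESTORE.txt").write_text("constructed ransom note\n")

        return verify_backup(backup, stored)


if __name__ == "__main__":
    print(demo())
```

The manifest must live with the offline copy (or somewhere the attacker cannot rewrite), because a manifest that sits beside the live data is as exposed as the data itself; a digest-only check also says nothing about whether the backup can actually be restored, which still has to be exercised periodically.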

An unknown person was able to steal $2.8 million from a shared digital "vault" on Yearn.Finance, a service that allows users to deposit their funds in collective digital pools. Vault funds are then used in other "decentralized finance" (DeFi) offerings with the goal of generating additional earnings for the vault's depositors. peshkov/Getty

On an international level, the task force also recommends heightened regulation for cryptocurrencies, which Daniel described as "the oxygen that makes the ransomware market thrive."

"If they want to be legitimate, they're going to have to join the international financial system," Daniel said of cryptocurrencies. "If you start to put more visibility and controls on those cryptocurrencies, then the bad guys won't be as able to get their money out."

With the recent surge of reported cyberattacks, Daniel said it will take a unified and multi-pronged approach to limit the success of ransomware incidents.

"From a long-term, broad social standpoint, we really do not want organizations paying ransoms, because we're fueling a criminal enterprise," Daniel told Newsweek.

"The problem is not going to just solve itself, and there is no magical technical solution," he said. "It is going to take a concerted effort to address this problem."