If you have read our Digital Security Magazine article The impact on ransomware attacks on business, you will already be familiar with the following statistics:
- The frequency of businesses falling victim to ransomware attacks is predicted to reach every two seconds by 2031
- Ransom payment demands are constantly rising, with an 8% increase in 2022
- 80% of companies that paid a ransom were attacked a second time
Not only has the number of attacks increased over the years (as has the ransom demanded) but even if organizations decide to pay, they are unlikely to get their data back and are likely to be targeted again.
So, what is there left to discuss when it’s clear that paying the ransom is a no-win situation? Well, there are two key aspects, specifically:
- How to prevent ransomware from infiltrating your organization in the first place by implementing the best anti-ransomware defenses. You can read all about this in our article: A comprehensive approach to ransomware defense.
- How to utilize the ransomware protection that governments and law enforcement agencies can provide through different measures and initiatives. This article aims to cover this very aspect.
What is a ransomware attack and how does it work?
Ransomware is a type of malware that encrypts the victim’s files and demands payment in exchange for the decryption key. You will see a message on your screen asking you to pay to recover your data. Quite often, payment is requested in cryptocurrency like Bitcoin, since cryptocurrency provides anonymity and a lack of traceability.
How do governments help combat ransomware?
Providing guidance and resources
There is no shortage of information on the internet about how to protect against ransomware. In fact, CISA, NCSC and ANSSI all provide guidance on:
- How to protect against ransomware in the first place by implementing a defense-in-depth approach and cyber crisis management exercises.
- Steps to take if your organization is already infected, such as immediately disconnecting the infected computers.
Some national authorities also advise or require reporting the incident, for example under the NIS Directive, the proposed Cyber Resilience Act and the US Critical Infrastructure Act of 2022. Some countries like Australia and the United Kingdom have developed special websites where you can report ransomware attacks. In the US, CISA’s dedicated Stop Ransomware webpage states that organizations should report ransomware attacks to federal law enforcement authorities, such as IC3 or a Secret Service field office, or provide information to CISA through their reporting forms.
It is important to note that most government agencies recommend against paying ransoms, emphasizing that there is no guarantee that the data will be returned in any case — whereas paying contributes to the financing of the cybercrime rings. Organizations, however, are likely to pay when they do not know who else can help them. In addition, these government websites don’t always clearly explain how to get help from national authorities when an organization or individual is under attack.
Cybermalveillance.fr offers to connect ransomware victims with certified private service providers, but it’s not clear how fast this help is provided. The same goes for NCSC, which runs a commercial scheme called Cyber Incident Response, where certified companies provide support to affected organizations. Australia provides more direct assistance through a 24/7 hotline.
Disruption and enforcement
Resources, guidance and assistance from government entities are all vital to help organizations prevent ransomware from infiltrating their infrastructure, and dedicated webpages like those created by CISA are quite helpful. But in the context of this rising threat, governments have been struggling with how to respond most effectively.
It is interesting to note that, following a series of ransomware attacks in the United States targeting critical infrastructure like the Colonial Pipeline, the ransomware threat shifted from a law enforcement matter to a national security one.
The Biden administration in September 2021 presented a strategy around three key steps:
- Attempting to disrupt criminal networks and virtual currency exchanges responsible for ransomware laundering. On September 21, 2021, they sanctioned Suex, a virtual currency exchange suspected of facilitating financial transactions for ransomware actors.
- Encouraging improved cybersecurity across the private sector – helping you build the effective defenses that are vital in ransomware prevention.
- Increasing incident and ransomware payment reporting to US government agencies, including both treasury and law enforcement agencies. In the context of the Hive takedown, FBI director Christopher Wray said that “only 20% of Hive victims reported their attacks to authorities,” indicating that we still have a long way to go before every victim reports a ransomware attack.
On the other side of the Atlantic, the French National Cybersecurity Agency ANSSI has partnered with France’s Ministry of Justice to publish a comprehensive ransomware guide. It includes recommendations on how to strengthen your defense and respond to an attack, as well as what to do after being attacked, stressing the importance of filing a complaint. Filing a complaint is necessary to launch an investigation, potentially to decrypt the altered data, but also to identify the perpetrators.
There is also an initiative led by the French Ministry of Economics and Finance to compensate victims for ransom payments through an insurance scheme, under the condition that the victim has filed a complaint. Although intended to encourage the filing of complaints, some argue that it will instead encourage the payment of ransoms. According to Catherine Pignon, Director of DACG, filing a complaint enables the identification and arrest of perpetrators, ensures justice for the victims and helps end the sense of impunity among ransomware gangs.
This sense of impunity is quite significant given the nature of their crimes. They are remote, difficult to track and not restricted by borders, making it difficult for law enforcement authorities to not only identify the perpetrators but also bring them to justice.
In 2021, the United States launched the International Counter Ransomware Initiative, an intergovernmental coalition that unites over 30 countries and the European Union to develop a collective and coordinated approach to counter ransomware. At its second summit, the partners made a commitment to use all appropriate tools at their disposal to hold ransomware actors accountable, combat their ability to use the proceeds from ransomware, disrupt their operations and bring ransomware actors to justice. This demonstrated the urgency of sharing a common commitment and working together across borders to address the motive and sense of impunity of ransomware gangs.
The success stories of law enforcement authorities as a result of international cooperation in the last few years demonstrate the importance of nations working together to protect organizations against ransomware. The recent takedown of the Hive ransomware group was the result of cooperation between the US, Europe, Germany, the Netherlands, Lithuania, Portugal, Canada, Romania and other nations. Such takedowns can make ransomware groups nervous, especially when they have been infiltrated. Ultimately, servers are replaceable, so the key to destroying the sense of impunity that exists among today’s ransomware gangs is to bring them to justice, one by one.
The importance of governments and law enforcement authorities in ransomware prevention and protection is undeniable. They provide resources, guidance and assistance in the event of ransomware attacks, and facilitate incident reporting to understand the scale of the problem. They can also take measures at the national and international levels to impact the motives of attackers and break the impunity cycle. All of these are part of the story, and contribute to reducing the impact of ransomware on organizations.
About the author
Head of institutional partnerships, events and communication
Laurence has held several roles in the European parliament as political advisor, working on regulations related to the digital single market (GDPR, e-privacy, contract law, etc). In her last position at the ANSSI (French national cybersecurity agency), Laurence was European and International Policy Officer, managing the international relations of ANSSI on cybersecurity key topics such as Cloud, IOT, 5G. At Atos, Laurence is responsible for relations with institutional partners and communication for Digital Security.