Head of Data Breach, Kingsley Hayes, discusses how ransomware attacks have become a major geopolitical issue and the growing need for stringent regulation to prevent such attacks.
Kingsley’s article was published in Network Security, August 2021.
Ransomware attacks have become a major geopolitical issue. The recent 2021 G7 summit in Cornwall issued a final communique calling on Russia to “hold to account those within its borders who conduct ransomware attacks” while also committing the G7 to collaborate in order “to urgently address the escalating shared threat”.
When US President Joe Biden met Russian President Vladimir Putin in Switzerland on 16 June 2021, ransomware attacks were a key topic for discussion. Russia has been accused of involvement in several major cyberattacks, including the SolarWinds hack of 2020, which gave the attackers access to computer systems belonging to US government departments such as the US Treasury and the Department of Commerce, as well as to many major US corporations.
Since the successful WannaCry and NotPetya attacks of 2017 revealed the vulnerabilities of many networks, the frequency of ransomware attacks has grown sharply. Lindy Cameron, the head of GCHQ’s National Cyber Security Centre, has recently said that her organisation “supports victims of ransomware every day” and that, although state-sponsored hacking campaigns are a “malicious strategic threat to the UK’s national interests”, ransomware has become the most significant threat.
Ms Cameron recently told the Royal United Services Institute that “For the vast majority of UK citizens and businesses, and indeed for the vast majority of critical national infrastructure providers and government service providers, the primary key threat is not state actors but cyber criminals.” She also advised companies affected by ransomware attacks not to pay the ransom demanded.
Ransomware attacks are certainly growing in terms of both their frequency and severity. In England, in just the past two years, we have seen significant attacks upon organisations such as the Police Federation of England and Wales (PFEW) and Hammersmith Medical Research, trading as London Trials. There have also been attacks aimed squarely at obtaining sensitive medical data, such as the hack against the Transform group. Medical data is, of course, extremely sensitive to the individual, and its theft can have many consequences, with blackmail and extortion being two of the most severe.
The Irish health system is still only beginning to recover from a major ransomware attack it suffered in May. In what was called a “catastrophic” attack, the Irish health service had its data encrypted by a gang of criminal hackers, who then demanded that a US$20 million ransom be paid in Bitcoin for the decryption key. The attack caused major disruption to services and put patients at real risk. Nonetheless, the Irish government refused to pay the ransom and, perhaps unusually, the hackers then supplied the decryption key regardless, although it has since emerged that patient data has been leaked online. Perhaps the hackers were content to attempt to profit from the sale of the data, since patient medical records can fetch up to US$1,000 per record on the dark web and, when combined with other data such as identity data, can cause great harm to the individuals affected. Indeed, it may be possible for hackers to seek ransoms from individual patients even where they cannot obtain one from the entity originally hacked.
Organisations will deploy whatever security investigation services they have and will seek to activate their business continuity plans, but they cannot protect the data they have already lost control of. There is little a member of the public can do in these circumstances to protect themselves from publication of the data, or from its sale on the dark web. In most instances, the organisation under attack is more interested in protecting itself than the people whose data has been exposed. It can often be many days or weeks after the data breach that the public is notified. Notification might only occur after the data has been published.
Not all entities threatened by ransomware attacks refuse to pay as a matter of principle, as the Irish government did. Mitigating the consequences of a ransomware attack is likely to cost far more than simply paying up. One of the largest US insurance companies, CNA Financial Corp, recently reportedly paid US$40 million to regain access to its network. The Brazilian meat company JBS SA recently paid US$11 million to hackers. The Colonial Pipeline hack disrupted fuel supplies in the US before a US$4.4 million ransom was paid over to the hackers in Bitcoin. However, the US Department of Justice later announced that it had managed to recover most of the Bitcoin ransom that was paid. This outcome shows that cryptocurrencies such as Bitcoin are not always beyond the reach of the long arm of the law.
One of the primary reasons that major governments around the world are now planning to aggressively regulate cryptocurrencies is to prevent their use in crimes such as ransomware attacks. For example, earlier this year, Janet Yellen, now the US Secretary of the Treasury, told the US Senate Finance Committee of her concerns that many cryptocurrencies “are used, at least in a transaction sense, mainly for illicit financing. And I think we really need to examine ways in which we can curtail their use”.
The EU has also announced a plan to regulate blockchain and digital currencies, alongside plans to launch a digital euro, which will provide users with privacy, but which also looks set to be traceable if used for criminal purposes. ECB President Christine Lagarde said that the proposed new digital euro would enable “people to make payments without sharing their data with third parties, other than what is required by regulation.”
A key way to undermine the viability of ransomware attacks would be to limit access to hard-to-trace methods of payment, such as cryptocurrencies. Bitcoin is pseudonymous rather than anonymous: every transaction is recorded on a public ledger, which is precisely what makes the recoveries described below possible, but it is still far harder to trace than a conventional bank transfer. Until effective regulation comes into force, if it ever does, we will have to deal with the reality that cryptocurrencies exist as a less-traceable method of payment.
A landmark 2019 English High Court decision offers some hope to companies extorted into paying ransoms to retrieve their data. In 2019, the English High Court held that Bitcoins are legally capable of being regarded as property. This finding was crucial, as it means that Bitcoins can then be made the subject of proprietary injunctions.
This important judgment in AA v Persons Unknown [2019] EWHC 3556 (Comm) arose in the context of a ransomware attack on a Canadian insurance company. Having encrypted the company’s systems, the hackers then demanded a ransom of the Bitcoin equivalent of US$1.2 million in return for the decryption key. The Canadian company had an English insurer which provided cover against such attacks. The insurer quickly appointed a specialist cyberattack incident response company, which communicated with the hackers. A ransom payment of the Bitcoin equivalent of US$950,000 was agreed and paid over to the hackers. The decryption key was duly sent to the company and their data was retrieved.
However, unbeknownst to the hackers, the English insurer was working rapidly to recover the Bitcoins paid. It hired specialist consultants who managed to trace the Bitcoins paid to an account at a particular exchange. They found that 96 of the 109.25 Bitcoins paid over were still held in that account. The insurer rapidly brought legal proceedings in the English High Court to recover the Bitcoins, on the basis that they had been paid under extortion. The court granted a proprietary injunction over the remaining 96 Bitcoins to enable them to be recovered. It was in the course of this application that the novel decision was made that Bitcoins are legally property, and so capable of being the subject of court injunctions. Cryptoassets are clearly already coming within the ambit of some of the world’s legal systems. However, in order to recover such payments, it is crucial to act with all speed, before the assets are dispersed across further wallets or converted to other currencies.
Many cybersecurity experts now argue that significant internationally coordinated governmental action is required in order to push back effectively against the current wave of ransomware attacks. An important recent report, “Combating Ransomware”, by the Ransomware Task Force of the US-based Institute for Security and Technology, argues that the ransomware phenomenon is “no longer just a financial crime; it is an urgent national security risk that threatens schools, hospitals, businesses, and governments across the globe”. The report’s key recommendations include the creation of “coordinated, international diplomatic and law enforcement efforts” to “proactively prioritize ransomware through a comprehensive, resourced strategy, including using a carrot-and-stick approach to direct nation-states away from providing safe havens to ransomware criminals.”
The report, which sourced the views of 60 American cybersecurity experts, says “The United States should lead by example and execute a sustained, aggressive, whole of government, intelligence-driven anti-ransomware campaign, coordinated by the White House. This must include the establishment of 1) an Interagency Working Group led by the National Security Council in coordination with the nascent National Cyber Director; 2) an internal U.S. Government Joint Ransomware Task Force; and 3) a collaborative, private industry-led informal Ransomware Threat Focus Hub.”
The four goals set out by the report are to: “deter ransomware attacks through a nationally and internationally coordinated, comprehensive strategy; disrupt the ransomware business model and reduce criminal profits; help organizations prepare for ransomware attacks; and respond to ransomware attacks more effectively.”
For some, the call for a “global war” against ransomware attacks is not merely metaphorical. Some cybersecurity experts are now saying that an effective response to ransomware attacks will require some level of military involvement. Former FBI agent John Riggi, who is a cybersecurity adviser to the American Hospital Association, has said that the governmental response “should include a combination of diplomatic, financial, law enforcement, intelligence operations, of course, and military operations”.
Whether or not such dramatic calls will be heeded, there is no doubt that cybercrime and ransomware attacks are moving to the top of the policy agenda for many governments. The UK’s National Crime Agency says that because “the distinction between nation states and criminal groups is increasingly blurred, cyber crime attribution is sometimes difficult. Many Russian-speaking cyber groups are threatening UK interests, but home-grown cyber criminals are becoming more sophisticated and therefore a rising threat.” In the face of an amorphous and potent threat, with potential links to hostile powers, it is inevitable that very significant resources will be deployed to deal with the issue in the coming months and years.
New and more stringent regulatory regimes and legal enforcement powers are likely to be created. More severe criminal penalties may be introduced to deter cybercriminals. Sanctions may be imposed on countries seen as safe harbours for cybercriminals. More stringent cryptocurrency regulation could also play a crucial role in disrupting the business model underpinning ransomware attacks. Governments may consider making it illegal to pay ransoms to cybercriminals. What’s more, it seems likely that the introduction and enforcement of such measures will be closely coordinated internationally, given the fundamentally borderless nature of the threat.
The recent escalation in attacks appears to have provoked a determined response from some of the world’s major powers. Only time will tell what precise shape that response will take, and how effective it will be.