The Institute for Security+Technology released a recommendations report on the 30th April 2021 with the help of a list of industry players, to try to stem the tsunami that is ransomware.
The 81-page report says all the right kinds of things, but the reader is left to wonder just how many Zoom meetings will be consumed in the delivery of some of the priority recommendations.
Co-ordinated international law enforcement and data sharing. Tick. That is a box that needs to be ticked, but we seem to gloss over the practicalities of such a sweeping statement.
Will Regulation be the answer?
The report looks to regulation as a possible solution, both for the early reporting of ransomware attacks and for the application of 20th-century anti-money laundering (AML) controls to cryptocurrency exchanges and, by implication, to cryptocurrencies themselves.
Regulation is never an easy answer. Anything designed by committee is by necessity a lowest common denominator conversation. Regulation takes years when it has national boundaries, international regulation – much longer, global regulation – sigh, cough.
And so, whilst the ideas within the recommendations are all useful and aligned with a single goal and purpose, they gloss over the practicalities of getting any of them to completion.
Rolling back the clock
Maybe we need to think back further in time to get some ideas into what can be done practically to reduce the ransomware threat.
We can go all the way back to the 17th century to look at a very similar problem that needed to be resolved.
The golden age of piracy, from about 1650 to 1730, had many similar hallmarks.
A lawless time when easy money could be made robbing commercial as well as government shipping across all of the world's popular trading routes.
The rewards were huge and many a ship was taken without a single shot being fired, so personal injury as a pirate was relatively rare for the times.
Islands along the trade routes profited from the spending of these pirates and protected and warned them of international interventions.
So what changed to reduce piracy to an acceptable level (after all we still have piracy in known hotspot areas today)?
Deterrents such as capital punishment for those caught as pirates did little to dissuade the behaviour. Life expectancy was short in those times and you were more likely to starve to death in your 20s than to be hanged for piracy.
Pay pirates to catch pirates
The major improvement came with privateers: funded by governments, they were paid a bounty on the capture of pirates. Essentially, pirates were being paid legally to capture illegal pirates.
Double agents if you will. The rewards would be substantial, often shared between the Privateers and the Government. And this piracy was all legal. Sir Francis Drake is held up as a hero in British history for attacking Spanish commercial shipping in this way. Less so by the Spanish.
Eventually the world's navies were multiplied to provide escorts to commercial shipping, making piracy a far greater challenge to life and liberty.
So can we apply the same logic to bounty hunt ransomware gangs in the 21st century?
It is in each gang's interests to limit the number feeding from the ransomware trough. Can governments create gangs to hunt down ransomware gangs?
Cyber offence target practice for nation states
Clearly there is a need for cyberattack-type scenarios that target enemy forces across the Internet. And every nation is building its capabilities to launch and defend against nation-state-sponsored cyberattacks.
Maybe this is the sort of target practice that would actually serve a useful purpose and may come with additional benefits if the gang is actually a nation state actor.
We have seen plenty of third-party supply chain exploits recently. Will we see nation states implementing the same sorts of exploits in the underground ransomware kit market? Could ransomware tools be impacted from within, so any users of these tools would be exposed?
Embedding trojan tech into ransomware kits being sold on the dark web seems like the way to go. Maybe it’s there already?
Stopping the money
If we look at removing the fungibility of ransomware payments by fixing cryptocurrencies so that wallets can be frozen to all transactions (incoming and outgoing) on the request of a national agency in any country, this would be the AML equivalent for the 21st century.
This would effectively mean that the means of payment is removed completely for ransomware and, without a viable means of profit, the value proposition reduces drastically.
Dark cryptocurrencies would materialise quite quickly, but if payments to unregulated cryptocurrencies were made illegal, then businesses would have no means of paying a ransom demand. And one of the downsides of all blockchain tech, from a criminality point of view, is that all the evidence of a transaction is recorded in the blockchain itself.
The reality of all of these measures is that they will likely weaponise ransomware gangs to the extent that they all eventually become state sponsored. On capture, the gang would be given the choice between prison time with substantial fines and using their skills more productively by working for the state.