When Team Cymru's James Shank worked with the Ransomware Task Force to come up with the worst-case scenarios for a ransomware attack, the group focused heavily on impacts: How could attackers endanger people or cause significant damage to infrastructure?
However, the group also focused on vectors, including an exploitation chain that amplifies attacks by compromising the software supply chain, infecting managed service providers, and propagating too quickly for defenders to react. In short, the scenarios the group came up with looked very similar to the July 2 attack on managed service providers that used a vulnerability in Kaseya Virtual System Administrator (VSA) servers.
The ability to use existing update and control mechanisms to propagate an attack is often referred to in military jargon as "force amplification," Shank says.
"That was one of the identified vectors that we explicitly called out, because it has wide-ranging impact," he says. "Force amplification, that is one of the things that we explicitly did identify as a technique that should be considered part of the worst-case scenarios."
The attack—along with attacks on oil-and-gas transport network Colonial Pipeline and meat packer JBS USA—highlights the capability of ransomware groups to affect large numbers of people, and underscores that attack techniques are evolving. Without any fear of retribution, the groups behind the schemes will likely only get better. Individual companies have little recourse except to improve their defenses, stay on top of the latest techniques, and prepare to minimize business disruption in the event of an attack.
Yet governments are hobbled as well. On Friday, US President Joe Biden discussed the attacks with Russian President Vladimir Putin, requesting cooperation and pledging consequences for any inaction, according to reports. What those consequences will be is unclear.
"I made it very clear to him that the United States expects, when a ransomware operation is coming from his soil even though it's not sponsored by the state, we expect them to act if we give them enough information to act on who that is," Biden told the White House press.
The Cyberspace Solarium Commission (CSC), a bipartisan group of legislators and cybersecurity experts, recommended more than 80 policy initiatives that aim to improve US cybersecurity in March 2020. Among the foundations of the recommendations, the CSC focused on deterrence to shape rival nations' behavior, deny benefits to attackers, and impose significant costs on any successful attack.
So far, at least 27 of those recommendations have been turned into US policy, and another 30 are hoped to be introduced as legislation and executive action this year.
While companies need to better defend themselves, the government can help them by recommending cybersecurity measures and passing along threat information and by taking actions to dissuade attackers, whether it is sanctions against collaborating countries, indictments against individuals, or offensive attacks against the infrastructure used by criminals and their financial windfalls, says Mark Montgomery, senior director of the Center on Cyber and Technology Innovation at the Foundation for Defense of Democracies (FDD) and the executive director of the Cyberspace Solarium Commission.
"No one of them can solve it alone—you have to do all three," he says. "We need to be working consistently across all three of those lines of effort."
The Ransomware Task Force recommended five policies: coordinated diplomacy and law enforcement efforts, an aggressive whole-of-government campaign by the United States to dissuade ransomware groups, the establishment of cyber response funds to help business, an international framework for responding to ransomware, and more regulation of cryptocurrency. The recommendations cannot be done piecemeal but need to be pursued all at the same time, says Team Cymru's Shank.
He has high hopes for such an approach. While companies and nations may seem to be at a disadvantage compared to cybercriminals operating in other jurisdictions, the vast majority of interests lie in solving the problem of ransomware, he says.
"The attackers—compared to the army of people who have an interest in them not being successful—they are way, way outnumbered," he says.
Ransomware as Terrorism
The United States is not the only nation whose government has put a spotlight on ransomware. On July 8, INTERPOL put the threat of ransomware on par with terrorism activity, as a priority for collaborative law enforcement efforts.
Ransomware is unquestionably a worldwide problem. WannaCry and NotPetya, two cyberattacks that mimicked ransomware, caused tens of billions of dollars in damage, shutting down operations not only at US companies but at European and Asian firms as well. The vast majority of businesses affected by the Kaseya ransomware attack were outside the United States, with 45% of downstream attack attempts detected by Kaspersky occurring in Italy and 15% in Colombia. The United States ranked second, with 26% of detections of the REvil ransomware payload.
In its annual conference this week, INTERPOL called for tighter partnerships between countries to combat ransomware and other threats.
"A global strategy in response to the threat of ransomware is critical – one where we successfully build trust, see effective exchange of data, and maximize rapid operational assistance to law enforcement agencies," INTERPOL Secretary General Jürgen Stock said in a statement.
Companies also need to do more to protect themselves from attacks. As automation and cost savings are implemented, those savings should be reinvested in security, says FDD's Montgomery. Colonial Pipeline benefited from significant automation of its operations, but it did not invest those gains in cybersecurity to keep its oil-and-gas transport network safe, he argues.
"They let go dozens and scores of people when they automated, and when they were attacked, Colonial Pipeline could not have reverted back to the 1960s when their pipeline was manual," he says. "So when you move toward more automation, invest in the security of your operational systems."