Ransomware Continues to Rise as Nations Struggle to Address Payouts

The nabbing of the Lindbergh baby Charles in 1932 made kidnapping across U.S. state lines a federal offense punishable by death. But curiously, it did not prohibit victims from paying ransoms to extortionists.

This is becoming increasingly problematic as ransomware—an attack method where threat actors infiltrate a victim’s network, encrypt his or her data, and hold it hostage until a ransom amount is paid—is thriving. Between January 2021 and June 2021, the total value of suspicious activity reported in ransomware-related Suspicious Activity Reports (SARs) reached $590 million—up from $416 million for all of 2020, according to the U.S. Treasury Department.

Bitcoin is the most common ransomware-related payment method for reported transactions, which reach a mean monthly average amount of $66.4 million, the department said in the report Financial Trend Analysis: Ransomware Trends in Bank Secrecy Act Data Between January 2021 and June 2021, published in October 2021.

$590M

Value of ransomware-related activity in the first six months of 2021.

“The transition to remote and online work in response to COVID-19 has also exacerbated risks and vulnerabilities of businesses to cyberattacks, such as ransomware,” the department found. “Attacks on small municipalities and healthcare organizations have also increased, typically due to perceived weaker security controls and higher propensity of these victims to pay the ransom because of the criticality of their services, particularly during a global health pandemic.”

The department also highlighted a growing concern that some ransomware threat actors are engaging in “double extortion,” where they exfiltrate data, encrypt it, and then threaten to publish it if the ransom is not paid. For instance, in May 2021, ransomware actors leaked internal information—including intelligence reports and officer disciplinary files—when the Washington, D.C., police department refused to pay the ransom to prevent their dissemination.

Threat actors are also becoming increasingly savvy to ensure that when a victim pays a ransom, the criminals can obtain the funds by using multiple wallet addresses and avoiding reusing wallet addresses to prevent the funds from being seized by authorities.

“Threat actors identified from SARs primarily use foreign centralized exchanges for ransomware-related deposits, including exchanges incorporated in high-risk jurisdictions that may have opaque ownership structures or that may have inadequate [anti-money laundering/counterfeit] compliance standards,” according to the Treasury. “This observation is also corroborated by commercial blockchain analytic companies that note the use of exchanges incorporated in jurisdictions that may not enforce know your customer requirements or require the reporting of suspicious transactions.”

And the issue is not limited to the United States. In her remarks reflecting on her one-year anniversary as the UK National Cyber Security Centre CEO, Lindy Cameron said ransomware poses the most immediate danger to the UK government, businesses, and organizations.

“We expect ransomware will continue to be an attractive route for criminals as long as organizations remain vulnerable and continue to pay,” Cameron said. “We have been clear that paying ransoms emboldens these criminal groups—and it also does not guarantee your data will be returned intact, or indeed returned at all.”

Transnational criminals are most often the perpetrators of ransomware crimes.

Along with the ability for criminals to collect payments and continue to spread ransomware, another main challenge of addressing ransomware, Cameron explained, is that criminals often operate from outside the victim’s nation. International cooperation and extradition agreements are required to prosecute threat actors. This has become increasingly challenging as various ransomware gangs are traced back to Russia, which has largely refused to cooperate with outside forces to extradite these individuals.

U.S. President Joe Biden met with Russian President Vladimir Putin in July 2021 and discussed the rise in cyberattacks from actors living in Russia, and Putin said Russia would cooperate in reducing ransomware attacks.

In a press conference after the meeting, Biden said he “made it clear to [Putin] that the United States expects when a ransomware operation is coming from his soil, even though it’s not sponsored by the state, we expect them to act if we give them enough information to act on who that is.”

Ransomware activity, however, has not decreased, and Russia was not invited to a Ransomware Summit hosted by the White House in October 2021. Instead, officials from more than 30 other nations gathered to discuss the threat ransomware poses and what can be done to counter it.

Representatives from the Czech Republic, Ireland, Israel, and South Korea all spoke about the increase in ransomware attacks they have seen during the past year, targeting healthcare organizations and other critical sectors.

“No one country, no one group can solve this problem,” said U.S. National Security Advisor Jake Sullivan. “Transnational criminals are most often the perpetrators of ransomware crimes, and they often leverage global infrastructure and money laundering networks across multiple countries, multiple jurisdictions to carry out their attacks.”

In response, the gathered representatives pledged to work together to take a multipronged approach to addressing ransomware.

“Efforts will include improving network resilience to prevent incidents when possible and respond effectively when incidents do occur; addressing the abuse of financial mechanisms to launder ransom payments or conduct other activities that make ransomware profitable; and disrupting the ransomware ecosystem via law enforcement collaboration to investigate and prosecute ransomware actors, addressing safe havens for ransomware criminals, and continued diplomatic engagement,” the representatives said in a joint statement.

Europol and the United States had made some progress towards those goals, as of press time. In November, the U.S. Department of Justice announced the arrest of the suspected mastermind behind some high profile REvil ransomware attacks—along with the seizure of $6 million in suspected ransom payments. The U.S. Treasury Department also announced sanctions against Chatex, a cryptocurrency exchange, for its alleged role in facilitating ransomware payments.

At the same time, Europol announced the arrest of five individuals suspected to be involved in the REvil ransomware gang. Another suspect, a Russian national, remained at large.

Officials are also continuing to weigh whether ransom payments should be made illegal. So far, most nations have taken the approach of discouraging individuals from paying ransoms because they create financial incentive for criminals to continue conducting ransomware attacks against lucrative targets with better forms of ransomware.

For instance, new research from cyber firm Ermetic found that Amazon Web Services (AWS) S3 buckets could be targeted to spread ransomware in organizations’ environments.

“AWS S3 buckets are regarded as highly reliable, so they have come to be used with great confidence,” Ermetic wrote. “What most cloud security stakeholders don’t realize is that S3 buckets face a great security risk, from an unexpected source: identities. A compromised identity with a toxic combination of entitlements can easily perform ransomware on an organization’s data.”

Researchers with IBM’s X-Force team are also tracking the possibility of ransomware being used to target cloud environments, furthering its reach, according to its 2021 IBM X-Force Cloud Security Landscape Report.

“X-Force analyzed data from our IR teams to find how threat actors are using cloud environments once they’re inside,” the report said. “Based on our analysis of incidents, cryptominers and ransomware were used extensively, accounting for over half of system compromises.”

And once compromised, many organizations and individuals will choose to pay the ransom to get their systems back online to restore essential services, just like Colonial Pipeline did when CEO Joe Blount decided to pay $4.5 million in cryptocurrency to ransomware attackers that targeted his company in exchange for a decryption tool in 2021.

“You don’t want to pay the ransom. You don’t want to encourage [hackers], you don’t want to pay these contemptable criminals,” he said in an interview with NPR.

“But our job and our duty is to the American public,” Blount added. “So, when you know that you have 100 million gallons of gasoline and diesel fuels and jet fuels that are going to go across the southeastern and eastern seaboard of the United States, it’s a very critical decision to make. And if owning that decryption tool gets you there quicker, then it’s the decision that had to be made. And I did make that decision that day. It was the right decision to make for the country.”