Executive Viewpoint

Disrupting Ransomware and Dismantling the Cybercrime Ecosystem


Ransomware attacks on U.S. critical infrastructure are headlining the nightly news. Within the past month, an attack on the U.S. fuel company Colonial Pipeline by ransomware group DarkSide caused gas shortages along the East Coast and a ransomware attack on the world’s largest meat processor JBS by cybercriminal gang REvil underscored a dire threat to the global food supply chain. The impact of cybercrime is being felt in our physical world and citizens are caught in the crosshairs of these attacks.  

“Collateral damage in the cyber sense is very real,” said Rick McElroy, principal cybersecurity strategist at VMware. “We’re seeing critical infrastructure increasingly become a top target for cybercriminals who are using ransomware to ensure profitability and cause mass disruption. It’s time for organizations to fight back.”   

Our 2021 Global Security Insights Report found that ransomware is one of the leading breach causes for organizations. Ransomware groups are leveraging Ransomware-as-a-Service (RaaS) operations, affiliate programs, and the recruiting of insiders – all of which are driving this surge in attacks.  

And attackers aren’t stopping once they’ve ransomed an organization. Nearly 40% of security leaders we surveyed in January 2021 said that double-extortion ransomware was the most observed new ransomware attack technique. That means attackers are returning to exfiltrate sensitive information and use it for blackmail, or selling it on the dark web, to ensure financial gain.

“Ransomware gangs will always follow the money, which is why secondary extortion has become a popular tactic among these cybercriminal groups. With ransomware payouts in the millions of dollars, and additional extortion methods at their disposal, we don’t expect to see a decrease in ransomware attacks anytime soon unless significant action is taken by both the public and private sector.”

-Eric O’Neill, National Security Strategist, VMware

How cryptocurrency exchanges are fueling the ransomware surge 

We are missing a large piece of the ransomware story if we do not focus on the ransomware payment itself, and how cryptocurrency exchanges are enabling bad actors. In order to effectively disrupt cybercrime and stop ransomware, we must challenge cryptocurrency exchanges to have a higher level of corporate responsibility and implement Know Your Customer (KYC) regulations.  

“We need to draw a line in the sand with exchanges and virtual currencies,” said Tom Kellermann, head of cybersecurity strategy at VMware. “At a minimum, you will abide by two principles of status. First, when called upon by law enforcement to know thy customer, you will have the capacity to do that. Second, you will also freeze the assets associated with that individual. Additionally, the specific cryptocurrency exchanges that advertise they lie outside of the legal boundaries of Western governments should have pressure brought on them from law enforcement.”

Because cryptocurrencies do not have the same transparency as U.S. capital markets, cybercrime cartels can operate with a level of anonymity that allows them to continually carry out these attacks without being caught by law enforcement. Ransoms paid in cryptocurrency are untraceable, can cross borders, and have no limit on the dollar amount that can be extorted. If cybercriminals can take off with $40 million and leave behind no trace, it’s clear why ransomware has become a popular form of cybercrime.  

Dismantling the cybercrime ecosystem that has allowed ransomware to flourish 

Combatting ransomware requires an “all hands on deck” approach from both the private and public sector. In October 2020 amid a surge of ransomware attacks targeting the healthcare industry, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) issued an advisory highlighting the risks associated with paying the ransom. Companies that facilitate ransomware payments to cyber actors on behalf of victims encourage future ransomware payment demands and also risk violating OFAC regulations.  

“Whenever a sense of urgency is perceived by organizations and they feel their options are limited, that’s when they’ll consider paying the ransom,” said McElroy. “However, even if a ransom is paid, there’s no guarantee that hackers will restore the data. In fact, the stolen data often ends up on the dark web, which is now estimated to be the third-largest economy in the world. For these reasons, along with the fact that it allows the ransomware business to grow, organizations should not pay.”

Even with the threat of costly fines from the U.S. federal government if a ransom is paid, additional government involvement and regulation are critical to dismantling the cybercrime ecosystem.

On June 7, the Department of Justice in coordination with the recently launched Ransomware and Digital Extortion Task Force announced it had recovered the majority of the ransom paid by Colonial Pipeline to DarkSide.  

“The recovery of ransomware payments is now possible due to the technology provided by companies like Chainalysis,” said Kellermann. “It’s critical that recovered ransomware payments be invested back into cybersecurity.”

At the press conference announcing the ransom recovery, Deputy U.S. Attorney General Lisa Monaco urged business and community leaders to “invest the resources now” given the threat posed by severe ransomware attacks. 

According to Reuters, the U.S. Department of Justice will also be elevating investigations of ransomware attacks to a similar priority as terrorism in the wake of mounting damage caused by cybercriminals. Ransomware investigations will be centrally coordinated with a recently created task force in Washington.  

“The attacks we’ve seen on critical sectors such as healthcare should’ve been a red line for cybercriminals. To not only target healthcare providers but to do so during a pandemic is an act of terrorism. Any nation-state that harbors these types of actors needs to bring those criminals and terrorists to account. It is worth noting that the majority of ransomware does not detonate on Cyrillic keyboards.”

-Tom Kellermann, Head of Cybersecurity Strategy, VMware

Speaking to The Wall Street Journal, FBI director Christopher Wray noted his agency was investigating 100 different types of ransomware and likened the current surge to the challenge posed by the Sept. 11, 2001, terrorist attacks. Ransomware is being prioritized by the Biden administration as an urgent threat to national security, one that requires dismantling the cybercrime ecosystem that has allowed the ransomware industry to flourish.

As the U.S. and its allies attempt to contain the threats posed by nation-state groups and cybercriminals, cyberattacks and the use of proxies may grow. This reality forces all organizations—private and public sectors—to take a forward-leaning approach to cybersecurity. Organizations should look to subscribe to Zero Trust architectures that extend across their infrastructure intrinsically to suppress these threat actors. 

“A challenge to making nations that host ransomware operations collaborate in the apprehension of cybercriminals is that there is often collusion between these criminal actors and the local intelligence groups. Access to compromised machines—critical for espionage—is often traded for turning a blind eye,” said Giovanni Vigna, senior director of threat intelligence at VMware.

In an open memo to the private sector on June 3, Deputy National Security Advisor for Cyber and Emerging Technology, Anne Neuberger, urged business leaders to take immediate steps to address the threat of ransomware and stressed the private sector’s responsibility to strengthen cyber defenses in order to protect the American public.  

“It’s critical that the private sector ensure defenders have the power to protect organizations from ransomware attacks,” said O’Neill. “This has become a threat to our national security, our way of life and our economy.”  

Understanding attacker motivations 

The motivation for ransomware threat actors is at its core about disruption. That disruption can then be leveraged in different ways. For the overwhelming majority of ransomware incidents, the attackers are trying to disrupt the target’s normal business activity for purely financial reasons. This has been wildly successful from the attacker’s perspective, which is why we have seen a dramatic increase in these incidents over the last 4-5 years.  

There are successful ransomware campaigns that occur every day that do not make it onto the news. This is simply because many of the victim organizations have quietly been working behind the scenes to resolve the matter and, in many cases, paying the ransom. This only fuels these types of campaigns further, but from a business perspective, it is understandable why victims pay the ransom. The actions by the FBI recently to recover ransom that was paid by victims could be an approach to slow this massive problem. If more victims communicate the incidents, at least to law enforcement like the FBI, this can allow authorities to recover funds and freeze assets making ransomware campaigns less profitable for criminals. Where this approach is less successful is in the incidents where the disruptions are not to elicit financial transactions but to be destructive.  

These types of incidents are often components of larger operations where groups leverage their cyber capabilities to deploy ransomware or wipers in a way the attackers never intend to undo their actions. The disruption itself is part of a larger mission which is either used as a deterrent or to send a message to the targets, and potentially coupled with real-world military actions, said Jared Myers, Sr. Manager of the Threat Analysis Unit at VMware. 

What organizations can do to protect against ransomware 

Modern ransomware has on average 14 different defensive evasion techniques built in. Here are four best practices from VMware TAU for organizations looking to protect against the increase in ransomware attacks: 

1). Continue to address ineffective legacy security technology and process weakness 

Legacy security solutions and process weaknesses continue to pose significant risk to organizations, and the shift to an anywhere workforce has quickly expanded the threat landscape. As we emerge from the immediate response phase and begin to see the shape of the long-term future, organizations must identify the critical changes to processes and technology needed to allow remote and hybrid workers to work securely and to reduce risk.

2). Deliver security as a distributed service

The world is a more complicated place today with remote workers connecting to applications running on infrastructure that may or may not be managed, owned or controlled by the company. With so many new surfaces and different types of environments to defend, security cannot be delivered as a litany of point products and network choke points. Instead, endpoint and network controls must be delivered as a distributed service. This means delivering security that follows the assets being protected, no matter what type of environment you have.

3). Adopt an intrinsic approach to cloud-first security 

Moving to the cloud is not a security panacea. Not all clouds are equal, and controls need to be vetted, because if adversaries want to attack at scale, the cloud is the place to do it. As cloud adoption builds momentum, investment in public cloud security will be critical. When you move to a public cloud, you’re moving to a very tough neighborhood where security is contingent on your own actions and those of your neighbors. You may be able to secure your own resources, but you have no control over those sharing that environment with you. Organizations must prioritize securing cloud workloads at every point in the security lifecycle as the great cloud shift continues.

4). Engage with and have an IR partner on retainer 

When it comes to cyberattacks, it’s no longer a matter of if, but when, organizations will be targeted. A great first step is to reach out to an incident response partner to ensure that you are prepared.

Additional resources