Challenges Remain in Evaluating Ransomware Crackdowns

More Public Data

Another way to measure ransomware operations – and thus the impact of law enforcement crackdowns – is by tracking the attacks via public incident reporting, through the number of victims posted to extortion sites or in privately collected data from incident response.

This data paints a somewhat different picture of the Hive takedown. Recorded Future’s Liska said researchers tracked a “fairly significant” dip in reported ransomware attacks the month after that disruption, but Hive’s affiliates soon migrated to other ransomware like LockBit or BlackCat (also known as ALPHV), and attacks soon picked back up. Again, when law enforcement disrupted BlackCat infrastructure in December 2023, researchers with Recorded Future saw a “big drop” in January 2024.

“What will be interesting to see is what impact the stacking of these takedowns, ALPHV followed so quickly by LockBit, has on the numbers – in other words, how disruptive back-to-back major government actions against ransomware groups really are,” said Liska.

Still, there are challenges here in capturing the full picture and making direct correlations. The current availability of public data is limited, and even with that data available there are several unknowns about who the victims are, whether a ransom was paid, and whether any specific aspects of a law enforcement operation – whether an arrest or a sanction – had a more meaningful impact.

“It’s a work in progress,” said Megan Stifel, the chief strategy officer at the Institute for Security and Technology and co-chair of the Ransomware Task Force. “There are facts and figures that have been cited in this [LockBit] press release, but unfortunately any efforts to measure at this stage are still not where we want them to be because we don’t have reporting requirements in place yet. Once we do, I think that it will go a long way toward helping us better measure the impact of arrests and takedowns.”

From a long-term perspective, more consistent cyber incident data reporting could translate to a fuller picture about the scope, scale and impact of ransomware attacks, which in turn could help interpret whether certain steps are effective in hindering cybercriminals, such as sanctions by governments or disruption efforts.

Currently, however, a number of challenges are preventing that full picture from coming together. The government relies on regulatory policies for cyber incident reporting, but the current regulatory landscape is made up of a patchwork of different guidelines across several agencies, adding layers of complexity to the process of reporting incidents. There are also concerns about the government’s realistic ability to process and analyze data once it has been reported – and on the other side, the right incentives are needed for organizations that have historically feared reputational backlash from reporting.

In the meantime, Stifel hopes that a better relationship between the government and private sector will maximize the information sharing needed to track takedown efforts like the one against LockBit.

“The ongoing monitoring of the impact of this takedown is important,” said Stifel. “It’s important here that law enforcement engage with the industry to look for reflections of this takedown. Once you throw the rock there will be impacts – it will create ripples, and it’s important to watch where those ripples reach other targets.”

