In Aesop’s fable, “The Astrologer,” a man looks up toward the stars for signs about the future. While focusing his gaze upward, however, he trips and falls in a hole on the ground in front of him. While stargazing, he failed to account for the realities of his present environment. Similarly, Western analysts have focused on Russia’s kinetic military advances in Ukraine while overlooking an existing, omnipresent Russian cyberthreat: ransomware. Russian use of ransomware prior to the Ukrainian invasion is well documented but the threat seems to be largely overlooked. Lest we suffer the fate of the Astrologer, the holes in our cybersecurity cannot be overlooked.
In response to Russia’s invasion of Ukraine, the United States levied economic sanctions instead of launching a military intervention. As a result, Russia’s economy and its ruble continue to falter. President Vladimir Putin described Western sanctions as “akin to a declaration of war” and advised his country to brace for unemployment and inflation. While sanctions may help achieve Western goals of punishing and isolating Russia, an unintended consequence of Russia’s weakening economy could be the continued cultivation of a hospitable environment for cyber criminals. The Russian government will likely have little incentive to rein in cyber criminals who attack American businesses and infrastructure.
It would be foolish to think ransomware actors can be geographically isolated. However, a pattern of ransomware attacks emanating from Russia already exists. Chainalysis, a blockchain data platform, reported that over 74 percent of ransomware payment revenue is highly likely to have gone to criminals based in Russia. Cyber criminals who target the West generally enjoy freedom from legal prosecution in Russia. The January 2022 arrest of REvil operatives was a rare exception that is unlikely to be repeated soon.
Ransomware is a lucrative multibillion-dollar industry. In the first six months of 2021, over $590 million of ransomware-related transactions were recorded. Russian economic instability will make criminal activity an attractive alternative for generating income. Furthermore, hackers can avoid currency instability by extorting payments from Western victims in cryptocurrency. Cryptocurrency offers compensation paid in an alternative to the ruble that transcends borders while remaining pseudonymous and difficult to trace.
Nationalistic motivations also play a role in the ransomware threat landscape. In late February, the Conti ransomware group, based in Russia, affirmed its support for Russian actions in Ukraine and stated, “We are going to use our all possible [sic] resources to strike back at the critical infrastructures of an enemy.” Conti, among other groups, has been tied to the Russian intelligence services, showing a nexus between criminal and government action that poses a risk to Western interests. One threat is attacks against election infrastructure that would result in a “perception hack.” While a perception hack would do minimal damage financially, it could create psychological insecurity among voters about the integrity of American elections.
Unfortunately, the barrier to entry for ransomware hacking is relatively low. Entrepreneurial services such as ransomware-as-a-service (RaaS) models exist, allowing commoditization of the process. In effect, RaaS licenses existing ransomware to organizations in exchange for a portion of any payment from the victims. As a result, even hackers with minimal skills are ripe for recruitment by organizations like REvil, further expanding the network of potential attackers. Akin to the proliferation of drones at the tactical level, the relatively low-tech RaaS model has larger consequences for US national security.
A rise in ransomware attacks against the West was already expected before the Russian invasion of Ukraine. In November 2021, the Cybersecurity and Infrastructure Security Agency director, Jen Easterly, testified before the House of Representatives’ Homeland Security Committee. In her testimony, she addressed how targeted attacks against fuel supplies and agriculture caused prices to rise. Furthermore, she explained how attacks against local and state infrastructure could cause degradation to critical services and national security. The fragile relationship the United States has with Russia might become even more precarious if a critical infrastructure sector is compromised during a criminal ransomware attack by nonstate actors provided safe haven by an adversary.
The ransomware threat looms even more significantly now that sanctions pressure Russia’s economy. As the United States braces for record-high inflation levels and supply lines stressed by the COVID pandemic, ransomware attacks will affect American prosperity even if not widely covered by the media. Disruption, insecurity, and confusion about the stability of the US economy, internally and externally, will be a geopolitical advantage Russia can exploit.
A whole-of-nation approach to cybersecurity is needed, requiring private and public collaboration. Recognizing that the private sector will often endure the brunt of an attack and be positioned to warn the broader cyber ecosystem, efforts like the Joint Cyber Defense Collaborative and partnerships with industry will be vital for early detection. Microsoft, for example, identified destructive malware operations in Ukraine. As ransomware attacks are often tied to phishing campaigns, public awareness and cybersecurity protocols are imperative, especially in the work-from-home environment, where the attack surface has increased. Employers, educational institutions, and the government should work together to reinforce simple and strong cyber hygiene skills. Similar to educating the public during World War II with information campaigns like “Loose Lips Sink Ships,” the public needs enduring familiarity with modern-day security behaviors like using multifactor authentication and routinely updating software.
Ransomware groups exploit vulnerabilities in how private industry manages information. A proactive governmental oversight role can help ensure networks are run effectively and securely, so that the weaponization of data is minimized. The government’s role can expand even further to deter malicious actors and shape a safer environment by regulating software and hardware in the technology sector. This is not unprecedented. Citing past government acts of oversight leading to industrial shifts, National Cyber Director Chris Inglis wrote, “Both the public and private sectors must commit to moving toward true collaboration—contributing resources, attention, expertise, and people toward institutions designed to prevent, counter, and recover from cyber-incidents.”
The possibility of regulation yields arguments about the extent of government intervention, the imbalance of power in the government, the influence industry might have on shaping the environment, and the potential to stifle innovation. However, the absence of government regulation means inconsistency among consumer data protection, content moderation, and software vulnerabilities. With multiple agencies such as the Federal Trade Commission and Department of Justice sharing oversight responsibilities, there are gaps that our adversaries exploit. A federal agency dedicated to protecting data, software, and hardware could offer quality control in a way similar to how the Food and Drug Administration oversees the pharmaceutical industry or the Federal Aviation Administration oversees the aviation industry.
Beyond industry partnerships and increased government regulation, the United States needs to continue investing in developing cyber capabilities with like-minded countries. It is essential that the United States does not focus solely on its internal resiliency and inadvertently shift the burden of ransomware attacks to countries with less capacity to respond. The United States should continue to partner with and take lessons from countries leading in cybersecurity, like Estonia and Israel. As evidenced by Ukraine, neighboring countries to Russia are often testbeds for tactics, techniques, and procedures. The United States stands to learn as much from our partners and allies as we can offer them.
The fight against ransomware also presents an opportunity for the United States to display its global leadership. The National Security Council facilitated a Counter Ransomware Initiative Meeting in October 2021, which brought over thirty countries and the European Union together. The meeting accelerated cooperation on law enforcement responses to ransomware, countering cyber criminals, using diplomatic norms to disrupt safe-haven environments, and addressing abuse of the financial systems that facilitate laundering of ransom payments. Transparent displays of collaboration will help establish international norms that will force nations to take responsibility for the cyber actions coming from within their borders.
Use of Military Force
Ransomware attackers are becoming bolder, blurring the lines between criminal activity and national security threats. Thus far, the United States has employed diplomatic and economic tools against ransomware attacks but has not used conventional military force as a response. Other nations, however, have. In May 2019, the Israel Defense Forces launched an airstrike against Hamas cyber operatives. The argument is not that the United States should respond to ransomware with military assets or “boots on the ground” but that it must recognize that as the cyber domain evolves, the law of war and use-of-force decisions will be tested beyond just cyberspace.
An increase in criminally motivated ransomware attacks will have dire complications for our national security, damage an already strained supply chain, and work in Russia’s geopolitical favor, regardless of whether the ransomware is deliberately state-sponsored or weaponized. Fortunately, policymakers and businesses can influence and shape the cyber environment to fortify defenses against ransomware attacks. Strengthening cyber defenses will increase the costs to cyber criminals while decreasing the benefits.
The Russian invasion of Ukraine created a complex situation in which the global community is leveraging economic tools to shape Russian behavior. It is impossible to predict the result of such trade embargoes. However, the unintended consequences of anchoring on economic tools could surface as increased criminal behavior that will impact national security and prosperity. As the Astrologer learned, the lesson is not to ignore the threats that are right in front of us.
Jason Kikta is a major in the United States Marine Corps and is currently assigned as the J56, Division Chief for Public Sector Partnerships in Cyber National Mission Force. He tweets under the handle @kikta.
Laura Keenan is a lieutenant colonel in the District of Columbia Army National Guard and is currently assigned as the J55, Division Chief for Policy and Strategy in Cyber National Mission Force. She has been published by the Modern War Institute, RealClearDefense, and the Strategy Bridge.
The views expressed are those of the authors and do not reflect the official position of the United States Military Academy, Department of the Army, or Department of Defense, or that of any organization the authors are affiliated with, including the Marine Corps, Army National Guard, and United States Cyber Command.
Image credit: WeissenbachPR