With federal cybersecurity defences focused on nation-state intrigues and industrial cyberattacks, ransomware recovery was often a personal matter. Yet with ransomware’s toll surging through the COVID-19 pandemic, victims have new reasons to hope now that ransomware 'cartels' have finally attracted a multi-agency, multi-national response.
“It may not be the most exciting compromise or the most sophisticated attack, and sometimes it’s honestly easily preventable,” Rex Booth, chief of cyber threat analysis with the US Cybersecurity & Infrastructure Security Agency (CISA), said during a panel session at the agency’s recent Cybersummit 2020.
“But when you’re suffering through a ransomware incident, none of that matters,” he continued, recounting an “underlying tone of dismissal” in a previous job that saw many “panicked” companies ignored even when they “just desperately wanted somebody to help them.”
A ransomware strike “is a big deal,” he said. “You can’t access your data. You can’t use your systems, and you don’t know if you’re going to get them back. You’re freaking out.”
The Australian Cyber Security Centre (ACSC) reported an April spike of 318 attacks and actively advises individuals and businesses about ransomware threats that have, it warned in its recent Annual Cyber Threat Report 2020, “become one of the most significant threats given the potential impact on the operations of businesses and governments”.
Fighting the rising tide
With ransomware gangs running ever more problematic campaigns – a Romanian team called Pentaguard, for one, was caught infecting hospitals while the GozNym group stole over $135m (US$100m) from more than 40,000 victims before being busted last year – ransomware has surged up agencies’ priority lists.
The ACSC “assesses ransomware as the highest threat” of cybercrime categories, the agency noted, “based on the fact that ransomware requires minimal technical expertise, is low cost and can result in significant impact to an organisation.”
“I dislike ransomware so much because it’s just such a violent crime to a network,” said Mike Moran, a Secret Service special agent who applies his network intrusion response and critical systems protection expertise to protect the US President and Vice President at sites around the world.
CISA, for one, has been actively engaging with business and industrial leaders and collaborating with agencies including the Federal Bureau of Investigation (FBI), Homeland Security and Secret Service, which are more usually focused on conventional crimes like fraud, terrorism, money laundering, and forgery.
The agencies are increasingly running specialised teams whose scope has steadily expanded since 2013, as ransomware expanded from being an isolated issue – affecting one computer – into a self-propagating menace that is paralysing companies, driving massive data leaks, and extracting million-dollar ransoms.
“Over the past year or so, we’ve really seen an explosion in ransomware, with new tactics being leveraged and some ransomware actors entering into cartels with each other,” explained FBI special agent Jonathan Holmes, who manages ransomware investigations and strategy within the agency’s Cyber Division.
Increased sharing of information and resources had made those cartels “a bit concerning to us”, Holmes added, as it reflected “a major change among the ransomware actors”.
Despite increasing enforcement success, ransomware’s relative ease of deployment and its potential for significant returns will continue to make it a favourite of cybercriminals.
“If we’re going to be in a global economic downturn as a result of the coronavirus and other geopolitical issues,” said Moran, “people are going to get more desperate – and they’re going to try to go to where they can generate income.”
“If people keep paying the ransoms – and they are actually paying the ransoms – these trends are going to continue.”
Hope for the desperate
Strong inter-agency collaboration – “our agencies do work very well together, despite what you might see in the movies,” Moran joked – had seen ever more effective investigations that often extended to foreign countries, whose own intelligence and cyber-investigations units have joined the global fight against ransomware gangs.
Investigative networks now offer real support for ransomware victims, said Jason Conboy, a Department of Homeland Security special agent who oversees training and investigations around network intrusion breaches.
“Our agents are uniquely scattered throughout the nation and world for all three of our agencies,” he said, advising victims to “call someone, whoever you know is going to answer the phone, show up, or at least say ‘we’ll be there in a bit’.”
Agencies were far more frequently engaging with ransomware victims whose experiences – once largely ignored – have become instrumental in driving the agencies’ investigations.
“As victims reach out to us, we put them in touch with our case teams and those case teams share the most recent indicators of compromise and intelligence associated with the ransomware groups,” Holmes said, adding that experience had shown the agencies’ support “can provide some real solace” to victims.
Conversely, details of victims’ experiences “can be really valuable”, Holmes added.
“Those are leads in our cases so that we can identify who these individuals are and bring them to justice” using techniques including seizing money “that could potentially get back into the victims’ hands”.
“If I was a victim, I would at least take comfort knowing that there’s potential that some of the money could get returned to me, and that the person who victimised me could be brought to justice.”