The Department of Homeland Security (DHS) is making fighting ransomware a top priority, but law enforcement can struggle to get a handle on the scope of the problem – let alone chase down perpetrators – if businesses suffer these attacks in silence.
Many ransomware victims never report the incidents, said Eric Goldstein, executive assistant director of the Cybersecurity and Infrastructure Security Agency's (CISA) cybersecurity division, during a recent US Chamber of Commerce virtual panel.
"It is extremely hard for us – even as a national cybersecurity community or a national business community – to understand the breadth of the problem, because we know that many organizations are experiencing these attacks and either paying, or not paying and simply suffering through it, and aren't engaging law enforcement, aren't engaging CISA for help with remediation," Goldstein said.
But lack of reporting doesn't mean lack of incidents, and what information is available indicates that small businesses are an exceptionally popular target, said DHS Secretary Alejandro Mayorkas, who has made tackling ransomware the priority for the first of his 60-day "sprints."
Roughly half to three-quarters of ransomware victims are small businesses, Mayorkas said during the event – a figure that presumably only captures known cases.
"Small businesses comprise the backbone of our nation's economy," said Mayorkas. "It is perhaps for that very reason that individuals who seek to pose a threat to our nation, who deploy cyber tools, particularly ransomware as the vehicle for realising that threat, target SMBs as heavily as they do."
Victim and suspect?
Government is ready to help the private sector fight against ransomware, but can find it challenging to convince businesses to work with it.
"The public-private partnership is so important, because we do have tools and resources that we could provide to small business, should those small businesses not have tools to defend themselves," Mayorkas said.
Part of the challenge may be one of image. Companies hit by ransomware can be reluctant to speak to law enforcement about it, said panellist Peter Marta, who advises companies about cyber risk management and investigation in his role as a partner with law firm Hogan Lovells.
Corporations that have begun internal investigations into the attacks against them may be concerned that government agencies will take away control, Marta said. Other businesses fear punishment, should law enforcement's ransomware investigations also uncover regulatory violations or other issues on the part of the corporate victims, he said.
"When I'm engaged in the early hours of an incident, one of the first issues I address with clients is engaging US government partners," Marta said. "Occasionally, a client will resist a bit and express concern that... law enforcement might begin to investigate it, and – for clients in regulated industries – perhaps share that information it learns from a company with that client's regulators."
Both David Smith, special agent in charge of the criminal investigation division of the US Secret Service (USSS), and Goldstein said this is not the case.
"Entities impacted by ransomware are victims," Goldstein said. "Whether you call the Secret Service, federal law enforcement (or) CISA, you will be treated as a victim who needs assistance and help."
Smith asserted that the USSS's goals when contacted are to first mitigate the damage done to impacted companies and then hunt down the perpetrators.
"We're not a regulatory body; there's no evidence that the Secret Service is sharing any information with regulatory entities or employing any punitive measures against victims," Smith said. "The more information you can give the Secret Service or law enforcement, the better equipped we are to find these people, apprehend them, take them out of the equation and protect you as the victim."
Winning business collaboration
Even companies that believe law enforcement is eager to help them may not believe law enforcement can.
Some companies may not be aware of the preventative supports – like tip sheets – provided by federal agencies, while others may not believe it is worth reporting ransomware attacks due to assumptions that law enforcement cannot respond effectively. For example, many perpetrators act remotely from countries with which the US does not have extradition agreements, making pursuit difficult, Smith said.
But even bad actors tend to leave their home countries at some point. If criminals vacation in a country with which the US has closer relationships, the Secret Service has a chance to capture them, Smith said.
The big picture
Protecting SMBs from ransomware not only helps keep these immediate victims safe but also may help reduce the threat of such attacks in the future.
A recent Ransomware Task Force organised by the Institute for Security and Technology (IST) proposes tackling the growing cyber threat by working to disrupt ransomware attackers' profit models until the crime becomes more hassle for criminals than it is worth. Doing so effectively requires overturning the ecosystem in which the cybercriminals operate – and such efforts could fall short unless both public and private targets improve their defences and responses to better starve bad actors. – Government Technology/TNS