Ransomware — malicious software that encrypts a victim’s computer files until they pay a ransom — is more than three decades old. For most of that time it was a minor annoyance. Yet over the past four years, the stakes have changed. In 2017, the global shipping company Maersk lost more than $300 million to an attack that devastated its information technology systems. (The costs would have been higher but for a lucky break: The company found a single copy of its data on a computer in Ghana.) In 2019, malware called WannaCry, suspected to be North Korean, weaponized a stolen U.S. National Security Agency tool to shut down computers around the world, causing an astonishing $4 billion in estimated damages. Criminal groups have come into vast wealth on the backs of U.S. and international business, and they are rapidly diversifying. Policymakers fear that these groups will use their funds to form organized cartels, further entrenching their power and making defense even more challenging.
The question is: What can be done about it? Are the increasingly brazen ransomware attacks just something we need to learn to live with — a new normal that Americans will accept, such as wildfires or the rising cost of health insurance? Or, like the coronavirus pandemic, which got so bad so fast that we had to double and redouble efforts to end it, do we need an Operation Warp Speed for ransomware? The recovery of much of the ransom in the Colonial Pipeline attack, announced by the Justice Department on Monday afternoon, might suggest that the latter course is possible, that there is some easy cure that can send ransomware back to the shadows it came from. I’m not so sure.
To answer this question requires understanding the strategies that have been proposed to curb ransomware. Reducing a complicated situation to its essentials, there are basically three options: defend, defund and deter. None will eliminate the threat, but each can slow its growth.
The most straightforward option is to defend companies, making their IT systems more resilient to ransomware attacks. This is probably the most effective of the three courses, but only in the long run. Even better, we know how to do it. Companies will need to maintain well-tested off-site data backups, patch vulnerable software quickly and build networks that make it difficult for an attack to spread.
In some cases, these goals can be accomplished by simply outsourcing critical business software to managed cloud providers with well-funded security teams. The problem with this approach is that it’s expensive and time-consuming. Worse, the costs are highest for the organizations that are least able to afford them: those with legacy IT systems, such as hospitals and city governments. And there’s no guarantee that these upgrades will be a panacea.
Even as organizations increase their spending on security and backups, ransomware operators have learned new tricks; for example, many ransomware operators now seek out sensitive data and threaten to leak it onto the Internet, making ransomware a costly proposition even for organizations with reliable backups.
A more appealing strategy is to avoid this work by simply defunding the ransomware gangs that exploit our vulnerable systems. Some experts have proposed banning U.S. companies from making ransomware payments. Others have suggested that we should tightly regulate cryptocurrencies such as bitcoin, which ransomware groups rely on to collect payments. But each approach has costs. Outlawing ransom payments risks turning victims into criminals and may drive companies out of business or harm customers or hospital patients.
Some have argued that the problem can be solved with blockchain “tracing” techniques that allow police to track ransom payments on the bitcoin network. This seems promising at first blush. For example: On Monday, the FBI announced that it had recovered much of a $4.4 million ransom payment made to the Colonial Pipeline hackers. But in the long run, successes like this are likely to prove transient. And on close inspection of this case, the FBI succeeded only because the Colonial hackers took few precautions to hide the movement of their funds or to protect the digital “wallet” in which the money was stored. It would be wonderful if the FBI could expect such excellent results for every future ransomware infection, but this is wishful thinking. Future attackers will no doubt learn from the Colonial hackers’ mistakes and simply make better efforts to launder their funds so they are beyond the reach of law enforcement.
Perhaps recognizing this, some radical proposals have called for a wholesale ban on cryptocurrency, which would be quite difficult to pull off. Such a ban would require cooperation from governments all over the world — unlikely in the current climate. (Full disclosure: I have developed cryptocurrency technology and serve on the board of the Zcash Foundation.)
The third option, then, is deterrence. Experts have argued that ransomware attacks represent a genuine threat to national security, and the recent attacks on U.S. infrastructure have only strengthened their case. If American companies can’t defend themselves, they argue, then the government should step up with a good offense.
In this model, U.S. intelligence agencies would identify ransomware operators and target those groups (or their host nations) with retaliatory cyberattacks. Reports indicate that the Biden administration is warming to this strategy. But even proponents of retaliation admit that there are risks. Unlike America’s critical infrastructure, ransomware groups can be too small and nimble to target. These groups possess only minimal amounts of equipment that can be attacked, and sometimes it is located in friendly countries. Retaliatory attacks also risk collateral damage on foreign computer systems, which could invite further tit-for-tat retaliation against our own vulnerable infrastructure. While deterrence may work, this is a business that could also easily get out of control.
So where does that leave us? Will ransomware attacks continue to worsen until we accept them as normal, or will the ransomware epidemic look more like the coronavirus one: an escalating disaster that fades away as we find and deploy a vaccine?
In canvassing many of the smartest security experts I know, I found opinions ranging from pessimistic to apocalyptic. Ransomware is unlikely to disappear anytime soon, because there are simply too many targets and too much work to do. It’s likely that the high-profile infrastructure attacks like the one on the Colonial Pipeline will decline, as fear of reprisal dissuades operators, and enterprising IT investments protect the biggest targets. But this won’t eliminate ransomware as a threat; it will simply drive operators away from front-page targets like pipelines, causing them to attack smaller and less-glamorous businesses that the public won’t hear about. There is simply too much money in this business for criminals to ignore, and far too many vulnerabilities in our digital infrastructure for us to fix speedily.
Of course, this won’t last forever. Smart companies such as Google have developed solutions that harden networks and make them much more resilient to today’s ransomware attacks. Building these new networks will take years and cost billions. But it’s possible that someday we’ll be perversely grateful to those ransomware developers. As awful as ransomware is, it’s ultimately a symptom of a deeper underlying problem: our collective decision to build modern civilization on top of bug-ridden digital infrastructure. This path was always going to end badly for us. Ransomware might be the least painful way for America to learn that lesson.