The Washington PostDemocracy Dies in Darkness
The Cybersecurity 202

A newsletter briefing on cybersecurity news and policy.

Think ransomware gangs won't thrive this year? Think again, experts say

The Cybersecurity 202

A newsletter briefing on cybersecurity news and policy.

Welcome to The Cybersecurity 202! And greetings from (just outside of) San Francisco, one of my favorite few cities. As I type this, I have a splendid view of the Golden Gate Bridge. 

Reading this online? Sign up for The Cybersecurity 202 to get scoops and sharp analysis in your inbox each morning.

Below: The U.S. sends cybersecurity aid to Costa Rica, and a possible North Korean-linked cyberattack could have thousands of victims. First:

Big majority of the Network expects ransomware to be more dangerous in 2023 than in 2022

There were signs that ransomware gangs mightkey word, “might” — have been on the run in 2022.

But experts from The Cybersecurity 202 Network are far from confident that the trend, if real, will continue in 2023. A big majority of the expert group, 67 percent, expected ransomware to take off again in this calendar year.

Another 23 percent anticipated that the threat ransomware poses will stay the same, compared to last year. And only 10 percent thought the threat would decrease.


U.S. government officials believe they’ve made a dent in these cybercrime gangs.

“I am heartened by the success we've seen on ransomware,” Deputy Attorney General Lisa Monaco said Wednesday at the Aspen Verify conference in San Francisco. “What I think we've shown is that we are determined to use every tool that we can to get after this problem.”

Bruce Schneier, a lecturer and fellow at Harvard University and chief of security architecture at Inrupt, backed up Monaco’s take.

“Law enforcement's ability to track, and in some cases recover, payments is making this a less profitable crime,” he answered. “Also, we are finally engaging the international community in disrupting the infrastructure used by ransomware gangs.”

Schneier said the turmoil affecting the value of cryptocurrency has hampered ransomware gangs because that’s how they demand payment from victims. It’s an idea seconded by John Pescatore, director of emerging security trends at the SANS Institute, who added that many companies have shored up their defenses against these kinds of attacks.

The improved defenses were a factor that Shane Huntley, the director of Google’s Threat Analysis Group, also cited. “Ransomware will continue to be a significant risk but one that is more manageable,” he said, adding that the war in Ukraine has diluted the focus of Russian ransomware operators.


Yet some of those same factors — the strength of cyberdefenses and what’s happening with cryptocurrencies — were cited by the experts who expected the ransomware threat to rise in 2023.

“True, we’ve had success in recapturing ransom payments, disrupting the ransomware gangs, and improving cyberdefenses, but the fact remains that it’s an awfully easy crime to commit,” said Glenn Gerstell, a senior adviser at the Center for Strategic and International Studies who is a former general counsel of the National Security Agency. “Even though many big networks are better fortified and backed up, ransomware criminals will have no trouble finding lucrative targets at minimal cost and risk.”

And that crypto turmoil?

“Cybercriminals have learned where the money is, and no amount of government sanctions or cryptocurrency market volatility can change that in the near term,” said Jay Kaplan, chief executive and co-founder of Synack. “Ransomware criminals keep moving to softer targets as they try to squeeze money out of schools and hospitals. Attackers haven’t run out of targets yet as the same exploitable vulnerabilities keep cropping up in their victims’ networks.”

Several Network members expect artificial intelligence to improve ransomware gangs’ fortunes.

  • “ChatGPT can already write great emails and pass many standardized tests,” said Betsy Cooper, the founding director of the Aspen Tech Policy Hub and a senior adviser at Albright Stonebridge Group. “I expect hackers to find ways in 2023 to exploit this technology to tailor targeted phishing scams so they are even harder for humans to spot.”
  • “The use of these simple to use, but powerful AI engines will improve at least exponentially the ability of criminals/nation-state actors to craft lures that are more accurate, on target, victim specific, and error free,” said Rodney Joffe, a cybersecurity consultant.
  • “The growth of Ransomware-as-a-Service (renting software, sometimes on a franchise business model) had already reduced the barriers to entering the ransomware field, since skill in writing code was no longer needed to launch a malware campaign,” answered Jim Richberg, field chief information security officer at the cybersecurity firm Fortinet. “The growing popularity of OpenAI engines is likely to accelerate this trend.”

And a couple experts said they thought the numbers aren’t telling the whole picture.

  • “The threat will increase, whether it will be observed through official reporting and other analytic tools may not,” wrote Megan Stifel, chief strategy officer for the Institute for Security and Technology. “Despite reports of payments declining, we know there are gaps in actual ransomware incidents vs. the number reported to law enforcement.”
  • “While the sheer number of attacks may be down, the threat continues to grow,” said Allan Liska, senior security architect at the cybersecurity firm Recorded Future. “Overall, the intensity of attacks has increased, with ransomware groups now disrupting entire countries with their attacks and using increasingly repulsive extortion tactics against their victims. In addition, we now see ransomware being used by nation-state actors such as China, Russia and Iran.”
Stay the same

The murkiness of the numbers was a frequent factor among those who answered that they thought the threat of ransomware would stay the same in 2023.

“Overall ransomware attack numbers are somewhat hard to quantify due to lack of visibility and reporting, but what we have seen recently is more targeted and thoughtful attacks,” said Lesley Carhart, a principal incident responder at the industrial cybersecurity company Dragos. “It is not unreasonable to expect less overall haphazard and ineffective attacks, and more concentration on critical industry and less defended targets.”

The balance of good work to counter ransomware and persistent vulnerability led Chris Wysopal, chief technology officer at Veracode, to argue the threat would stay the same.

“There have been some concerted efforts to diminish the impact of ransomware against critical infrastructure and disrupt the ecosystem, but there are no fundamental changes in the underlying vulnerable technology and protections most organization use,” he said. “We still have a stockpile of kindling spread throughout small and medium organizations, which should keep the ransomware operators well fueled.”

Correction: A previous version of this newsletter included an incorrect title for Lesley Carhart. This version has been updated.

The network

A few more answers:

  • Increase: “C-suite distractions of the latest financial headlines coupled with shrinking security team staff and budget resources creates a perfect storm for increased ransomware attack impact,” wrote Elizabeth Wharton, vice president for operations at Scythe.
  • Increase: “It's a growth industry,” said Tor Ekeland, managing partner for Tor Ekeland Law. “Bad infosec will never die.”
  • Decrease: “It appears that the rapid rise of ransomware has lost some steam, but this problem isn’t going away,” said John Hultquist, vice president at Mandiant Threat Intelligence. “Russian and North Korean actors are still at it, safely carrying out attacks from their sanctuary states. Attacks on critical infrastructure are once again on the rise from actors with little to fear.”
  • Stay the same: “Just as covid isn’t going away or even abating worldwide, most organizations have accepted they will eventually fall victim to ransomware at some point, and they are not taking sufficient preventative measures because they likely believe they will emerge healthy enough after a ’mild’ ransomware infection,” said Katie Moussouris, founder and CEO of Luta Security.

The keys

U.S. committing $25 million to Costa Rica amid history of ransomware attacks

The U.S. State Department is sending $25 million to Costa Rica to strengthen the nation’s cybersecurity posture amid a swarm of ransomware attacks that have plagued the country over the past year, according to a senior administration official.

The official, who spoke on background to provide the information to reporters, said the funding was provided “in response to a direct request from President Chaves to President Biden.” 

The money will help Costa Rica’s Ministry of Science, Innovation, Technology and Telecommunications build a security operations center for detecting, responding to and preventing cyberattacks. Funds will also be dedicated to technical support and training, as well as hardware and software provisions. 

  • The official added that the Central American nation applied to join the U.S.-led Counter Ransomware Initiative, a group of 37 governments dedicated to fighting worldwide ransomware threats.

Costa Rica declared a national emergency following an attack from the Russian-linked Conti ransomware group that crippled the nation’s tax and pension systems, as we reported last year.

Possible North Korean-linked supply chain cyberattack could have thousands of victims

A large-scale supply chain attack that modified enterprise installation software is said to have stolen credentials from companies worldwide, AJ Vicens reports for CyberScoop, citing findings from SentinelOne.

“This sort of large-scale attack that takes advantage of a company’s supply chain — similar to how attackers leveraged a flaw within a SolarWinds product update to install back doors inside its customers’ networks — can be difficult to defend against and could lead to devastating consequences for victims,” Vicens writes, adding that such attacks are typically linked to nation-state hackers.

SentinelOne traced the malicious installation software to 3CX, an online conferencing tool provider.

The attack has not been traced directly to a group, though the story says there is budding evidence it may have originated from Lazarus Group, an entity that the U.S. government has linked to hacking operations in North Korea.

Russian-linked group exploiting vulnerability to steal U.S., European email data

A Russian-linked hacking group has been targeting American and European government officials’ email accounts, according to new findings from Proofpoint.

The entity, known as TA473 or Winter Vivern, appears to side with Russian and Belarusian geopolitical views in Moscow’s war on Ukraine, the report says. Since early February, it has been leveraging a vulnerability in email software platform Zimbra that allowed the group to access inboxes of government officials.

“This actor has been tenacious in its targeting of American and European officials as well as military and diplomatic personnel in Europe,” said Michael Raggi, a threat researcher at Proofpoint, adding that the group has “invested an ample amount of time” studying the mail portals of officials closely involved in political affairs and the war in Ukraine.

Government scan

FCC proposes rules to reassess foreign-owned US telecom services authority (Reuters)

White House takes spyware efforts to the international stage (Nextgov)

Securing the ballot

Online voting provider paid for academic research in attempt to sway U.S. lawmakers  (CyberScoop)

Industry report

How TikTok built a ‘team of Avengers’ to fight for its life (Politico)

Arrests spotlight online threats, harassment in hacker community (Bloomberg News)

Global cyberspace

Hackers used spyware made in Spain to target users in the UAE, Google says (TechCrunch)

Cyber insecurity

Exxon’s climate opponents were infiltrated by massive hacking-for-hire operation (The Wall Street Journal)

Lumen Technologies says ransomware attack disrupted call centers (Cybersecurity Dive)

Microsoft patched Bing vulnerability that allowed snooping on email and other data (The Wall Street Journal)

Encryption wars

Free AI programs prone to security risks, researchers say (Bloomberg News)

Privacy patch

The DEA bought customer data from rogue employees instead of getting a warrant (Motherboard)


  • Rep. Jim Himes (D-Conn.), the top Democrat on the House Permanent Select Committee on Intelligence, has a fireside chat at the State Department’s Summit for Democracy, with sessions kicking off at 12:30 p.m.

Secure log off

Thanks for reading. See you tomorrow.