Combating Ransomware Attacks: Which Strategies Hold Promise?
Destigmatizing Attacks Key for Moving Forward, Says Cybersecurity Veteran Jen Ellis
Mathew J. Schwartz (euroinfosec) • December 14, 2022
Governments and defenders have made great strides to better understand the scope of the ransomware problem and take steps to disrupt it, says cybersecurity veteran Jen Ellis.
A top challenge remains calculating the extent of ransomware's harm to the economy and people's everyday lives. Obtaining accurate and complete information - including data on who's being affected and how, and by which cybercrime groups - is a challenge. "We know now that there's an iceberg, and we know what the tip of the iceberg looks like, but we don't know what percentage of that iceberg we can see," Ellis says.
It's impossible to gauge what impact external forces - such as U.S. government sanctions on Russia, more restrictive cyber insurance policy coverage, fear of regulatory sanctions, or events such as the Conti leaks - might have on the volume of ransomware attacks or victims' propensity to report them, she says.
In this audio interview with Information Security Media Group at Black Hat Europe 2022, Ellis also discusses:
- Ransomware attackers' latest tactics and strategies;
- Efforts to battle ransomware, including the Ransomware Task Force launched by the Institute for Security and Technology in April 2021;
- The impact of the economic downturn and world events on combating ransomware.
Ellis is focused on advancing cybersecurity by building collaboration between the security community and those outside it. Partnering with security experts, technology providers and operators, civil society and governments, she is committed to driving a greater understanding of cybersecurity challenges and ways of addressing them. She is the co-host of the "Security Nation" podcast and co-chair of the Ransomware Task Force, and she sits on the boards of the Center for Cybersecurity Policy and Law, I Am The Cavalry, the Aerospace Village, and the Rapid7 Cybersecurity Foundation. She is a member of the board of advisers for the CyberPeace Institute and the Global Cyber Alliance. She has testified before U.S. Congress and spoken at numerous security or business conferences, including delivering a keynote speech at Black Hat Europe 2022 in London.
Mathew Schwartz: Hi, I'm Mathew Schwartz with Information Security Media Group and I'm sitting down at Black Hat Europe with Jen Ellis, a cybersecurity - some might say veteran - but someone with deep experience in the field. Jen, great to have you here today.
Jen Ellis: Thank you very much. It's great to be here.
Mathew Schwartz: Thank you. So, ransomware.
Jen Ellis: I've heard of it.
Mathew Schwartz: Yes, I know it is a topic near and dear to your heart.
Jen Ellis: I mean, dear sounds like I really like ransomware. And who likes ransomware? Boo, you know who? The people who are making billions out of it. They love ransomware.
Mathew Schwartz: Well, and that's one of the questions I have is what we do and don't know about ransomware. We don't know necessarily where all of the money's flowing, who all has been hit, how much they're even making. What are some of the big myths that you think we need to talk about?
Jen Ellis: Well, it's even more basic than that, right? We have a problem in that, obviously, a criminal's goal is to get away with it. They don't particularly want us to know what they're doing. They also are not particularly hiding, because right now all of the odds are stacked in their favor. And they have nation states that will provide safe havens. So they're thriving in dark markets and not being particularly secretive. Outside of things like the Conti leaks, they're also not trying to show us, like, you know, everything that's going on. So then we have companies like blockchain analysis companies that are tracking wallets. But they're tracking the wallets they know about. Like, I don't know about you, but if I was a cybercriminal, I feel like I would try and have some wallets people didn't know about. That seems like it would be a good idea to me. I'd be like, oh, you know what's good is when people don't know what I'm doing. That's how I get away with the crimes.
Mathew Schwartz: But some criminals are savvier than others.
Jen Ellis: Some criminals are much savvier than the others. And then on top of that, we have - so as a security community, we put out a lot of reports, right, and they have value. But what we don't have is context, and context really matters. So let's say that I work for ACME Corp., and we're a great security vendor. And we put out an annual report based on data that comes from either our product set, our client base, all the things that we've seen, right, and we put that report out. And then there is my competitor, who we'll call Competitor Corp., and they're another great security vendor, and they also put out a report. And hey, because ransomware was a really big thing, they also put out a ransomware report. So it turns out my report and their report could be about the same dataset, could be about a dataset that slightly overlaps, could be about a completely different dataset. We have no idea, because we don't necessarily know if we share customers. And the people reading the reports, they also have no idea. So they don't know how to think about my data versus somebody else's data.
So then on top of that, there's, as I said, there's the people tracking the wallets, they put out reports, but they can only see the wallets they can see, that's not all wallets by any stretch of the imagination.
And then there's law enforcement. Now, mostly law enforcement don't like putting out reports, but some do. So like Europol put out a report, and so it's a good read. But law enforcement only has access to incidents that are reported to law enforcement. And hey, guess what? It turns out, most people don't want to report to law enforcement, because they're worried it will slow down the response, or it will cause public outcry and embarrassment, or because they're worried it will lead to some sort of regulatory action.
That brings us to regulatory agents like the ICO in the U.K. They only know about the things that get reported to them. And again, people don't want to report to them because they're worried that something's going to happen. That brings us to cyber insurers. Cyber insurers don't like to share data because their data is really their secret sauce. But sometimes they share it, or they put it out in, like, sort of, you know, more vague terms. The reality, though, is, if you look at cyber insurers' market adoption, market penetration, it's really low, because it's still super nascent. So even where they've got data - and hey, normally they have good data, and that's great - where they have data, it's not just incomplete, it's small, right? So what we've done over the past five years is we've built this kind of patchwork quilt, where we've gone to these different entities and said, "Hey, let's share what we have," and some of them have agreed and have jumped in to do that. And that's an awesome step forward from where we were. What it isn't is in any way complete. So what that means is, we know now that there's an iceberg, and we know what the tip of the iceberg looks like.
But we don't know what percentage of that iceberg we can see. I have no idea how big the iceberg is. And so when a thing happens, like let's say that Rob Joyce, who's head of security for the NSA - head of cybersecurity for NSA, I should say - when he makes a statement at CyberUK back in the springtime that ransomware attacks are down, the first thing that we have to ask ourselves is: How does he know, and is that true? And then the second thing we have to ask ourselves is why, if it is true.
So in order to find out the answers to the first question, we can go to law enforcement, and we can go to other governments, and we can go to cyber insurers, and we can go to security companies and say, "What are you seeing?" Well, I did this exact thing, and I got different answers from everyone I asked. So the cyber insurers said claims are down. And law enforcement said reports have plateaued. And the security companies, particularly the ones that monitor the dark web, said activities are way up. They said, "We're working on more incidents than ever. We're seeing more chatter in the dark web. Incidents are up." So I was like, huh, that's weird. So now I'm left with a question. Rob Joyce says ransomware incidents are down, and the reason that ransomware incidents are down is because of the sanctions that the U.S. government introduced. But given what I'm hearing, I'm left going: Are ransomware incidents down, or are reports to the government of ransomware incidents down? In which case, rather than your sanctions being the reason that incidents are down, are your sanctions the reason people aren't reporting them?
The reality is, we don't know. What we know is, the insurance claims are down. But we also know that in the past 18 months, a lot of insurance companies have made their claim requirements more stringent. So what's the cause and effect here? And I'm using these as examples to make the point; it's not really about the specific example. The point is, we cannot answer these questions in any meaningful way, because we lack enough data to understand the context, to then be able to point to what is causation versus correlation. Sorry, that was a long answer.
Mathew Schwartz: That's a great answer. I love the detail. Definitely, I will see reports come out with no effort made to tell you what it does and doesn't say - slight marketing angle to it. You get a different report every week? Yep, possibly on the same cybercrime forums, possibly different ones? Like you say: Where are the customers? Where are the sensors?
Jen Ellis: Yeah, and I'm not saying that people shouldn't read them. There is value in them, but you have to read them knowing what their limitations are and what the value is that you will get out of them. And it is not an absolute view by any stretch of the imagination. It's not even really - it's partial to the point where it has value, but it's just not explaining to you really what's going on.
Mathew Schwartz: You need to take it with a big grain of salt. Maybe you can deduce some trends, or maybe not. Regardless, we have to combat ransomware, though. I know you've been involved in those efforts. Attacks are down, attacks are up. It's not clear. But there are still ransomware-wielding criminals at large.
Jen Ellis: Yes, we know that cybercrime still exists, that we can definitely say.
Mathew Schwartz: As long as it's lucrative, and safe havens, as you say.
Jen Ellis: We put out the Ransomware Task Force report at the end of April 2021. And it had 48 recommendations to governments on how to deter and disrupt attackers, and how to prevent and respond - or help organizations prevent and respond - at scale. Right? And actually, we had a really, really, really good response from governments, for the main reason that the report went out and a week later, Colonial happened. And I think the HSE was two weeks after that, and JBS a week after that. So we had this, like, quite horrible roll of thunder, if you will, that kind of kept the momentum going. And it kind of proved exactly what we were talking about, which is that ransomware is impacting society and the economy. And so a lot of governments paid attention, right?
Last year, we saw the governments that are part of the G7 make a commitment around doing something on ransomware. And then we saw the White House launch the counter-ransomware initiative. And I don't know if you've heard, but since then, quite a lot has happened in the global diplomacy area. And quite a few governments have been tied up with other things to focus on. And so I think ransomware has, to an extent, become slightly less urgent of a priority when faced with things like, you know, the potential for nuclear war. So I think that, and also economic crashes around the world.
Mathew Schwartz: Energy crisis; there are a few small challenges at the moment.
Jen Ellis: Right. And so I think things are moving, but they're moving at the pace of very busy, overloaded governments. So, moving along slowly, but the counter-ransomware initiative, which is 30 countries around the world, is still active. They are still looking for solutions. They're still looking at things that can be done to try and advance the agenda around ransomware and make lives harder for attackers. And we do see that, like, you know, there are some notable things that have happened. But certainly not everything that could happen.
There's certainly more, I think, to be done. And I think one of the things that we've seen happen on the attacker side is a very, very, very strong leaning into double extortion, and how attackers have kind of gone back away from attacking the availability piece and much more towards confidentiality again, which actually, like, you know, it can and cannot be a good thing, right? Like, if you decide that you're going to encrypt everything you have, then it gives you a better ability to be able to go, like, shrug, do I care if they get it all? But then they'll go back to looking at availability again. So, you know, it's sort of swings and roundabouts. It's one of those things, like, it's a little bit like, you know, when you turn the light on and the cockroaches scatter - my analogies are always terrible, I'm sorry. What we sort of have to do, to an extent, is keep turning lights on, and keep making it harder for them to find places to thrive. Because we're never going to eradicate them altogether. I really take this analogy far too far. I'm so sorry.
Mathew Schwartz: I love the concept of having to keep switching on the lights to keep the monsters at bay. There's fertile metaphoric potential there. Talk to me about the RUSI initiative.
Jen Ellis: Yeah, so RUSI is the Royal United Services Institute. It's, I think, the oldest think tank, certainly in the U.K. But don't quote me on that. This is not recorded, right? They are very closely aligned with the U.K. government and have been since inception. And they've been around for a long, long time - over 100 years. And they cover a sort of pretty broad range of things, but more recently have started to do things in cybersecurity. And they've really actually kind of built up a good reputation in cybersecurity because the work is very credible. So they've been commissioned by NCSC, the National Cyber Security Centre, which is part of the U.K. government, to look into what the harm is, what the impact is, that is caused by ransomware attacks.
And I can tell you from the Ransomware Task Force point of view, we really wanted to get to grips with this, right? We really, really wanted to be able to make it much more tangible for people and say, "This is the impact on the economy," or "This is the impact on people's lives." And to be able to both, I think, quantify it in some way and qualify it in some way, and really kind of humanize it. And it's really hard, because people don't want to share their stories. And law enforcement doesn't want to share data. And nobody wants to share data. And so we found it extremely difficult to get to that point of being able to do that. And so now RUSI has taken that challenge up and said, "We are going to see if we can come up with something," and they're partnering with an academic institution. And I think that gives them an ability to really kind of go at this in a very sort of stringent way with high discipline. And I think if anybody listening to this has a story they want to share, then you should definitely get in touch with them, or you can reach out to me and I will get in touch with them for you. I'm at InfoSec Jen on either Twitter or LinkedIn or, in fact, Mastodon now, depending on which Mastodon you're on. What they need is to hear from people who have experience and are willing to share their stories, and they're super happy to keep them anonymous. Everything's gonna be aggregated. So you don't have to stick your neck out too much to do it.
Mathew Schwartz: You delivered a keynote speech at Black Hat Europe and one of the things you emphasized was the need to de-stigmatize this sort of thing. Will RUSI help on that front, do you think or hope?
Jen Ellis: I would like to think that anytime we do any of these things, it helps move us forward. I don't think RUSI in and of themselves, you know, are going to be able to solve this problem. One of the things I've talked to the Information Commissioner's Office on, the ICO, who are, you know, our data protection authority in the U.K. and who are the sort of enforcement body around cybersecurity - they are the main central enforcement body, not the regulators in certain sectors, right. They have this thing that they do, where it's basically, it's quite a steep pyramid where they're like: here's all the incidents that are reported to us. Here's the ones we actually bothered investigating. Here's the ones that actually led to any kind of, you know, ruling on them. And here's the ones that actually led to any kind of enforcement action. And actually, the top of the peak of the pyramid is very, very, very small, and people need to understand that more. They need to understand that what GDPR tells you to do is take reasonable steps. It doesn't tell you you need to be bulletproof, because actually, most people who know anything about security know that that's just not a reality. And the ICO doesn't expect you to be bulletproof. They don't expect mistakes never to have happened. They don't expect you to have had perfect knowledge. What they expect is for you to have done reasonable things, and to be open with them about it.
So I think there is a fear that people have about reporting. And there's also a fear that people have about loss of customer confidence, loss of reputation, stock value, all these kinds of things. And the reality is, it's not going to go away quickly or easily. And a part of it is because even when people understand, even when people have the sophistication enough to go: anybody can fall victim to a cyberattack, anybody can have a vulnerability in their technology, these things are normal. Even when people have the sophistication to understand that, it doesn't change the fact that if you are an organization that has a cyberattack, then chances are there'll be negative outcomes for your customers. And that's annoying to them. And so there is always going to be that stigma there, right?
My mum just got in a situation where her water provider let her know that her bank details were compromised in an incident. Now, I'm gonna say, I don't think that her water provider necessarily covered themselves with glory in the way they've handled it, because it's taken them three months to notify her that bad guys have her bank details, which is not really acceptable. But nonetheless, even if they hadn't done that, the chances are, because she's now in a situation where there's very little she can do preventatively - everything's going to be about monitoring now, unless she just closes that bank account and opens another one - she's gonna be annoyed by that. There's no two ways around that, and the company knows that, which is why they really kind of don't want to have to disclose. And every company is like that, right? And so that's the problem: that level of stigma, we will probably never get rid of. But there are things that we as a community can do to not amplify it or not make it worse. We've got to stop mocking victims. We've got to stop blaming victims for being victims. And I think that we also have to get to a point where people understand that anybody can be a target; everybody will be. These are things that we can do to help people kind of get to a better baseline and make it less stigmatized.
Mathew Schwartz: Well, Jen, it's always a pleasure. Thank you so much for your time and insights.
Jen Ellis: Thank you very much. I appreciate it.
Mathew Schwartz: I've been speaking with Jen Ellis. I'm Mathew Schwartz with ISMG. Thanks for joining us.