Understanding Ransomware and Exploring Solutions


Cyber extortion attacks on enterprises have grown exponentially in the last year, and the ransomware families behind them have grown at a similar pace. We have blocked more than 100 million of these attacks since October 2015. New families alone have grown 100% in the first six months of 2016, and we have detected and blocked more than 50 new families since January. By comparison, in 2014 and 2015 combined only 49 ransomware families were detected and blocked.


This growing cyber threat has not gone unnoticed, as evidenced by the recent U.S. Senate Subcommittee on Crime and Terrorism hearings, Ransomware: Understanding the Threat and Exploring Solutions. In these hearings Richard W. Downing, Acting Deputy Assistant Attorney General, Department of Justice, testified on the growing surge of destructive cyber-attacks. Downing has long been a champion of this fight, working alongside federal law enforcement to target, investigate and prosecute many of the most notorious cybercriminals of the last 10 years. Downing, in his prepared testimony, states:


“The scope of the threat from ransomware is staggering. Between 2005 and 2015, the Internet Crime Complaint Center (“IC3”) run by FBI received over 7,600 ransomware complaints, with nearly a third received in 2015 alone…”


This increase can only be attributed to the proliferation and evolution of botnets. These botnets have enabled cybercriminal networks to deliver highly capable ransomware in a more targeted manner. In fact, some of these botnets have now evolved into ransomware-as-a-service (RaaS) enterprises. The pernicious nature of these RaaS providers has given cybercriminals, skilled and unskilled alike, the opportunity to scale. Where historically ransomware attacks focused on consumers, this infrastructure now lets cybercriminals target enterprises and monetize their criminal activity in days, or at most weeks. Other “traditional” cybercriminal attacks demand more time to collect, sort and sell stolen data before they turn a profit in the cybercriminal underground.


Downing outlines in his testimony that the growing problem facing federal and international law enforcement lies partly in its inability to effectively target the criminal infrastructure behind these attacks. There is no comprehensive legal framework that law enforcement can use to investigate and prosecute these RaaS providers. The only law that comes close is the Computer Fraud and Abuse Act (CFAA), which is woefully outdated and inadequate. As currently written, the CFAA does not go far enough to criminalize the selling of these criminal services. Downing therefore discusses the need to update the CFAA so that it gives law enforcement the tools it needs to meet the growing destructive ransomware threat.


“Despite these many challenges, law enforcement is actively working to disrupt and defeat ransomware schemes. The FBI currently has over 30 active investigations into different ransomware variants. And this hard work has achieved some notable successes. In 2014, for example, the Department of Justice disrupted a ransomware scheme using Cryptolocker, a highly sophisticated malware that encrypted computer files on more than 260,000 computers around the world. Once infected, victims saw a message on their computer monitors, telling them that their files were encrypted and that they had three days to pay a ransom, usually between $300 and $750, if they wanted to receive the decryption key. By one estimate, more than $27 million in ransom payments were made in just the first two months after Cryptolocker launched.”


To dismantle Cryptolocker and the malware that gave it access to victims’ computers, the Department led a multi-national action that seized computer servers acting as the command and control hubs for the Cryptolocker malware. The Department also identified victims and, working with our partners at the Department of Homeland Security (“DHS”) as well as in foreign law enforcement agencies and the private sector, facilitated the removal of malware from many victim computers.


This is a point that merits emphasis. Our success against Cryptolocker and the associated malware was only possible due to the invaluable assistance provided by technology companies such as Dell SecureWorks, Microsoft, Deloitte Cyber Risk Services, Symantec, Trend Micro, and many others, as well as from universities like Carnegie Mellon and Georgia Tech.”


The solutions highlighted by Downing and the other witnesses included expanding the courts’ authority to issue injunctions to shut down attacks as they are detected, and expanding and updating the CFAA to give law enforcement the tools it needs. The one I did not hear was the overwhelming need for a comprehensive global cybersecurity strategy: a strategy that commits governments and private industry, through legal frameworks, treaties and partnerships, to eliminating the safe havens in which these threat actors operate. They thrive in the shadows, in virtual and physical safe havens. Only a global, holistic strategy can bring these cybercriminals to justice and thereby significantly reduce global cyber risk.

