Ransomware’s Unintended Consequences

The information security industry finds itself, as of this writing, in the midst of a ransomware pandemic. While Business Email Compromise (BEC) likely remains more financially successful overall, much of this success is due to far wider scope and selection of victims. Ransomware, while potentially less costly in a direct fashion, adds additional concerns such as operational disruption, data loss, and costly network rebuilds that amplify expenses beyond mere ransom demands. When combined with the increasing tendency of ransomware entities to target critical services, infrastructure, and industrial entities, the possibilities for dislocation and broader societal impacts begin to multiply rather quickly.

Continuing ransomware operations and follow-on impacts produced a number of efforts to inform defenders or policymakers about such activities through 2021:

• The Cybersecurity and Infrastructure Security Agency’s “Stop Ransomware” effort.
• The Institute for Security and Technology’s Ransomware Task Force.
• Various commercial and training efforts, such as a centralized ransomware repository for the SANS Institute.

Yet for all these educational efforts and attempts to improve the security posture of many organizations, many analysts assess ransomware remains continuing problem for political reasons. Foremost of these concerns is the discrepancy between where many ransomware entities operate (in Russia or other Eastern European countries) and where their victims are located (largely, but not exclusively, Western Europe and North America). This difference, as well as some indications of efforts to spare “local” entities from ransomware impacts, leads to an initial, obvious situation where the responsible entities are seemingly unmolested by law enforcement and other concerns within their home countries.

Where matters turn more interesting (and potentially problematic) are assertions – either largely unfounded, reliant on various circumstantial connections, or based on a handful of limited actual examples – that ransomware is not merely tolerated by Russian state authorities, but actively encouraged. Such unsupported conclusions (at least in publicly available evidence) lead to various follow-on arguments that ransomware operations can be deterred through retaliation or holding Russian state interests at risk. There are a number of avenues of follow-on analysis to pursue with respect to this discussion – but the one I wish to follow in this post seems largely (if not completely) ignored in public discourse: would even state toleration (let alone active encouragement) of ransomware operations be in the best interest of Russia’s cyber-nexus operations against the United States and others?

On its face, the ransomware pandemic appears to be an excellent (if not especially surgical or well-directed) weapon for sowing disruption and uncertainty among Russia’s rivals and perceived enemies. Such activity would appear to blend in well with much-hyped concepts of Russian “hybrid warfare” from social influencing to information operations to outright disruptive cyber operations. While such activity, when executed against an entity well capable of retaliation in both overt and covert fashion such as the United States, may come close to “tickling the dragon’s tail,” there seems to be an allure and logic behind such operations to discomfort and confuse a much stronger entity in a semi-deniable fashion.

Yet the consequences of ransomware are relatively short-term: disruption of a given entity’s network until it can be restored. While some organizations may find this crippling, others (especially large organizations with their own resources and resiliency, or critical entities that can rely on external support) can leverage various mechanisms to persevere in the face of such threats. At present, the “most disruptive” events in the field of ransomware appear to mostly be items that are clearly state-directed, or disruptive operations that are (or could be) a state-directed entity masquerading as ransomware for deliberate destructive impacts. The continuing, seemingly unending campaign of “commodity” ransomware operations – even so-called “big game hunting” incidents – are certainly expensive and discomforting, but hardly rise to the level of outright destructive activity such as NotPetya.

Yet as a result of these events, many organizations are either independently pursuing more robust security controls, or will likely be required to do so through government or regulatory mandates. The latter is most insightful as this concerns so-called “critical infrastructure” sectors ranging from healthcare to electricity to pipelines. Given that a very real and noticeable aspect of public interest and likely follow-on impacts adhere to these sectors, authorities and similar entities have strong incentive to encourage or require these entities adopt a more resilient security posture.

The concluding statement above is not mere supposition, but represented in recent events. One of the more spectacular ransomware events of 2021 took place at Colonial Pipeline. Although the ransomware event did not directly impact pipeline operations, various considerations led to a suspension of product delivery, which then induced panic buying across significant portions of the United States yielding a noticeable, disruptive impact. From this event, public and private outcry resulted in an overhaul of cybersecurity guidance – and potentially future requirements – for pipeline operations.

While the impacts of this initiative are not noticeable at present, their results will likely be material overtime as asset owners and sector regulators move to “raise the bar” of cybersecurity within the pipeline sector. Most interestingly, while all available evidence indicates the Colonial Pipeline event was “just another” ransomware operation, evidence exists of previous pipeline intrusions with likely more direct and outright disruptive intent. Originally published in the early 2010s but only publicly revealed (with attribution statements) in July 2021, CISA identified a persistent intrusion campaign targeting multiple pipeline companies linked to Chinese entities from 2011 to 2013. 

The report was pilloried by the Cyber Threat Intelligence Mafia for relating to old events and for publishing the original roughly verbatim (except for new additions on attribution), including old indicators of compromise. Yet the report is significant for several reasons. First, US government entities were aware of and tracking state-directed operations – albeit likely limited to prepositioning and information gathering for a future attack, as opposed to for a direct attack – on the pipeline sector in the United States. Second, despite this identification and the clear danger this would present to the functioning of the US economy, very little concrete action was taken in response to secure the targeted sector. Third, CISA (and the Department of Homeland Security) published information on this campaign only after the very public, very noticeable event at Colonial Pipeline. So – what’s going on here?

Based on what we can observe and infer from threat actor campaigns and responses by either victims or the authorities overseeing these victims, overt actions following a state-directed campaign targeting critical infrastructure sectors seems rather difficult. Many possible reasons exist for this: the required, damning evidence to link intrusions (with no direct impact) to concerning outcomes is likely classified or otherwise incapable of being shared; the lack of obvious, immediate impact makes calls for action hard to justify for asset operators; the absence of publicly accessible results or risks makes more general support for increased oversight or regulation difficult to present. Thus for likely “prepositioning” or similar early-stage campaigns, even against very sensitive areas of modern economies, follow-on, required actions become “tough sells” – clearly observed in the case of the Chinese pipeline intrusions, but also observed in the more recent Palmetto Fusion campaign against US and European electric utilities.

Yet when a very public, noticeable event happens such as a ransomware incident, calls for action become clearer, easier to justify, and can be based upon readily grasped evidence and outcomes. As seen in the pipeline example, while a deeply concerning event such as the early 2010s intrusions into the sector directed by a state entity resulted in no discernable action for nearly a decade, a ransomware incident induced action within only a few months. The very obvious and hard to hide nature of ransomware events on public-facing critical infrastructure, from hospitals to the energy sector, make these incidents nearly impossible to hide, and result in public calls for action and response.

From the perspective of a threat actor that would like to hold a critical infrastructure entity at risk, this becomes problematic. Ideally, such entities remain relatively weakly defended and accessible to allow for future disruptive or destructive scenarios in the event of conflict. Yet public, noticeable incidents spark both identification of concerning vulnerabilities, and the potential to either build support for or outright require addressing such security holes. As a result, indiscriminate ransomware operations would appear to be a net negative for a state authority hoping to use cyber capabilities for future disruptive purposes as they have the very real consequence of improving or hardening the security posture of organizations most desirable for future campaigns.

Certainly, there are exceptions to the above. While ransomware has existed for decades, and been a persistent problem for at least the last five years, many organizations remain vulnerable to such actions, and many continue to do little (or nothing) to meaningfully improve their security posture. But in most cases, these organizations “standing still” represent other areas of society and the economy that, while certainly desirable for what they do and contribute, are not necessary in the same sense as a utility or healthcare organization. Thus, we can make a provisional argument that ransomware operations in critical infrastructure sectors – which appear to be increasing – represent a net negative and potential risk for any entity wishing to conduct more covert operations in such networks to prepare for future, disruptive events as part of state policy.

With this argument in mind, the idea that Russian authorities would either desire or turn a complete blind eye to ransomware operations targeting sensitive sectors in rival states seems to work against more fundamental goals and purposes. While certain degrees of disruption against non-critical entities, ranging from commercial enterprises to school systems, may be desirable for the disruption and dislocation produced, going after more sensitive targets that also represent valuable nodes for wartime preparation or attack execution appears to spark a defensive response that could ruin meticulous intrusion plans.

So we must ask ourselves: Does Russia (or any other state entity) benefit from the indiscriminate actions of ransomware gangs? Based on the above analysis, we should question any answer in the affirmative as such operations may just as likely provoke a more robust defensive response than allow for a (temporary) disruptive incident in the locations where they occur. From the perspective of a Putin or Xi, uncontrolled, indiscriminate ransomware operations may represent a very real risk to more important operations than a benefit. We therefore should be cautious before blindly asserting that such leaders encourage through either positive action or benign neglect for such activity, as their impacts and subsequent defender responses may result in long-term disasters for these authorities.