Pressing Problems and Slippery Slopes: Developing an Offensive Response to Ransomware

Rarely serious enough to warrant a Hellfire as opposed to deactivation of C2 infrastructure.

The other day, I saw a poll on Twitter about if it was reasonable to employ lethal force on ransomware operators. I had a number of thoughts, which I shared at length:

TL;DR — I don’t think JDAMs are the answer to ransomware.

It came to my attention today that there appear to be some misinterpretations of my remarks, specifically that they amounted to a blanket rejection of offensive measures to respond to ransomware threats. To be clear, my previous comments were focused on advocating against kinetic measures, not every option under the offensive sun. But in discussing these misconceptions with colleagues, I came to a set of personal assessments that I think impact this debate.

It seems that, with regard to the pursuit of offensive measures to respond to ransomware, the challenge is at least three-fold.

First is that there is a lack of symmetric and sufficient defenses across the potential victim landscape. This is essentially the oldest and most persistent problem in information security. As established as the problem is, it is equally obvious that it also remains one of the hardest to solve given the scale and resource gaps between individual potential victim entities. I won’t pretend to have a silver bullet idea here, but I will say that I see this problem as being a driving factor behind the desire for an offensive means to address ransomware: the defensive challenges are so great that one can’t help but look for a potential offensive alternative.

The second challenge is that while defenses are so individualistic on a victim-to-victim basis that people scramble for offensive means to disrupt ransomware operations, law enforcement lacks a demonstrable capacity for rapid and proactive containment of the ransomware threat generally. On the other hand, the U.S. military — specifically CYBERCOM — has demonstrated at least elements of such a capacity. Thus Title 10 activities become attractive solutions rather quickly. And those activities are not without precedent:

The third challenge, which relates to the second (i.e., law enforcement lacking a standing capacity to expeditiously and proactively contain the ransomware threat), is that law enforcement approaches tend to be case-centric: build cases that can secure indictments that prosecutors can take to court fairly assured of a conviction or at least a plea. In the case of ransomware, this is at loggerheads with the need to swiftly interdict ransomware operations at all phases of an intrusion so as to preempt the disruptive impacts of successful ransomware deployments. Meanwhile, Title 10 options — like disabling C2 infrastructure or conducting other degradation measures (such as influence operations, including hinting at a doxxing capacity) — offer the attractive quality of being able to confront ransomware’s disruptive potential directly.

The overarching problem I see moving forward is how we can pursue an offensive approach to ransomware while avoiding the slippery slope of a totally militarized response. While I don’t have a silver bullet idea here either, I think Chris Krebs’s comments in the Financial Times offer a good starting point for discussions on how to shape that approach.

At the end of the day, I think Yoshi has proffered the end state I’d most like to see when it comes to having a proactive/offensive mechanism to counter ransomware operators and their activities:

A world I’d like to live in.

But it’s gonna take a lot of work.

Acknowledgements: My gratitude to Chris Krebs, Yoshi/ChicagoCyber, 不動智 — TechnoPrimitives, Viking_Sec, and Coleman Kane whose perspectives and dialogue helped shape my views as expressed in this blog.
