Pressing Problems and Slippery Slopes: Developing an Offensive Response to Ransomware
The other day, I saw a poll on Twitter about if it was reasonable to employ lethal force on ransomware operators. I had a number of thoughts, which I shared at length:
It came to my attention today that there appear to be some misinterpretations of my remarks, specifically that they amounted to a blanket rejection of offensive measures to respond to ransomware threats. To be clear, my previous comments were focused on advocating against kinetic measures, not every option under the offensive sun. But in discussing these misconceptions with colleagues, I came to a set of personal assessments that I think impact this debate.
It seems with regard to pursuit of offensive measures to respond to ransomware, the challenge is at least three-fold.
First is that there is a lack of symmetric and sufficient defenses across the potential victim landscape. This is essentially the oldest and most persistent problem in information security. As established as the problem is, it is equally obvious that it also remains one of the hardest to solve given the scale and resource gaps between individual potential victim entities. I won’t pretend to have a silver bullet idea here, but I will say that I see this problem as being a driving factor behind the desire for an offensive means to address ransomware: the defensive challenges are so great that one can’t help but look for a potential offensive alternative.
The second challenge is that while defenses are so individualistic on a victim-to-victim basis that people scramble for offensive means to disrupt ransomware operations, law enforcement lacks a demonstrable capacity for rapid and proactive containment of the ransomware threat generally. On the other hand, the U.S. military — specifically CYBERCOM — has demonstrated at least elements of such a capacity. Thus Title 10 activities become attractive solutions rather quickly. And those activities are not without precedent:
- CYBERCOM itself reportedly targeted the Trickbot network on the grounds of bolstering security surrounding the 2020 election, particularly in relation to ransomware threats.
- That reported CYBERCOM activity very likely was conducted in concert with publicly acknowledged actions by Microsoft that also targeted Trickbot. The targeting of Trickbot did result in some operational degradation but these impacts were not sustained. However, the apparent coordination does contribute a significant element of public-private coordination to the “offensive Title 10 solutions” precedent.
- From a foreign perspective, Australia’s ASD has conducted operations to disable the infrastructure of cyber criminals operating abroad.
The third challenge, which relates to the second (i.e., law enforcement lacking a standing capacity to expeditiously and proactively contain the ransomware threat), is that law enforcement approaches tend to be case-centric: build cases that can secure indictments that prosecutors can take to court fairly assured of a conviction or at least a plea. In the case of ransomware, this is at loggerheads with the need to swiftly interdict ransomware operations at all phases of an intrusion so as to preempt the disruptive impacts of successful ransomware deployments. Meanwhile, Title 10 options — like disabling C2 infrastructure or conducting other degradation measures (such as influence operations, including hinting at a doxxing capacity) — offer that attractive quality of being able to confront ransomware’s disruptive potential directly.
The overarching problem I see moving forward is how we can pursue an offensive approach to ransomware while avoiding the slippery slope of a totally militarized response. While I don’t have a silver bullet idea here either, I think Chris Krebs’s comments in the Financial Times offer a good starting point for discussions on how to shape that approach.
At the end of the day, I think Yoshi has proffered the end state I’d most like to see when it comes to having a proactive/offensive mechanism to counter ransomware operators and their activities:
But it’s gonna take a lot of work.
Acknowledgements: My gratitude to Chris Krebs, Yoshi/ChicagoCyber, 不動智 — TechnoPrimitives, Viking_Sec, and Coleman Kane whose perspectives and dialogue helped shape my views as expressed in this blog.