The known unknown: Meager data on ransomware continues to stifle urgency, progress

Fuel holding tanks are seen at Colonial Pipeline’s Linden Junction Tank Farm on May 10, 2021 in Woodbridge, New Jersey. (Photo by Michael M. Santiago/Getty Images)

The influential Ransomware Task Force saw its inaugural report, released 13 months ago, become the backbone of global debates on ransomware. But its new report, titled "One Year On," acknowledges one of the harsh truths of gauging progress: data on ransomware is unreliable no matter whom you get it from.

As governments realized the magnitude of ransomware affecting supply chains last year, the RTF started to fill a global ransomware think tank-type of role in policy discussions. In part, that was due to the diverse stakeholders that made up the group — everyone from government officials to vendors, insurers to targets, academics to industrials. In part, it was due to odd timing: The group released its first report a week before the ransomware attack on Colonial Pipeline that briefly stunted oil delivery along the East Coast.

Many of the task force's policy ideas and other recommendations were put into motion over the past year. But it is hard to gauge what has worked.

"The lack of clarity and agreement on overall attack trends highlights one of the most significant challenges in understanding and addressing the ransomware scourge, namely the insufficiency and inconsistency of reporting," reads "One Year On."

Conflicting perceptions of the ransomware threat

Ask security vendors, ransomware negotiators or blockchain analysis firms tracing criminal wallets, and ransomware incidents accelerated over the past year. Ask governments or insurers, and they will tell you incidents either declined or plateaued. The contradiction comes from each group's limited windows into the activities of ransomware gangs.

"The only way that someone would have that knowledge is if they're embedded with all of the ransomware gangs," Jen Ellis, co-chair of the Ransomware Task Force and Rapid7 vice president of community and public affairs, told SC Media.

Governments gain insight into ransomware trends through victim reporting to law enforcement — something the FBI has routinely said is incomplete, because organizations worry about the reputational and legal ramifications of alerting governments. Insurers gauge ransomware events based on claims, but claims depend on factors that can skew the picture: ransomware affiliates at one time specifically targeted insured customers because of consistent payouts, and if that strategy changed, uninsured victims would not be reflected in the claims statistics.

Meanwhile, said Ellis, the vendor community bases its statistics on the incidents it responds to, a figure that can shift with market share and with how diligently enterprises use vendor services after an attack. Blockchain analysis relies on cryptocurrencies that are easily traceable, and its view may fluctuate if attackers trade off the anonymity of niche coins for the convenience of Bitcoin. And blockchain analysts continue to discover new criminal wallets — higher ransomware totals could conceivably mean more ransoms were paid, or simply that the researchers are doing a better job of harvesting visibility.

Ransomware response: Where's the urgency?

The lack of conclusive data makes it hard to establish a baseline for whether ransomware incidents are rising or falling.

"As we build over time, what we'll look to see is how the quantitative shapes up against the qualitative. I don't think we can lose sight of the value of the anecdotal evidence — we have to keep talking to people to keep understanding what their experiences have been. But we want to also have that quantitative data that enables us to measure," Ellis said.

Several governments have instituted, or are debating instituting, breach reporting requirements that oblige victims of any kind of breach to alert the government. The goal is to assemble threat intelligence, but the reports could also serve as a starting point for more formal quantitative research. The United States passed its own version in March, albeit one that gives CISA two years to finalize the rules, and another 18 months after that before the requirement takes full effect.

Ellis said the measures were good ideas implemented without the requisite urgency.

"We can't really wait three years or four years to find out what the answer is going to be to get reporting going."

Joe Uchill

Joe is a senior reporter at SC Weekly, focused on policy issues. He previously covered cybersecurity for Axios, The Hill and the Christian Science Monitor’s short-lived Passcode website.
