What the war on terrorism teaches us about the war on ransomware

Before my cyber threat intelligence career, I spent over a decade with the Department of Defense as a counterterrorism intelligence officer. It’s amazing how many of my colleagues from those days have also moved into cybersecurity. I think the experience in both worlds gives us a unique perspective on the threats presented in the cyber realm and the actions taken to disrupt them.

The War on Terrorism of the 2000s presents some clear analogies to the increasingly aggressive efforts by allied governments against the continuing scourge of ransomware. These analogies can help us assess what actions to take against ransomware gangs and what realistic outcomes we can expect. This past week’s disruption of the LockBit ransomware gang underscores these analogies and highlights which aspects of the War on Terrorism’s execution translate most effectively to our efforts against ransomware.

Quick seizure and disruption are critical

The first tactic – and the one that’s arguably most effective at this point – is the increasing emphasis on seizure and disruption of ransomware infrastructure, including the distribution of decryption keys to victims. While law enforcement often focuses primarily on securing arrests and collecting evidence to maximize the likelihood of successful prosecutions, prioritizing disruption of these ransomware gangs allows for greater speed of action. And that matters all the more when many of the individuals associated with these gangs are outside the reach of INTERPOL, EUROPOL, and other national and international law enforcement agencies.

This approach mirrors the post-9/11 shift in the response to terrorism, as the War on Terrorism marked a more aggressive stance focused on making it harder for terrorists to operate and denying them safe haven. While actions against ransomware gangs have obviously not gone kinetic, the seizure of these groups’ infrastructure is the cyber-realm counterpart to denying geographical safe havens to al-Qaida and other terrorist groups. The release of decryption keys also serves as a functional disarmament of these organizations. This combination of quick action, denial of safe haven, and disarmament carries the most successful lessons of the War on Terrorism over to the cybersecurity world’s efforts against ransomware.

Long-term success requires sustained pressure

The next analogy may not be as popular, but it’s important to bear in mind as we realistically weigh the results of these types of operations. There’s no denying that operations like the one against LockBit are incredibly successful, delivering important wins for law enforcement and protecting the group’s victims.

However, we must remember that it’s a short-term victory. Following major strikes against terrorist organizations, analysts would frequently frame the consequences of these actions as short-term disruptions that were unlikely to result in substantial long-term degradation of the groups’ capabilities. Sadly, the same applies here when looking at the general threat from ransomware. This one major win doesn’t necessarily equate to a long-term impact on the overall threat.

Long-term disruption of these groups will require sustained pressure and a campaign targeting the underlying enabling and motivating factors behind them. With terrorist groups, this frequently led to a discussion of “centers of gravity,” often turning into a debate over the relative importance of ideology and territorial control. With ransomware gangs, the discussion largely centers on the most effective ways to cut off their finances, as well as on broadening law enforcement’s capabilities to disrupt their operations and capture known cybercriminals.

Arresting these individuals presents the toughest challenge, as several important countries offer tacit safe haven to these criminals in return for their fealty and support. We have seen an increased push to shut down the flow of money to these groups, primarily through international sanctions and the concurrent pressure on victims not to pay for fear of violating those sanctions – but to date, this has had little impact.

According to a recent Chainalysis report, 2023 was a record-setting year for ransomware payments. That leaves us with the emphasis on persistent and aggressive efforts focused on disruption and on denying these groups their safe haven. We see the effectiveness of this tactic in the 2022 dip in ransom collected, also noted by Chainalysis, which was due in no small part to the FBI’s disruption of the Hive ransomware gang that year. But again, the record-setting year that followed underscores the temporary nature of these victories in the absence of sustained pressure.

It takes a network to defeat a network

The actions against LockBit are unequivocally a victory, and one we should celebrate. Despite this win, it’s only a matter of time until the next group rises and the cycle starts again. The application of these lessons from the War on Terrorism can help us focus on the most effective aspects of our efforts to disrupt the ransomware threat today.

It’s worth calling out one final lesson from the War on Terrorism, this one from U.S. Army General Stanley McChrystal, who would often say: “It takes a network to defeat a network,” emphasizing the importance of working together to fight back against an enemy that was determined and willing to share information, resources, and support.

As we continue to fight the threat from ransomware, let’s remember this lesson by cooperating and sharing information across the public and private sectors, and by not letting artificial divisions inhibit the flow of intelligence and cooperation among cyber defenders. Because we know those divisions aren’t holding back the ransomware threat actors.

Mike Kosak, senior principal intelligence analyst, LastPass