Russia and Ransomware: Stop the Act, Not the Actor

A projection of cyber code on a hooded man is pictured in this illustration picture taken on May 13, 2017. Capitalizing on spying tools believed to have been developed by the U.S. National Security Agency, hackers staged a cyber assault with a self-spreading malware that has infected tens of thousands of computers in nearly 100 countries. REUTERS/Kacper Pempel/Illustration

The problem with defeating cyberattacks is that the speed and number of threats outpace human-centered cyber defense. That is why a new approach to cyber defense is needed.

Reports have surfaced that the U.S. government has evidence linking hackers working for the Main Intelligence Directorate (GRU) of the Russian military to the theft of Democratic National Committee emails during the presidential campaign. While arrests are unlikely, bringing charges that name and shame the hackers might influence the malefactors in the Kremlin. Barack Obama responded by placing sanctions on Russia, expelling officials and closing facilities; Vladimir Putin laughed it off at first and eventually countered with similar measures. Perhaps it is time to admit that imposing costs on Russia isn't working and to stop the act, not the actor.

An official report on the hacking that took place during the 2016 elections identified the Main Intelligence Directorate operatives as APT28. Ukraine blamed this group for the outbreak of BadRabbit ransomware in Eastern Europe at the end of October 2017, but the incident received little attention in the mainstream press beyond a few technology columns. That lack of attention was probably because the targets were in Ukraine, including the Kiev Metro and Odessa Airport. The ransomware encrypted files and demanded 0.05 Bitcoin (roughly $280 at the time) for a key to unlock each computer.

BadRabbit appeared not long after the NotPetya ransomware struck computers in dozens of countries in June 2017. It differed in that it actually extorted money, whereas NotPetya, despite its ransom note, effectively wiped data because victims had no way to obtain a working key. Researchers determined that BadRabbit was compiled from NotPetya source code with additions. That suggests the same authors, namely Russian hackers, most likely carried out both attacks, even though their incentives differed. The overt BadRabbit strike could have been a smokescreen for quieter intrusions aimed at financial and proprietary information, whereas NotPetya disrupted energy, telecom and commercial industries in Ukraine to spread panic among the people, and caught other nations in the crossfire.

Large companies outside Ukraine were hard hit by NotPetya. The shipping giant Maersk and FedEx's TNT Express each put their losses at roughly three hundred million dollars. Maersk was forced to fall back on WhatsApp on personal telephones once its email services went down, and Merck also incurred costs when it had to halt production of adult and pediatric vaccines, a disruption that could ultimately cost innocent lives. The decision to conduct ransomware attacks might have been aimed at achieving regional goals, but their indiscriminate impact had global repercussions. If Russia continues to make such choices based solely on internal benefits, then clearly a more effective way is needed to deny the benefit of the act.

The problem with defeating cyberattacks is that the speed and number of threats outpace human-centered cyber defense. Once a ransomware payload starts executing, it can encrypt a machine's files within minutes, too fast for manual intervention to counter it. Thus, organizations must automate cyber defenses to reduce the time needed to detect and respond to attacks. Moreover, these defenses must be capable of obstructing or interfering with several phases of an attack, since no single control can be relied on to stop it. The cybersecurity marketplace has responded with a number of solutions.
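To make the "detect and respond faster than a human can" point concrete, here is an added example (not code from the article or from any product it alludes to) of the kind of behavioral rule an automated defense applies: a per-process sliding window that flags a process once it has written a burst of high-entropy files, the signature of bulk encryption. The file-event log and the thresholds (window, write count, entropy floor) are constructed and hypothetical; the point is that the verdict arrives seconds after encryption starts, while a benign writer of ordinary text never trips the rule.

```python
import math
from collections import defaultdict, deque
from dataclasses import dataclass


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte. Ciphertext sits near 8.0; plain text is far lower."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


@dataclass(frozen=True)
class FileEvent:
    ts: float       # seconds since the start of the (constructed) capture
    pid: int
    op: str         # "write" or "rename"
    path: str
    entropy: float  # entropy of the bytes written; 0.0 for renames


# Hypothetical policy thresholds, not taken from any real product.
WINDOW_SECONDS = 10.0
MIN_WRITES = 20
MIN_MEAN_ENTROPY = 7.5


class RansomwareDetector:
    """Flags a pid whose recent writes are both numerous and near-random."""

    def __init__(self, window=WINDOW_SECONDS, min_writes=MIN_WRITES,
                 min_entropy=MIN_MEAN_ENTROPY):
        self.window = window
        self.min_writes = min_writes
        self.min_entropy = min_entropy
        self.recent = defaultdict(deque)  # pid -> deque of (ts, entropy)
        self.flagged = {}                 # pid -> ts at which it was flagged

    def observe(self, ev):
        """Feed one event; return the pid if this event triggers a verdict."""
        if ev.pid in self.flagged or ev.op != "write":
            return None
        q = self.recent[ev.pid]
        q.append((ev.ts, ev.entropy))
        while q and ev.ts - q[0][0] > self.window:  # drop events outside the window
            q.popleft()
        if len(q) >= self.min_writes:
            mean = sum(e for _, e in q) / len(q)
            if mean >= self.min_entropy:
                self.flagged[ev.pid] = ev.ts
                return ev.pid
        return None


def build_sample_events():
    """Constructed sample log: a slow text writer (pid 1001) and an encryptor (pid 4242)."""
    events = []
    for i in range(30):  # benign: one low-entropy write every 2 s
        events.append(FileEvent(i * 2.0, 1001, "write", f"/home/u/notes/{i}.txt", 4.2))
    for i in range(100):  # malicious: encrypted write plus rename every 0.2 s from t=30
        t = 30.0 + i * 0.2
        events.append(FileEvent(t, 4242, "write", f"/home/u/docs/{i}.docx", 7.98))
        events.append(FileEvent(t + 0.01, 4242, "rename", f"/home/u/docs/{i}.docx.encrypted", 0.0))
    events.sort(key=lambda e: e.ts)
    return events


def run_detection(events, detector=None):
    """Return (pid, detection_ts, seconds_since_pid_first_seen) for each verdict."""
    detector = detector or RansomwareDetector()
    first_seen = {}
    verdicts = []
    for ev in events:
        first_seen.setdefault(ev.pid, ev.ts)
        pid = detector.observe(ev)
        if pid is not None:
            verdicts.append((pid, ev.ts, ev.ts - first_seen[pid]))
    return verdicts


if __name__ == "__main__":
    for pid, ts, latency in run_detection(build_sample_events()):
        print(f"pid {pid} flagged at t={ts:.1f}s, {latency:.1f}s after its first write")
```

With these thresholds the encryptor is flagged on its twentieth write, under four seconds after it starts, and the caller can suspend or kill the pid before the bulk of the file set is touched; the benign writer never accumulates twenty writes in any ten-second window and its entropy is well below the floor anyway. A real deployment would pair this with controls at other phases (blocking the initial dropper, limiting lateral movement over SMB, snapshotting file shares) since, as the paragraph above notes, no single rule is reliable on its own.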