News, news analysis, and commentary on the latest trends in cybersecurity technology.

Why Classifying Ransomware as a National Security Threat Matters

Government actions help starve attack groups of the resources - money, ability to recruit, and time.

An IT Admin talks on the phone in the system control room of a high-tech facility used for surveillance, data mining, and AI.
Source: Gorodenkoff via Shutterstock

National security isn’t just about warfare or physical conflict. Anything that directly impacts economic stability and economic capability are also part of national security — and that includes ransomware attacks.

This year’s ransomware attack against Colonial Pipeline is a clear example of how a ransomware attack can disrupt large portions of the economy. Whether the cyber attackers intended to disrupt the flow of gasoline across the US East Coast isn’t even the point. What matters is they did, resulting in panic buying and gasoline pump shortages.

“Cyber disruption is one of the greatest threats to the economy,” says Marcus Fowler, director of strategic threat at Darktrace. Ransomware attacks can have a “snowballing effect,” he adds, elevating them beyond independent events to a national security concern.

Not helping matters, the wide availability of malware toolkits and ransomware-as-a-service has lowered the barrier to entry for criminals, who have become increasingly more successful at targeting large organizations across a variety of industry sectors and demanding bigger and bigger ransoms.

Government Takes Action
But recent actions by law enforcement and federal investigators have made it more difficult and costly for these gangs to operate. In fact, just by designating something as a threat to national security shows the government is prioritizing the issue, Fowler says.

Some actions involve taking resources away from the cyberattackers. The FBI compromised the servers used by the gang behind the REvil ransomware and forced the group offline this fall. Law enforcement officials have also arrested several perpetrators over the past few months. They include the arrest of a Ukrainian national for taking part in the attack against Kaseya, as well as the arrest of multiple ransomware operators that used GandCrab and REvil-Sodinokibi in their operations.

In addition, a global law enforcement operation — including the French National Cybercrime Centre of the National Gendarmerie, the Cyber Police Department of the National Police of Ukraine, the FBI Atlanta Field Office, Europol, and Interpol — arrested two operators, seized $375,000 in cash, and froze approximately $1.3 million in cryptocurrency.

Last but not least, the US Department of Justice successfully reclaimed $2.3 million in Bitcoin that was paid to the attackers who targeted Colonial Pipeline.

For some ransomware operators, these arrests, takedowns, and recovery efforts are enough to convince them to shut down to avoid prosecution. Others become more resilient. Regardless, applying this kind of pressure is necessary, Fowler says, noting that this was a “resource game.” The purpose is to convince the operators that the ransom payoff is not worth the time and effort of continually setting up infrastructure and putting in new methods to evade detection and capture.

“If we keep them in the position of needing to spend resources to stand up their own [architecture] and recruit new members, does that delay what the threat actors are trying to do?” Fowler asks.

The government’s putting pressure on cryptocurrency exchanges and sanctioning some entities can’t end ransomware, but it does impede attack operations.

“Anything that makes it harder for them to do their job, where they have to put more thought or more effort around their infrastructure or around how they’re going to get paid — that is time that they’re not spending ransoming [someone],” Fowler says.

While the pressure campaign is important, it shouldn’t be considered more important than investing in defensive resources and stopping ransomware. Dealing with ransomware requires better defenses and improved response.

“You have to be putting pressure on the [attackers], while at the same time trying to ensure that you defend well enough so that in an attack you can minimize damage,” Fowler says.

Unlocking Resources for Defense
While there may be a perception that treating these attacks as a national security threat means there will be more offensive actions, such as attacking the ransomware operators, the more important impact is that more resources are unlocked that otherwise would not have been available, says Fowler. Along with increased funding, the government can establish task forces and other support structures to allocate more people to address the issues.

Elevating cybersecurity to a national security concern also makes it easier to work with international partners, which is critical because the attacks often transcend borders, with attackers, victims, and infrastructure often in different countries.

“The national security threat needs to translate to better defensive prioritization and robust activity, and not just going after them,” Fowler says. “To have a cyber strategic advantage, you need to be able to defend better.”

Amid the current surge of ransomware attacks, the fact that the national conversation now includes cybersecurity and defense is a “silver lining,” Fowler says. There was some concern within cybersecurity experts that it would take a major, multiday destructive cyber disruption before defense would be prioritized appropriately. The infrastructure bill that was passed this year has funds specifically earmarked for cybersecurity, for example.

“When you prioritize cybersecurity defense, it’s not just ransomware you are actually defending against,” Fowler says.

To make a dent in the volume of ransomware attacks requires a combination of this kind of pressure campaign and continued investment by enterprises in defense, response, and recovery.

“Defense is going to be what changes the games in terms of ransomware actors, when they just can’t get that many ransoms,” Fowler adds.

About the Author

Fahmida Y. Rashid, Managing Editor, Features, Dark Reading

As Dark Reading’s managing editor for features, Fahmida Y Rashid focuses on stories that provide security professionals with the information they need to do their jobs. She has spent over a decade analyzing news events and demystifying security technology for IT professionals and business managers. Prior to specializing in information security, Fahmida wrote about enterprise IT, especially networking, open source, and core internet infrastructure. Before becoming a journalist, she spent over 10 years as an IT professional -- and has experience as a network administrator, software developer, management consultant, and product manager. Her work has appeared in various business and test trade publications, including VentureBeat, CSO Online, InfoWorld, eWEEK, CRN, PC Magazine, and Tom’s Guide.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights