Countering the Future Growth of Ransomware
from Net Politics and Digital and Cyberspace Policy Program

Ransomware has grown into a major threat to organizations globally. The United States and its partners should work through international institutions to prevent ransomware gangs from expanding into other countries.
Ahmed Nasser Al-Raisi, president of Interpol, speaks during the Interpol General Assembly in November 2021. Reuters

In the past two years, ransomware has emerged in the public consciousness as a major threat. The United States faced several highly disruptive ransomware attacks in 2021, including an attack against Colonial Pipeline, which paralyzed fuel distribution across the U.S. eastern seaboard for almost a week, and an attack against the meat processor JBS, which led the company to pay an $11 million ransom. While these attacks have largely emanated from ransomware gangs in Russia and other Eastern European states, with North Korea, Iran, and, to a lesser extent, China also contributing to the problem, there is a risk that ransomware could become attractive to cybercriminals in other parts of the world. There are tangible steps the United States can take to prevent the spread of ransomware capabilities, including increasing funding for international institutions, negotiating and expanding treaties, and increasing collaboration with foreign law enforcement agencies. The United States must prepare now for cybercriminals in other regions reaching the technical sophistication of their Russian counterparts.

The growth of Russian cybercrime groups from credit card theft to large-scale ransomware deployments may be repeated in other parts of the world. Russia has a long history of cybercrime, including the world’s first digital robbery in 1994. By the early 2000s, Russian cybercrime groups were creating counterfeit credit cards using stolen or misused data and purchasing thousands of dollars in goods with the cards. Russian cybercriminals grew more sophisticated throughout the early 2000s, while collaboration between U.S. and Russian authorities on cybercrime declined to near zero, as Vladimir Putin and the Russian security apparatus began to take a more suspicious view of the United States. Russian cybercriminals developed closer ties with the Russian security services, allowing them to grow and develop their malware without the threat of law enforcement action. Over time, the cybercrime groups have operated more like businesses, developing specialized supply chains and sophisticated customer service (for a flavor of the professionalization of these criminal groups, see leaked internal chats and documents from the Conti group). An unwillingness and inability to disrupt ransomware groups in Russia were major factors in how ransomware groups in the country became a threat to the global economy.

While “big-game hunters” like Conti have attracted much of the attention of news media outlets, the United States and its allies cannot ignore the potential growth of ransomware operators based outside of traditional havens. Simple forms of cybercrime have already proliferated across the globe, including in Africa, where a recent Interpol report showed that online scams, business email compromise, and digital extortion are all on the rise on the continent. As developing countries in Africa, Latin America, and Southeast Asia grow more connected and their populace more digitally literate, the risks posed by ransomware will only grow. The United States and its partners need to create new approaches and work through existing international institutions to ensure that these low-level scammers, while still destructive in their own right, do not accelerate to the sophistication and disruptive capability of major ransomware gangs.

There have been several efforts to address cybercrime at the international level, from the Budapest Convention, first ratified in 2001, to a recent Russian-sponsored attempt to create a new treaty through the United Nations. This Russian effort, and especially the draft UN convention at the center of it, has been met with considerable backlash from the United States and many members of the European Union because of the vagueness of the proposal and the potential for the targeting of dissidents. Indeed, cybercrime laws have already been used by several authoritarian regimes to imprison and harass political opponents. The United States should continue to work with its European partners to advance the Budapest Convention as the main international cybercrime treaty. A number of important digital actors, such as the Republic of Korea, have recently signed on to the Budapest Convention, and it can be made more attractive to developing states by helping potential stakeholders understand the more technical sections of the treaty and demonstrating how the Budapest Convention could benefit their own countries.

The role of international institutions in fighting cybercrime can also be bolstered. Interpol has unveiled several programs to give developing countries the tools and training to combat cybercrime. Destabilizing cyber gangs should remain a priority of law enforcement agencies, and programs like the Interpol Regional Working Groups on Cybercrime and the Cybercrime Collaborative Platform (CCP) are useful steps in helping many underserved countries develop the capability to root out ransomware, and cybercrime more broadly, on their own. There are areas that could be improved, however. Interpol should create a program along the lines of the CCP that establishes and deepens ties between law enforcement from developing countries and developed nations. The United States also needs to step up to encourage international collaboration on cybercrime. The U.S. government currently makes no direct contribution towards Interpol’s cybercrime program (although money allocated to the Interpol general fund may be used to fund anti-cybercrime initiatives). Increasing the U.S. contribution could support the expansion of Interpol’s cybercrime collaboration program in developing countries or enable Interpol to better identify and target new threats.

The United States should also establish direct lines of collaboration with investigators in other countries. As part of this effort, U.S. policymakers should work to determine what areas or countries could emerge as cybercrime havens in the future. Operations with these countries should be prioritized to ensure that legal mechanisms are in place and ironed out and that a culture of collaboration exists between U.S. agencies and law enforcement in the foreign country. There are several risk factors that could influence the course of cybercrime in a country, including the growth of technological adoption in the country, already existing cybercrime, weak institutions (or an unwillingness to crack down on cybercrime), high prevalence of organized crime, and a lack of economic opportunity, among others. Identifying countries of concern is vital to targeting growing cyber threats and avoiding a repeat of the situation which has unfolded in Russia over the last twenty years.

This strategy will not be a panacea for all cybercrime, or even ransomware, in the future. However, while other forms of cybercrime are undeniably bad, ransomware is far more disruptive, especially to critical infrastructure such as hospitals and schools. Curbing the threat posed by ransomware would address one of the most damaging and pernicious issues in cyberspace.

Kyle Fendorf is the research associate for the Digital and Cyberspace Program at the Council on Foreign Relations.

This work is licensed under Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International (CC BY-NC-ND 4.0) License.