Cybersecurity and COVID-19: The Threat of Ransomware

WHELAN: Hi, everybody. And thanks for joining us today on this Council on Foreign Relations call, in their continued effort to update us on COVID-19. The topic today is “Cybersecurity and COVID-19,” and specifically the threat of ransomware.

Joining us today is Adam Meyers, who is the senior vice president of intelligence at CrowdStrike; along with Rob Knake, who is the Whitney Shepardson Senior Fellow at the Council on Foreign Relations. We will—we thank you for joining us today. And I’d like to remind the audience that the call is on the record. And we have on the phone with us corporate members as well as invited members the press.

So without any further ado, I’d like to turn it over to Adam to give us an update of what you are seeing from CrowdStrike.

MEYERS: Hi. Thanks, everybody, for your time today. From a ransomware perspective it is, I’d say, the single biggest threat that we’ve seen to enterprises today. The trend that we’ve observed over the last eighteen to twenty-four months now is that lot of the critical actors who had previously been engaging in bank fraud, wire fraud, and other types of illicit activity using cyber means, primarily through customized malware, have begun transitioning their operations to conduct ransomware. And this isn’t ransomware as it was in 2016, when it was at the forefront of discussion. You know, the Senate Judiciary had a hearing on it and there was quite a bit of attention that was being drawn towards ransomware. But that ransomware was targeting individuals in many cases. It was going after an individual, encrypting their pictures, their tax records, whatever it might be, their personal documents, and trying to charge a couple hundred dollars to unlock those files.

And I think that those threat actors kind of realized, one, that it was a lot of work to do that. They had to effectively man a help desk in multiple languages to be able to see profit from that ransom activity. And some of the bigger threat actors kind of started paying attention reports in the media about things like health care records and things of that nature becoming encrypted, and as a ransom being, you know, something that they almost had to pay. And we started to see a transition. And so for the last eighteen to twenty-four months, many of the major cyber criminal actors that we track have begun conducting what we call big-game hunting or enterprise ransomware. And what this means is that rather than kind of going after individuals, they’re looking at an organization. It could be in manufacturing. We’ve seen in across pretty much industry at this point—manufacturing, health care. We’ve seen it in printing press cases. We’ve seen it in against state and local governments, school districts.

The kind of common thread here is that it’s an entity that has some sort of operational necessity to be up and running, whether it be for serving the public or creating revenue. And so they take advantage of that necessity to be up and running in order to increase the pressure to pay the ransom. And the technical kind of techniques of what they do is that they come in through any number of means. We see them coming in through exposed services like remote desktop protocol. We see them coming in through malware, banking trojans and spambots that distribute these banking trojans, give them an opportunity to get into the enterprise. They escalate privilege. They move laterally. And they get to effectively a domain controller or someplace where they have administrative control over the environment. And then they push the ransomware out far and wide, and they encrypt many, many systems. This includes database servers. It includes file servers, domain controllers, pretty much everything that’s fair game.

And once they’ve encrypted the entire enterprise, now they can kind of compel the victim to try to pay the ransom. And these ransom amounts have gotten out of control. You know, what started off as hundreds of dollars targeting individuals could now be upwards of $10 million in many cases. And the impact of this on an organization is that there’s downtime, they’re out of business. And there’s a pretty significant cost associated with it. Even if they don’t pay the ransom, there’s a cost associated with recovering the files. There’s a cost of investigation and ensuring that it doesn’t happen again, and the PR hit as well. So the impact of ransomware is pretty substantial.

And we’ve observed ransom activity occurring through actors primarily out of Eastern Europe and Russia. This is strongly evidenced by some of the intelligence that we collect, looking at some of the malware, understanding, you know, the threat actors that are active in this space. But we’re also tracking a set of activity of criminal actors operating out of Iran as well. So this is a threat that is rapidly proliferating across many different geographic regions and criminal actors who are conducting these operations. And they are making a lot of money. There’s—when I talk about enterprise ransomware, I always kind of use that quote attributed to the shameless bank robber Willie Sutton, when they asked him allegedly why do you rob banks? And he said, well, that’s where the money is.

Ransomware actors I think have realized that there’s a cash cow in targeting many of these organizations, particularly when you get down to the state and local governments that may not necessarily have the cyber resources to protect themselves adequately. And so what ends up happening is they’re able to kind of use that to their advantage to compel these organizations to pay and, you know, try to—try to—you know, that they’ll negotiate. It’s kind of becoming a little bit like drive-by kidnappings in Latin America, or express kidnappings, where they come in, they find a high-profile target, and they kind of make it a quick negotiation. And they know pretty much what the negotiating points are going to be, and they move on. So we see this activity fairly commonly.

So that’s kind of the overview of what we’re seeing from a threat space. And now I’ll turn it back to the panel here so that we can move on to hear another perspective.

WHELAN: Thanks for that, Adam. And you planted a lot of great seeds there in terms of opportunity for discussion going forward. I think before we do, Rob, can you give us an overview of where ransomware fits into the broader national security perspectives and critical infrastructure of the United States in particular, but what we’re seeing around the world?

KNAKE: Sure, happy to. I think the challenge with ransomware is until very, very recently it really wasn’t considered a national security risk. It really wasn’t at the same level as, say, Chinese espionage or Russian election interference. Those were the topics that the national security community has been focused on. Ransomware was seen as a criminal issue, best dealt with by law enforcement, where the real onus was left to the victims to clean up their own messes and make appropriate decisions for them. And so we haven’t had good policy around ransomware or what to do about it coming from the federal level. Certainly the states have, I think, been more victims than leaders in this regard because they have been so often targeted, given both the importance of their systems, as Adam noted, as well as their poor investment records for cybersecurity.

So I think what’s happening now is that the progression that Adam talked about is really important, right. This began with personal computers, probably your grandmother’s computer, probably outdated with no antivirus, no protections of any kind on it, to the point at which we’re seeing large enterprises, state governments, and now critical infrastructure being targeted. And suddenly ransomware, I think, is a national-security concern.

The response to that, however, has been, I think, a little bit muted. We really haven’t seen strong leadership coming from Congress or coming from the White House, or, for that matter, the Department of Homeland Security, on what can be done. DHS has some very good materials about what you can do to prevent ransomware, which is just a long list of better cyber hygiene and strong cybersecurity protection. But I think the reality is that we’re almost past the point at which most businesses on their own will be able to protect themselves from these threats.

Early on there was an argument to be made that this was going after the weak, the broken, that this was the only effective form of cybersecurity regulation that we had; that if you did not invest in our cybersecurity, you were going to get hit by ransomware. Now we’re seeing very sophisticated cybersecurity organizations fail to prevent ransomware attacks because now these teams have the full spectrum of offensive capabilities that are rivaling the capabilities of some nation-states. They’re building their own malware from scratch. They are utilizing Zero Days in their exploit kits.

They’re incredibly sophisticated organizations. And they’ve built those organizations starting from that $50 ransomware in your grandmother’s computer, taking that money and reinvesting it in their capabilities. And so what we’re seeing today is the result of that. We have grown these criminal enterprises. We have paid their R&D budgets. And now they are targeting us, and we’re in very bad shape.

WHELAN: Thanks for that, Rob.

And I want to turn back to one of the things we talked about—and Adam, maybe you can comment on this—is actually who are the actors being attacked.

And Rob, also broadening on your statement that we have broadened the community who are victims of this, we’ve added to this hospitals, pharmaceutical companies, school districts, and sort of what their experience is in dealing with this and how the government then would go about factoring this in as part of our critical infrastructure.

If you both could expand on both what you’re seeing and the steps that you would take.

MEYERS: Sure. So I think it’s important to note that there’s really kind of two waivers of enterprise ransomware big-game hunting that we see. The first one is kind of criminal gangs that have been conducting various activities, primarily bank fraud.

One example is a group that we track as Wizard Spider. Wizard Spider is known for a malware called TrickBot, which was primarily used for stealing banking credentials. Stealing banking credentials can be effective, but it’s fairly laborious on the back end in terms of being able to monetize those stolen credentials. You either need to have a whole infrastructure for fraudulent wire transfers or you need to be able to sell those credentials to somebody that might utilize it in such a way. And so it was, I think, a little bit more work, lower return on investment.

These actors, rather than kind of rebuilding all of their infrastructure and changing many of their techniques, they already had effectively wide distribution of their malware. I think many enterprises really kind of saw it as, oh, this is just, you know, banking trojans; nobody’s doing online banking. This is lower-severity threat in our environment. We’re not going to focus on this, because it’s just commodity malware, I think, is the thing you would hear from a lot of organizations.

Now what is happening is that those commodity infections are being activated by the threat actors to allow them to drop a more functional remote-access toolkit that allows them to move laterally to other systems, escalate privileges, and conduct more significant attacks.

These actors, I think, have been slightly stymied by some people not paying the ransoms. So what we’re seeing now too is a little bit more data exfiltration. And what they’re doing to kind of increase the pressure and to increase the likelihood of payment is they’re also threatening to disclose sensitive information, further extorting the victim.

So that’s kind of the—you know, the full-circle actor that does, you know, everything from distribution to, you know, if you file the cyber-kill-chain actions on objectives, which would be the ransom attack.

The other type of actor that we see is following more of, like, a SaaS model. We call it malware as a service or ransomware as a service. And what they effectively do is they run the back-end infrastructure and they build the ransomware.

A good example of this would be an actor that we track as Pinchy Spider, and they’re associated with a malware called REvil. And so what they do is they effectively—and before that, GandCrab. And so what they do is they’ve got the payment back end and all the malware.

So if you, as a, you know, criminal—I’ll give everybody a free lesson on how to conduct ransomware operations here—(laughs)—if you go into their platform and you can get access to it, then you’re able to create ransomware payloads. And you’re responsible for the distribution of that ransomware payload. Once that ransomware has been distributed, they run the back-end infrastructure, the payment portal and the cartography for decrypting the files once the person pays the ransom, and they take a percentage of that for running the platform.

And so those are kind of the two main modes by which these ransomware actors are operating. And there’s, you know, for the most part, kind of equal success, I would say, between the two modes. There’s the Wizard Spiders and the Indrik Spiders are kind of the groups that we track. Those are names that CrowdStrike has designated. Those are the groups that conduct the ransomware through what was formerly banking trojans like TrickBot and Dridex, respectively. And then there’s kind of the more RaaS or ransomware-as-a-service platform plays, and those are equally successful. But it’s going to depend on the individual actor that’s using that malware’s capabilities to kind of spread and deploy malware.

Outside of the commodity-malware infection, which I alluded to with TrickBot and Dridex, a lot of the threat actors tend to come in through unhardened kind of infrastructure, legacy servers, things that are kind of out there that people didn’t realize were there, and come in through RDP or web services and make quick work of moving laterally and escalating privileges in unsecured environments.

One of the things that can be most effective at stopping that—and I think we’ll get there later—but visibility, understanding or having the ability to see everything that’s going on in the environment on the end point, when it’s happening, because as soon as the ransomware is deployed and starts encrypting, you have, you know, really milliseconds to intervene and stop that before you start losing data.

WHELAN: Rob, did you have anything you wanted to jump on with that one?

KNAKE: Well, I mean, I think the key here—and I think this is a good segue to the hospitals—what we’re seeing within the health-care community, even though we spend—I tried to look this up this morning—I think we’re spending almost 16, 20 percent, depending on how you count, of U.S. GDP on health care.

Health-care systems are not investing in cybersecurity. But, moreover, they’re not investing in their IT environments. And so those legacy IT systems that Adam referenced, they are all over the medical community. They are in every doctor’s office, every dentist’s office, every local clinic, and absolutely every major hospital system. Every time that Microsoft threatens to end of life a server product or a desktop product, it’s the hospital systems that freak out and say, oh my God, we’ve got that everywhere. Our patient portals, our medical records systems, are all built on these ancient platforms. You can’t do that. Please extend the service.

And so I think, you know, in part we’re seeing with the spate of ransomware attacks against hospitals are a—are the result of a lack of investing in our IT systems within these hospitals, not just our cybersecurity within these hospitals.

I will also, as a side note, say that I think some of the difficulties we are having, more broadly, managing COVID is a result of the fact that hospitals really are not the data-enabled organizations that we would hope that they would be. So getting simple things like bed counts, patient counts, inventories of needed medical equipment, those systems, if they do exist, are rather antiquated.

And so we’ve got to find a way not only to increase the investment in cybersecurity within the medical community but to increase the investment that the medical community is making in their IT systems. There are a lot of reasons for why these investments have not been made that I’ve been trying to explore and understand. But I think we’ve got to find a way to get the systems to prioritize those investments.

WHELAN: Well, and you touched on—go ahead, Adam.

MEYERS: If I could just add one thing. I think another important thing to consider is how systems are used at hospitals and large health-care facilities. You know, in a lot of these places security is kind of the enemy of productivity, right. If they have—you know, you go to the hospital. They have these roaming carts that are used for dispensing medicines. You’ve got doctors that need to quickly access the system.

So I think the other thing that these ransomware actors are taking advantage of is the fact that some of these systems are deliberately left in an insecure state because they need to access them quickly. So that kind of is something that helps these ransomware actors and doesn’t necessarily stop anything bad from happening.

WHELAN: Well, and you both indicated sort of, and this is my last question, but it’s a two-part question, before we’ll turn it over to our audience for their questions, but beyond the CISA hygiene and the cyber wash-your-hands list that we’re seeing, what are some steps that you would recommend these organizations take? And then looking to the future, not just, as Rob discussed, the investment but also the other aspect of knowing that part of this is also ransomware getting in and lying in wait until the economy turns back on, and can you talk a little bit about steps that enterprises can take now and in the future to better prepare for this time and what comes after? And then we’ll turn it over to questions.

Adam, do you have—

MEYERS: Yeah. So from my—yeah, from my perspective I think that there’s a couple of things that need to happen. One, organizations need to not kind of deprioritize when they see a malware infection that they think is a banking trojan. You know, I think too many organizations have kind of been, like, oh, that’s not a big deal and let it sit there for months or even years, in some cases.

The other thing is, you know, I think ensuring that you have adequate, you know, best practices in place. The hygiene is critical. I mean, open RDP, which is something that I think as more people are transitioning to kind of rapidly deployed work from home a lot of organizations weren’t planning to move to a remote workforce, have made some security choices that they wouldn’t have normally made but they were under pressure. And so they’ve opened up additional services and additional capabilities that might cause them to be more susceptible to a ransomware attack.

I think another thing that’s absolutely critical for organizations to do is to be proactive and really kind of do some tabletop exercises, working through, you know, as the operational team how would you detect and how would you respond if this scenario started unfolding, and then working with upper management and the PR team and outside counsel to figure out what would your response be from a PR perspective and how you—how do you, you know, disclose what’s going on.

You know, I think there’s a—you know, we’ve seen over the years good examples of what to do and what not to do, and the organizations that have really prepared and kind of gone through these thought exercises have been much better off in situations where something bad has happened. Whether it be a, you know, sophisticated nation-state attacker or ransomware actor, you know, they’ve been prepared and they have gone through kind of the motions. I think, you know, the thing that you always hear is you play like you practice. So organizations should absolutely be running through these scenarios.

And finally, visibility. You can’t stop what you can’t see. So you really need to have the visibility on the end point because I think if you’re waiting to see something at the network level you’re probably too late because that means that the ransomware is already, you know, deploying itself and running and, you know, you’re going to be in a bad spot.

WHELAN: And before we turn it over—before we turn it over to you, Rob, let’s just take a minute and give the operator a chance to queue questions so that people can get in line.

OPERATOR: Thank you. At this time we’ll open the floor for questions.

(Gives queuing instructions.)

WHELAN: Well, and while we’re waiting, Rob, over to you for that. Sort of what is the now and what is the planning for the future?

KNAKE: So I’m going to take this from a national perspective. I mean, I think there are two things that we need to do. We need to come at this from two different angles. One, I think it’s high time that we ban the payment of ransoms. The payment of ransoms is what is fueling this. We are creating this market. We are providing the funding for these operations and for the continued R&D and we know where it is. Now we know what level of capability these groups have. It’s only a matter of time before we see a ransomware group take down a power system, a communication system. They are at that level of capability now in many people’s beliefs and, in fact, we’ve seen some targeting outside the United States of these groups.

So we’ve asked the question before when would it be the Russians’ interest to take down the U.S. power grid. Well, there would have to be geopolitical circumstances that were right for that. You don’t need those geopolitical circumstances to be right for a ransomware group. And so if we know we have those kinds of vulnerabilities, which we do, we have got to stop funneling the development of these capabilities.

The other side of it is as these ransomware groups move from targeting your grandmother, small businesses, medium-sized businesses, as they move to target critical government functions, as they move to target critical infrastructure like hospital systems, we need to treat these ransomware attacks as terrorist attacks.

That is, in fact, what they are. They fit every definition that I can find of a terrorist attack including the sideways political motivations that many of the ransomware groups have posted for their attacks. There’s very much a veneer of Robin Hood to everything they’re doing. And so my perspective is that we’ve got to target some of these actors and go after them outside of the cyber domain.

We used to make a good practice of extraordinary rendition. Snatch and grab in one country, bring them back to the United States, and put them on trial. We spend a lot of time talking about how do we create deterrence in cyberspace. Well, I think if you were worried about a CIA team grabbing you out of your house as you sleep in Ukraine and bringing you back to a New York City courtroom, you might decide to put your technical skills to better use. And so I and others have been pushing the administration to put out some declaratory policy in that area and then to back up that declaratory policy with at least one action in the short term.

WHELAN: Well, thank you, Rob and Adam. And if you’re like me you didn’t need much coffee after this conversation to wake you up. It’s a frightening prospect, and it’s fairly daunting.

But I want to bring other people into the conversation to allow them a chance to ask their question. So at this time, we’ll open the floor for questions. I want to remind participants that this call is on the record, and to ask your questions succinctly to allow as many people as possible to ask a question. And with that, Operator, if you could give us our first question.

OPERATOR: Thank you.

(Gives queuing instructions.)

Our first question comes from Jeffrey Schwartz with Booz Allen Hamilton.

Q: Hi. Thank you, everyone. Those last comments really provide a good introduction to what my question was going to be, which is: Is there, in your estimation, you know, speaking to both panelists, some risk that when companies pay this ransomware they’re making a payment to, ostensibly, an agent of an embargoed country or a sanctioned entity? And that is something that the U.S. authorities, from an enforcement perspective, are taking notice of? And is that one of the ways in which we might see a prohibition, if you will, on making those kinds of payments? Thank you.

MEYERS: Hey, that’s a great question. I’ll take it first since I unmuted first. So I guess that’s absolutely the case. We are seeing a set of activity out of Iran that’s associated with ransomware. The ransomware in question is something called Odveta. And it is—we’ve seen it in a few places. And most recently, actually, it’s been used in targeting health care systems in Europe. We observed them actually mocking one of the victims who was begging for them to let them have their systems back because they needed it to fight COVID. And the ransomware actors kind of thought that was amusing and were joking about it. And so what I think we’re seeing there is that Iran obviously being on our restricted list, we’ve heard from—colloquially, we don’t deal directly with ransom payments at CrowdStrike. But we’ve heard that some people that are dealing with ransom payments have not been paying that particular threat actor because they were worried about running afoul of those acts.

WHELAN: Rob, did you have anything—

KNAKE: Yeah, I will just add that I’ve been very surprised at how the messaging from federal law enforcement, the FBI, and the Secret Service has been all over the place on whether you should pay the ransom. The FBI director has been clear that you should not. At the field office level you can get a shrug of the shoulders that you’ve got to make your own decision about what’s best for your organization. So I think we—you know, we absolutely need to message clearly: Do not pay ransoms. And then secondarily to that, I think if we don’t have a prohibition totally on paying ransoms at this point, it would certainly be a good thing to do to use the existing prohibitions on paying certain actors from certain countries that are known to be associated with the threat actors as a sort of backwards way we can get to a prohibition on paying at least some ransoms.

WHELAN: That was an excellent question. And let’s move onto our next question.

OPERATOR: Thank you. Our next question comes from Derek Johnson with Federal Computer Week.

Q: Yeah. Hi. Hi, there. So you all talked about the federal government not having sort of a real strategy on this until relatively recently. I’m curious what more—you know, because it’s an issue that affects state and local governments and private companies, it seems, more than directly impacting federal agencies, what more can they do? Is it just an issue of making a pot of money available to either states or critical infrastructure? Should that money be dedicated to the front end in terms of building up better protections, or on the back end to help organizations who have been infected and do what U.N. agencies like CISA are advising them to do, which is not pay the ransom. Should there also be money to help them rebuild their IT infrastructure?

KNAKE: I mean, I’ll jump on this. I think one of the most interesting ideas is that as we look at the next round of stimulus, we had cash for clunkers last time. We need cash for COBOL now. If you got old IT systems and you are in a portion of the market, or in a sector in which you just aren’t going to be able to make reinvestments on your own, it would be a good time for the federal government to come in with stimulus funding to support re-architecting those systems. So I think state and local governments are an obvious one in that regard, and then there may be other subcomponents of other sectors where this kind of investment might be necessary.

So you might decide that, OK, Exelon is a very large, very well-financed power company. They don’t need federal funding to rebuild their IT systems. They’ve been doing that on their own. But a small cooperative power company in Minnesota, let’s say, they might need federal support for these efforts. And I think we could do the same kind of analysis within the health care sector and look at, OK, what kind of organizations aren’t going to be able to make these investments on their own. Where would—where should federal funding come into that?

WHELAN: Rob, before we move—oh, go ahead, Adam.

MEYERS: Sure. I was going to just kind of point out one area that I think that the federal government’s doing a great job is on the law enforcement side. The FBI has been very proactive in looking at how to disrupt cybercriminal actors. There’s been some pretty good cases. You know, and I would even point out that in one case sanctions actually had some impacts here, when the U.S. sanctioned several Iranians who they associated with ransomware activity, which was one of the earliest ransomware actors that was out there, actually. And they sanctioned them and identified how they were accepting cryptocurrency. And those actors completely disappeared. They went to ground in, I believe it was, November of 2018. And we haven’t seen them pop back up. So there has been some effective measures, I think, from a—not that sanctions are the answer to every solution—or, problem here.

But, you know, in that case I think sanctions had an impact on that threat actor. We’ve also seen where disruptions of botnets and disruptions of infrastructure have had an effect. In the case of Evgeniy Bogachev there was a botnet that was used to target individuals with ransomware, in part, called GameOverZeus. And 2014 there was a disruptive action that occurred that effectively knocked that entire infrastructure over. And he is also not really been heard from since, having been put on the FBI’s ten most wanted cybercriminal list. And then finally, the 2017 incident where the Department of Justice, and FBI, and Spanish authorities were able to coordinate the takedown and disruption of the Kelihos botnet, which had been ranging for many, many years, going back to Storm or Waledac. A similar set of activities. And that threat actor was actually on vacation in Spain with his family. And the botnet was disrupted in, I think it was, May or June of 2017. And as the botnet was disrupted, he was also arrested. And that was Peter Levashov, who was arrested in Spain and ultimately deported to the United States to stand trial.

So, you know, there has been some effective law enforcement activity. And I think that, you know, it should certainly be acknowledged and noted that they’re rapidly adapting their crime fighting techniques and engaging private industry and starting to make a difference.

WHELAN: Well, and that is worth noting, thanks for that, of the increased level of activity. Before going to our next question though, Rob, I wanted to go back to—kind of go back to one thing you said, based on Adam’s input here, which is just that the current state of affairs is unprecedented. That word is getting a bit tired, of course. But we’re seeing a level of activity so high that I wonder if you can give our participants a sense of the sense of urgency that’s out there. That once companies, once governments got through the initial effort of immediate financial relief, are you seeing any prospects for relief to help improve IT systems, all the way to fundamentally changing the way we look at ransomware? Are you—what’s your sense of that?

KNAKE: Well, I mean, I think right now we are still in triage mode on the economy. And so I don’t think we’ve begun really thinking about what the long-term plan is for stimulus and economic rebuilding. From that perspective, it is probably too early to expect the administration to have pushed out stimulus programs that might cover these kinds of areas. I do think it’s the point at which they need to get on the radar so that there are planned investments. I think one of the things about—as I’ve looked at this issue—one of the things about these kinds of investments is relative to large infrastructure projects, these are as close to shovel-ready as you can get.

Mostly you don’t, in fact, need shovels to invest in them. You don’t typically have the kind of permitting and the long tails of design to associate with an IT upgrade. That’s not to say that an IT upgrade is a simple thing for an organization to go through, but it’s probably a fairly effective way to start spending funds. And to spend funds in areas of the economy that are—that are being hit fairly hard. So I think it’s a—it’s more a call to arms at this point than a criticism to say that we don’t have a plan in this area.

WHELAN: Can we go to our next question, please?

OPERATOR: Thank you.

(Gives queuing instructions.)

Our next question comes from Eric Polowski (ph) with (Shell ?).

Q: Hi, guys. Thanks very much for doing this. I guess I’d just ask sort of two sort of related questions, which is, one, what you could say about the bulk of the workforce of these criminal enterprises and Western, non-Western, and our ability to target them. And then the second is just a follow-up on the point about banning ransom payments. You know, I’ve worked on a number of hostage circumstances and the ransom question is a continually difficult one for the U.S. government. I think it’s—views that are expressed are always at great variance, I think. I mean, maybe there’s been a little bit more unity since 2015-2014. But I think there’s still a fair bit of variance. Whether the amount of U.S. government help is equivalent such that one could really ban—so, in hostage situations you could certainly point to the U.S. government assistance as a rational for not helping. Thank you very much.

MEYERS: Can we get some clarification on what part of the workforce? I’m not sure I fully understood that part of the question.

Q: So the criminal organizations making the malware, the ransomware.

MEYERS: OK. So you know, I think the criminal organizations tend to be, depending on which mode you’re looking at, they tend to be a smaller group of pretty technical individuals, in the case of the criminal actors that have begun taking some of these operations. So kind of the smaller cells that I referred to as the, right, the Wizard—the Wizard Spider and the Indrik Spider, those tend to be small kind of clusters of individuals who have some role that they play in the larger organization. And then oftentimes we see them kind of being affiliates of the end products. So think of it as kind of a collective set of capabilities that are developed, and then different individuals have different access and usage of that kind of collective product.

On the ransomware as a platform kind of mode, we don’t really have a tremendous amount of insight into that at this time. I think it tends to be probably a similar set of activity. But they’ve decided that the way in which they’re going to monetize that product, that end result, is to open it up for others to access rather than keeping it for their own capability. Generally for the most part in Eastern Europe and Russia we observed this from some of the advertising, where they kind of open up the affiliate models of different individuals who might want to use it. We have observed it from other places where we’re able to collect information about these threat actors. And even in the malware itself, oftentimes you’ll see that the malware will look for Cyrillic language in the keyboard or the localized settings on the computer, and they avoid deploying their tools if they observe that Cyrillic language.

And I think, you know, that speaks to the fact that they understand that if they’re not causing a problem locally, then the local law enforcement probably has more important things to worry about, is kind of the best and least problematic scenario there. And so they know that if they don’t cause a problem locally then nobody’s going to come after them, and they can conduct these operations. And as Rob alluded to, a lot of these individuals have an interesting and complex identity—

WHELAN: Rob, do you have anything to add?

KNAKE: Let Adam finish what he was saying. I want to know what he was going to—

MEYERS: Yeah. So they have an interesting and complex identity. And that is—that is the—they see themselves—I think Rob alluded to them being kind of like the Robin Hoods of the world. And so the way in which they kind of see themselves is, you know, negatively impacting capitalism, and the U.S. and the West to—who rob and do these things to the rest of the world. And so that’s part of their kind of identity. And the other part of it is they actually present themselves as business professionals, information security professionals. And that’s kind of the interesting things, when you read some of these ransom notes where they basically kind of say: You got a free security assessment. And all you have to do is pay this ransom to get your data back and we’ll tell you how we got in so that it doesn’t happen again. So it’s a pretty complex kind of identity that they’ve created for themselves.

And then, real quick, as far as, you know, banning ransomware, there’s—banning the ransom payment, I think that would be really interesting to see how that gets implemented, because most of these ransom payments are done through cryptocurrency, which really is decentralized. There’s not a lot of ways that the government, you know, from what I’ve seen, can actually put a stop to somebody paying the ransom when they have no control over the mechanism by which the ransom is paid. So I’ll turn it over to Rob.

KNAKE: Yeah. I mean, I think on the point of who these groups are, what we saw very interestingly is that a couple of the groups said: We are not going to target hospitals in this. And then they gave their rationalization for why they would continue to target other organizations. And you know, what they said about the pharmaceutical companies was really, really interesting. It was essentially, you know, well, we’re going to target pharmaceutical companies because they have plenty of money. And if they’re not spending that money on their cybersecurity then, you know, it’s kind of our job to expose that fact. Like, we’re going to do your shareholders a service here by showing that you have poor cybersecurity. So it’s a very, very interesting dynamic.

On the issue of the ransomware payment, I think that there is more that the government can be doing. The government does not have the magic decryption keys, as people hope that they would. Typically the cryptography is pretty solid on this. But I do think that if you make this a national security priority and an intelligence collection priority, you could end up in a situation which not only are we able to identify the actors and expect to potentially extract them, bring them back to the United States, create some deterrence there, but you might have the ability to disrupt their operations. You might have the ability to with intelligence means collect the decryption keys. And so from that perspective I think we need much tighter coordination between the private sector, law enforcement, and the IT in order to handle this threat.

Finally, I’ll say, on the issue of banning ransomware, I don’t think I’m looking at this from a technical perspective of, well, if you paid a ransom and nobody found out about it, could you still do it? Yeah, probably. The question is, would you if you were a state and local government? Would you if you were a Fortune 500 business, an upstanding American citizen? Would you want to take on that personal legal risk of violating the law even if you might not get caught doing it?

The other thing is I think it’s typically fairly hard to hide the fact that you’ve been the victim of ransomware. And so if you’ve been the victim of ransomware and then the problem goes away six hours later, I think it’s going to be pretty obvious that you paid a ransom.

So I think we could fairly easily prohibit the payment of ransomware and have a fairly high percentage of companies that would abide by that prohibition.

MEYERS: At the risk of—at the risk of kind of being argumentative here, what—like, a lot of the organizations that are hit tend to be kind of international organizations. So I could see how organizations might pay the ransom outside of the U.S. jurisdiction and not have any sort of repercussions. No?

KNAKE: We could very easily craft a law to be extraterritorial in its dimensions. I mean, think about GDPR is an example of that. So I don’t think that there’s any issue with that. There are many laws that apply to so-called multinational companies. If you operate in the United States, the reach of federal law is pretty strong and pretty far, even outside of the United States. You can’t get around our bribery laws by saying, oh, this foreign subsidiary of our company actually paid the bribe to the foreign official. And I think we could easily construct the law to address that kind of loophole.

WHELAN: I want to ask our operator if we have any other questions in the queue.

OPERATOR: There are no additional questions at this time.

WHELAN: Then before we close this out, I wanted to just put a question to both of our panelists and ask, you know, here we are. The economy is shut down. This is a playground for ransomware. Is this your worst-case scenario, or should we be prepared for it to get even worse?

MEYERS: I’ll let Rob take that one first.

KNAKE: Yeah, I mean, my worst-case scenario is not what we’re seeing now. I think the worst-case scenario is really as the capability of these groups increase, do you have the potential for a much larger, much more destructive ransomware attack where it’s not simply a question of getting your data back but maintaining your critical or vital operations?

We’ve seen in NotPetya what destructive malware can do to an organization. I think that there are scenarios of which ransomware actors could really put at risk very significant functions of the economy, of our critical infrastructure. And so that is, I think, my worst-case scenario.

Again, we’ve largely looked at what nation-state actors might be able to do in a worst-case scenario, and largely concluded that those things would only happen in extreme geopolitical circumstances. Ransomware groups may not feel that kind of geopolitical risk. And so I think that’s the real danger. That’s the real worry that I have.

MEYERS: I don’t—

WHELAN: Adam.

MEYERS: Yeah, I don’t really have a worst-case scenario as it applies to the criminal-threat actors. I think we continue to see them evolve. It’s really interesting, I think, from an evolutionary perspective, that they went from targeting individuals’ bank accounts and company bank accounts to going after—conducting ransom attacks. And now we’re seeing them really move into extortion. And I think that that’s kind of the next trend that we’re starting to see. And there could be some significant repercussions if that takes off.

So I think my short-term kind of scenario that kind of gives me some concern is the largescale extortion by leaking of sensitive data. That could have broader impacts to organizations legally and in terms of intellectual property and things along those lines. So I don’t know that that’s a worst-case scenario, but it’s the next thing that I see happening.

WHELAN: Well, and thank you both for those comments. Hopefully, we take some actions. And this action or this activity that we’re seeing will spur some activity by the government to increase responsiveness.

I want to take a moment and thank everyone for joining us today. Again, just because we are all just voices on this call, I am Moira Whelan, the founding partner of BlueDot Strategies and a former DAS at the State Department for Digital Strategy. We were joined today by Adam Meyers, who is the senior vice president of intelligence at CrowdStrike; and Rob Knake, who is the Whitney Shepardson Senior Fellow at the Council on Foreign Relations.

So we hope you enjoyed this call. I hope you will join us for the next event tomorrow, which is at 3:00 p.m., on “Asia’s Response to Coronavirus.”

And with that, we will close our meeting. Thank you all again for joining us.