Fighting ransomware: Breaking down walls between private sector and law enforcement

Accounting firms are an attractive target to ransomware authors. Not only do accounting firms store a lot of valuable and sensitive information, but the vast majority consist of just a handful of people who may or may not have the technical chops to implement and maintain a robust cybersecurity strategy.

Of course, it’s not just accounting firms who are at risk. The number of ransomware attacks on businesses almost tripled between Q4 2018 and Q1 2019, while dozens of county, city and state government systems have already been hit this year.

In many instances, the affected organizations have chosen to pay the ransom — sometimes to the tune of hundreds of thousands of dollars. This willingness to pay a ransom can be partly attributed to a lack of guidance from law enforcement, who have struggled to promote public awareness about ransomware.

How do cybercriminals evade authorities?

Although there are about 4,000 ransomware attacks per day, very few people have ever been arrested for committing a ransomware-related crime. There are a few reasons for this.

Firstly, most ransomware attacks that affect U.S. organizations originate overseas, often in countries that don’t have particularly close ties to the U.S. Coordinating international investigations with foreign law enforcement agencies is logistically challenging, resource intensive and often not feasible. Even in the event that someone is indicted, there’s no guarantee that the accused can be extradited to the U.S. to face their charges, as was the case with the two Iranian citizens allegedly behind the SamSam ransomware attack which affected 200 organizations and caused $30 million in damage.

Secondly, tracking payments to a specific person or group is difficult. Ransomware payments are made exclusively in cryptocurrencies, which are paid to anonymous wallets and often laundered through mixer or tumbler services that are designed to further obfuscate the criminals’ tracks. Local police departments simply do not have the resources to investigate complex cybercrime. In some cases, it’s local police themselves who are the victims of ransomware.

Thirdly, lawmakers are still playing catch up when it comes to ransomware. As it stands, only five states — California, Connecticut, Michigan, Texas and Wyoming — have laws in place that expressly address ransomware. Ambiguous laws make it more difficult to take the appropriate legal action against those involved with ransomware.

Law enforcement is working alongside antivirus companies

Law enforcement agencies aren’t the only ones trying to put a stop to ransomware. Tasked with protecting their users by stopping ransomware at the point of infection, antivirus companies are law enforcement’s natural allies.

Positioned on the front lines, they’re often the first to catch wind of information — say, a new malware strain, or a vulnerability that may allow researchers to crack a particular ransomware variant — which may be extremely valuable to law enforcement agencies.

Antivirus companies also benefit from this sharing of information. In some cases, antivirus companies are able to strengthen the protection capabilities of their software based on the information provided by law enforcement. In other situations, antivirus companies may have access to data that could help authorities catch the criminals who wish to extort their paying customers.

In 2016, the National High Tech Crime Unit of the Netherlands’ police, the European Cybercrime Centre (EC3) and McAfee launched No More Ransom, an initiative that aimed to bring together law enforcement and IT security companies to disrupt the criminal ransomware business model. Since its inception, No More Ransom has saved ransomware victims more than $100 million.

A big part of No More Ransom’s success comes down to efficient communication between the public and private sector. Its partners include 42 law enforcement agencies, five EU agencies and 101 public and private entities.

The need for greater cooperation in the U.S.

It’s a different story in the U.S. At both the local and federal level, law enforcement agencies have been hesitant to cooperate with private organizations, which makes combating ransomware difficult for agencies and antivirus companies alike.

With no established channels of communication between the public and private sector, it's not easy — and sometimes downright impossible — to get the information into the right hands.

However, there are signs that things are changing as policymakers begin to recognize the importance of sharing information. In July, Senator Maggie Hassan emphasized the importance of collaboration while visiting Strafford County, New Hampshire, which was hit by a cyberattack in late June.

“We need to invest in resources that allow there to be information-sharing between and among the private sector, federal government, state, local and county government,” said Hassan, as quoted by New Hampshire Public Radio.

Meanwhile, a bill was recently introduced to Congress which could allow for greater collaboration between public and private entities regarding cybersecurity.

“To make grants to and enter into cooperative agreements or contracts with States, local governments, and other non-Federal entities as the Secretary determines necessary to carry out the responsibilities of the Secretary related to cybersecurity and infrastructure security…” the bill states.

More collaboration between public and private sector

No More Ransom and EC3 are proof that improving the lines of communication between government and private companies can reduce cybercrime.

As ransomware continues to wreak havoc on accounting firms and other organizations around the globe, it’s important for U.S. law enforcement agencies to establish structures that will allow for information to be efficiently exchanged between organizations in the public and private sectors. Improving cross-sector cooperation could ultimately make cybercrime less profitable, disincentivize cyberattacks and disrupt the ransomware cycle.