The Dual Nature of Ransomware Attacks
Financial Gain and Geopolitical Strategy
Ransomware attacks have evolved from mere cybercriminal activities to sophisticated operations serving dual purposes: financial gain for attackers and advancing the geopolitical objectives of adversarial nations while providing plausible deniability.
This dual nature is especially concerning as we approach an election season marked by heightened public anxiety and the prevalence of disinformation campaigns. Understanding and addressing this complexity is crucial for our national security.
Financial Motivation and Geopolitical Goals
Traditionally, ransomware attacks are seen as financially motivated crimes where attackers encrypt victims’ data and demand a ransom for its release. This motivation is evident in the patterns of attacks on various sectors, including healthcare, utilities, and local governments. The financial success of these attacks is facilitated by their ability to cause significant disruption, pain, and frustration, translating into higher ransom payments.
However, this perspective overlooks the potential for these attacks to also serve larger geopolitical strategies. Adversarial nations like Russia, Iran, China and North Korea likely influence or possibly control some ransomware operator targeting, directing them to attack specific entities that align with their geopolitical interests. This dual nature provides a convenient layer of plausible deniability for these rogue regimes, allowing them to indirectly attack critical infrastructure without direct attribution.
For example, in April 2024 FBI Director Christopher Wray issued a stark warning about Chinese government-linked threat actors infiltrating U.S. critical infrastructure, specifically calling out the Operation Volt Typhoon campaign. This campaign has targeted American companies in crucial sectors such as telecommunications, energy, and water, affecting 23 pipeline operators among its victims. When the FBI attributed the attacks to China, the Chinese Ministry of Foreign Affairs denied any involvement and simply claimed that Volt Typhoon was the work of a criminal ransomware group.
Ransomware and Election Security
The upcoming election season in the United States highlights the pressing need to recognize the dual nature of ransomware attacks. The 2016 and 2020 elections demonstrated the significant impact of disinformation campaigns, primarily orchestrated by Russia, aiming to undermine public confidence in the electoral process. Ransomware attacks could compound this issue by targeting election infrastructure, creating disruptions that could fuel fear, uncertainty, and doubt among the electorate.
A ransomware attack on Fulton County, Georgia in February 2024 forced election systems to be taken offline as a precaution just prior to a local election. Even isolated disruptions in voting systems could have a ripple effect, eroding trust in the electoral process. The threat is not just the direct impact of the attacks but the broader psychological effect on an already anxious public. By targeting election systems in conjunction with disinformation campaigns, adversaries can create further a narrative of chaos and incompetence that undermines democratic institutions. They can do this through ransomware operator proxies and simply claim that it was the work of independent criminal actors who are financially motivated.
The Role of Critical Infrastructure
Beyond election systems, ransomware attacks on other critical infrastructure sectors like healthcare and utilities underscore the potential dual motives. For instance, attacks on healthcare providers during the COVID-19 pandemic not only caused financial losses and operational disruptions but also had a significant human toll, affecting patient care and public health. These attacks could be part of a broader strategy to weaken societal resilience and create widespread panic and instability.
A ransomware attack on Clay County, Indiana in April 2024 and similar incidents targeting state and local governments exemplify this dual nature. Clay county was forced to declare a state of emergency, something typically reserved for the direst of circumstances. While these attacks are financially motivated, the choice of targets suggests a strategic dimension aimed at destabilizing governance and public trust. By crippling local administrations, adversaries can create chaos at the grassroots level, furthering the geopolitical objectives of the nations that provide them safe harbor.
Redesignating Ransomware as a National Security Threat
Given the evolving nature of ransomware attacks, it is imperative for the U.S. government and its allies to reconsider how these incidents are classified and addressed. Currently, ransomware attacks are primarily viewed through the lens of cybercrime, with responses focused on law enforcement actions against the perpetrators. This approach, however, does not fully address the geopolitical dimension of the threat.
Reclassifying some ransomware attacks, particularly those targeting critical infrastructure, as national security threats would signal a shift in strategy. Such a designation would bring these attacks under the purview of national defense and intelligence agencies, allowing for a more coordinated and robust response. For example, Executive Order 13224, which targets individuals and entities involved in terrorism, could then be applicable to ransomware operators linked to attacks on critical infrastructure.
Consequences and Deterrence
Implementing real consequences for both the attackers and the nation-states benefiting from these attacks is crucial. For attackers, this means increasing the cost of their operations through enhanced law enforcement actions, including international cooperation to dismantle ransomware networks. For nation-states, this could involve diplomatic and economic sanctions, cyber countermeasures, and other actions designed to deter state-sponsored cyber activities.
But the U.S. and its allies must also invest in strengthening the resilience of critical infrastructure against ransomware attacks. This involves not only improving cybersecurity defenses but also developing robust incident response and recovery plans. Guidelines and frameworks are nice to have, but they still leave organizations to fight what are clearly nation-state level threat actors all on their own.
Conclusion
Ransomware attacks represent a complex and multifaceted threat that goes beyond mere financial gain motivations. The dual nature of these attacks, serving both the financial interests of cybercriminals and the geopolitical goals of adversarial nations, demands a comprehensive and coordinated response. As we approach a contentious election season, the potential for ransomware to disrupt voting systems and amplify public angst highlights the urgency in addressing this threat.
By redesignating ransomware attacks as national security threats and implementing real consequences for attackers and their state sponsors, we can better protect our critical infrastructure and maintain public trust in our democratic institutions. The stakes are high, and the time to act is now.
Anthony M. Freed, Director of Research, Halcyon
Freed is a strategic communications leader, award-winning author, researcher, publisher and podcast producer. Previously a freelance security journalist leading headline-making investigations that included the Symantec NAV source code leak, the mass compromise of US government agency account credentials, the Libyan psy-ops campaign and denial-of-service attack that took down WikiLeaks orchestrated by hacktivist th3j35t3r, the Heartland payment systems breach and more. Prior to that, Freed was an analyst working with Secondary and Capital markets divisions at the biggest banks around the world and had a front row seat to the bursting of the credit bubble in the late 2000’s.
Freed can be reached online at linkedin.com/in/anthonymfreed and on X (Twitter) @anthonymfreed or through the Halcyon website at halcyon.ai