Ransomware could soon be about more than just money

In May 2017, North Korean hackers — allegedly, from the infamous Lazarus Group — unleashed the WannaCry ransomware attack. The malicious code quickly spread to more than 200,000 computers, crippling technology in over 150 countries. Hospitals, railroads and schools were all hit. Locked out of their system, victims received demands for bitcoin payments, in order to buy back access to their data.

The attack put ransomware on the map, but companies and individuals have been painfully slow to shore up their systems against similar assaults. Ransomware attacks increased by 93% in the first six months of 2021 as compared to the same time last year, according to the cybersecurity company CheckPoint. JBS USA, one of the largest meat suppliers in the US, paid an $11 million ransom after a breach forced five of its plants to temporarily halt operations in May. The Japanese tech giants Fujifilm and Toshiba have both been hit this year. Even the Houston Rockets, an NBA basketball team, was a target.

While the motivations behind WannaCry and many similar ransomware attacks appear to be financial, ransomware has the potential to become a powerful geopolitical tool. We spoke with Jenny Jun, non-resident fellow at the Atlantic Council’s Cyber Statecraft Initiative about how ransomware can be used coercively against adversaries and hostile governments.

This conversation has been edited for length and clarity.

Coda Story: Let’s look into the history of ransomware. From what I know, it emerged a long time ago, demanding small amounts of money — typically less than $500 — from individuals. Now, we’re seeing massive attacks on companies and governments, asking for millions.

Jenny Jun: The first case of ransomware ever recorded was in 1989. It was basically some guy who spread this virus on a floppy disk. It wasn’t really for money. He was interested in this novel thing. I think he ended up donating all the proceeds to some foundation or other. That’s how it first started. Then people forgot about it. Then in 1996, some computer scientists — Adam Young and Moti Yung —wrote an influential paper on how to use encryption coercively. That’s when it resurfaced again. That idea, coupled with the rise of cryptocurrency, which makes it really easy for criminals to get the money without risking their capture or revealing their identity, facilitated its evolution into an organized criminal enterprise.

In the early 2010s you started to see some of the early variants of ransomware, the rudimentary stuff. It was like spam. You spray and pray, and hope that at least one person will click on it. The ransom demand was not tailored to you specifically. They set what they thought was the average price that any individual would be willing to pay. Anyone who was willing to pay about $300, they paid and got their decryption key. For a long time, that was the business model. It wasn’t really making a lot of money. It was just nickels and dimes.

In 2016 to 2017, things started to change. These criminal groups were realizing that, usually, people would rather pay a couple of hundred bucks to instantly get their data back and their hardware unlocked than to brute force their way through the encryption. Once they realized that, they started going for individuals or enterprises who would be willing to pay more. That’s when we started to see a shift towards targeted ransomware, also called “big game hunting.” That was a whole different game.

So, this assumes that the fundamental goal is often financial. What about nation states? Why would a country be interested in conducting ransomware attacks?

So far, here are two cases where a nation state was involved in ransomware. The most famous is North Korea’s WannaCry. North Korea is famous for using cyber attacks to generate money. They’ve been doing illicit trade, they’ve been selling illegal weapons all over the world. They’re making counterfeit currency. So, this is like an extension of that. They’re dabbling in cybercrime, they’re stealing money from banks, they’re hacking cryptocurrency exchanges. 

WannaCry was a nickels and dimes ransomware attack. It’s a worm-based ransomware, so it spreads from network to network. It self-propagates. The goal was to try to infect as many systems as possible. Per system infected, it asked for $300. The goal was presumably to make cash. 

But what if they don’t have a financial interest? Why are they using ransomware? There are two examples here. One is Russia. In 2017, hackers from there used a ransomware worm called NotPetya, which worked like WannaCry and encrypted a lot of systems mainly in Ukraine, but elsewhere too. It locked up a lot of critical infrastructure. There, the goal was pure disruption. They weren’t really interested in getting anything in return.

Another example is Iran, which has been using ransomware called Pay2Key against Israel since early last year. For context, Iran and Israel have been fighting a shadow war, assassinating nuclear scientists, blowing up ships. Pay2Key was used as one of the means to get back at Israel. It is suspected that it wasn’t really used for financial purposes, but for disruptive ones.

Is “ransomware as a geopolitical tool” the general direction that you’re seeing? 

That’s one of my main predictions. I would go even further and say that, yes, ransomware can be used as a quasi-wiper attack, which basically fries computer systems. But it can go further, because the encryption is not totally destructive. It’s reversible and you can ask for something in return. There’s no rule saying that it has to be bitcoin or cash. 

For example, Iran is under sanctions, and a lot of U.S. allies hold Iranian financial assets frozen in their country’s banks. South Korea has a lot of frozen Iranian oil funds. So, early this year, Iran hijacked a South Korean oil tanker off the Strait of Hormuz. They said, “We’re gonna hold the ship and crew hostage, but, we’ll let them go if you unfreeze some of that money that you’re holding in your banks.” They ended up doing a swap. Iran released the crew and South Korea unfroze some of Iran’s assets. Then Iran returned the ship and got paid some more. 

Ransomware can be used in that way. That’s my prediction for the next five to 10 years, that ransomware will be used coercively — as a bargaining tool.

So, rather than being restricted to espionage and information gathering, we’re going to start to see hacking as a tool of state coercion? Which states do you think will be first to adopt it? 

I think so. I think it will be more useful in Iran and North Korea than in, say, Russia. I say that because Iran and North Korea don’t have much to lose. Victims can always retaliate and, if you think about a state like Russia, their grids, their businesses and their economy are vulnerable. Let’s say Russia encrypted a significant U.S. target and issued serious geopolitical demands —  the U.S. is not going to just say, “OK, we’ll do that.” It’s going to also encrypt targets in Russia. We’re just going to have the usual hostage situation. Attacking North Korea will cause fewer problems, because there’s less at stake there. 

Why is ransomware a powerful tool for coercion, as opposed to other kinds of cyber attacks, like wiper attacks, which essentially erase all the data?

For a long time, scholars and policymakers, government officials have been saying that we can’t really use cyber tools for coercion. The reason why they said that is that when you’re trying to use a tool coercively, you have to say “I want a certain thing in return,” and also demonstrate that you have the capability to inflict harm if they don’t listen.  

A lot of cyber operations rely on deception and surprise. That makes coercion really awkward, because for you to convey that you want something in return, you have to let them know that you’re in their network. Then the other side will say, “Well, screw you, I’m just gonna unplug my computer from the network, or mitigate that vulnerability.” 

Then ransomware comes along, which is extremely effective at coercing victims and extorting money. Theory tells me that cyber attacks are ineffective for coercion, and yet they’re coercing the hell out of everyone. 

So, I’ve been thinking about ransomware and its similarities to disinformation campaigns. They’re both low-cost, high-impact. And disinformation is becoming more accessible— disinformation for hire is now a reality. Isa the same true for ransomware? 

There’s a whole industry in the cyber-criminal world where they’re offering ransomware as a service. You and I, who know nothing about coding and nothing about how the encryption algorithm works under the hood, can go to the dark web and purchase ransomware. You pay $100 or something — it depends on the company — and then they give it to you. It’s a point-and-click system where you don’t code a single thing. There is very little barrier of entry. 

That means that it’s a lot cheaper for poorer, isolated states, like North Korea, than waging actual war. You can do a lot of damage without firing a single shot. Are we going to see more states making that kind of calculation?

I do a little bit of digging on North Korea’s cyber strategy. The reason that they got into it is that it’s a good tool to advance their national strategy. For example, they wanted to influence South Korea and change its policy in ways that benefit them. But, because of the deterrence structures that exist between the two countries, it’s very hard to do that with conventional forces. I think cyber attacks emerged as a loophole in that deterrence framework. There are no set red lines. There’s a fuzziness and ambiguity around how we respond to a cyber attack, as opposed to artillery fire. 

However, it is also empirically true that overall, states have used cyber capabilities overwhelmingly for espionage rather than as a strategic weapon. In reality, planning a cyber operation takes considerable time and resources, and systems must be compromised well in advance in order to create effects when you want to. The use of these capabilities must also serve some political or military purpose beyond simple destruction, and for aforementioned reasons it was relatively difficult to translate cyber power alone into such strategic victories. I think it’s more realistic to think that cyber capabilities would be used in tandem with existing conventional capabilities in a future conflict, rather than by itself.

Institutional victims, like hospitals or companies, aren’t concerned about calling out whoever carried out the attack, so much as they just want their data back so they can get back to business, right?

This used to be the culture, but I think it’s changing after high-profile ransomware events this year like Colonial and Kaseya. Government agencies are encouraging victims to report ransomware incidents, and there are even several bills in Congress right now to mandate such reporting. The U.S. government is using these reports to investigate and actively go after ransomware gangs such as REvil and intermediary money launderers. 

Unlike the typical cyber attribution problem, the problem isn’t necessarily coming from attributing the identity of the attackers – often the ransomware operators make their brand clear in the ransom note. The problem is that ransomware victims often do not want to disclose that they have been attacked and/or that they have paid. There is a trust issue that needs to be managed between these victims and federal agencies who handle this information, and making the reporting process clear and easy. 

Right, you could flip it and incentivize stronger cybersecurity, training, updated software and the backing up of data.

The critical flaw of ransomware is that, if you have a shadow copy of everything, then they can’t really coerce you. Invest in real-time, offline backup technology. There’s cloud technology — use that to back up your stuff. Migrate your legacy system. Subsidize the adoption of such technologies and recovery processes, or incorporate such features in cyber insurance underwriting. Update everything. It’s not rocket science.