Podcast Title: The Lawfare Podcast
Episode: Lawfare Daily: ‘Ransom War’ with Max Smeets
Release Date: June 26, 2025
Host: The Lawfare Institute
Guest: Max Smeets, Co-Director of Virtual Routes and Author of Ransom War: How Cybercrime Became a Threat to National Security
Introduction
In this episode of The Lawfare Podcast, Justin Sherman and Jonathan Cedarbaum engage in an in-depth conversation with Max Smeets, an expert in cybersecurity and the author of Ransom War: How Cybercrime Became a Threat to National Security. The discussion delves into the world of ransomware, exploring its evolution, the organizational dynamics of ransomware groups, their impact on national security, and potential strategies to counter this growing threat.
Background and Expertise of Max Smeets
Max Smeets begins by sharing his journey into the field of cybersecurity, sparked by his undergraduate studies in economics and statistics and further fueled by his fascination with Richard Clarke and Robert Knake's Cyber War (02:26). His academic pursuits led him to collaborate with the UK National Crime Agency on understanding and disrupting ransomware operations, particularly focusing on Lockbit (03:10).
Understanding Ransomware
Definition and Evolution
Max provides a comprehensive breakdown of ransomware, tracing its origins back to the late 1980s with the infamous floppy disk incident linked to Joseph Popp (07:57). Initially, ransomware was rudimentary, relying on symmetric encryption and yielding minimal financial returns. However, it has since evolved through several critical phases:
- Improved Encryption: Transition to asymmetric encryption in the early 2000s enhanced the sophistication of ransomware attacks.
- Cryptocurrency and Botnets: The adoption of cryptocurrencies and botnet infrastructure in the 2010s facilitated global scalability and anonymity.
- Ransomware as a Service (RaaS): The emergence of RaaS allowed individuals to develop and sell ransomware tools, leading to increased public visibility and hierarchical organization.
- Professionalization: From 2018 onwards, ransomware groups became highly organized entities targeting large enterprises with demands often reaching millions of dollars (12:29).
Max Smeets (07:57):
"Ransomware is a lot more than just encrypting your data and asking for a ransom. We now see multiple forms of extortion, including double and triple extortion tactics."
Key Ransomware Groups and Their Impact on National Security
Max highlights several prominent ransomware groups, emphasizing their operational methods and the broader implications for national security:
- Conti: Once the largest ransomware group, making an estimated $180 million to $1.2 billion in 2021 (13:01). Internal documents leaked from Conti revealed their hierarchical structure, business mindset, and attempts to expand their operations globally.
- Lockbit: Known for its adaptability and ongoing operations.
- Akira: Responsible for high-profile breaches, such as the attack on Stanford University.
- Qilin: Targeted Synnovis, a pathology services provider in the UK.
- Scattered Spider: Noteworthy for its targeted voice phishing techniques and attacks on UK retailers.
Max Smeets (15:17):
"The group that I have looked at most closely for my book is Conti. They were experimenting with a wide range of different tactics, moving away from simple phishing emails to more organized hierarchical structures."
Ransomware as a National Security Threat
Max argues that it's not just the malware itself but the organized groups behind it that pose significant national security risks. These groups target critical infrastructure, government entities, and large enterprises, causing widespread disruption and financial loss. The collateral damage from their for-profit motives often inadvertently affects national security.
Max Smeets (15:35):
"It's more accurate to say that the ransomware groups, the actors, are the threat to national security. These groups have proven and shown that they are very willing to target a wide range of different entities."
The Mob Framework: Analyzing Ransomware Groups
Max introduces the Mob Framework, a three-part analytical tool for understanding ransomware groups:
- Modus Operandi:
  - Access Methods: Phishing, exploiting vulnerabilities.
  - Extortion Tactics: Encryption, data theft, double/triple extortion.
  - Payment Handling: Use of cryptocurrencies, negotiation strategies.
- Organizational Structure:
  - Hierarchy: Centralized vs. decentralized.
  - Operations: Presence of physical offices, division of labor.
  - Expansion: Business strategies, target selection.
- Branding and Reputation:
  - Public Image: Media engagement, perceived reliability.
  - Affiliate Recruitment: Building trust within the criminal ecosystem.
  - Reputation Management: Ensuring victims believe in the group's ability to decrypt data and honor agreements.
Max Smeets (17:29):
"The Mob Framework allows us to analyze ransomware groups through their modus operandi, organizational structure, and branding and reputation, providing a comprehensive understanding of their operations."
The Trust Paradox in Ransomware
Max explores the Trust Paradox, where ransomware groups must balance inherent deception with the need to build trust to ensure ransom payments. This paradox involves:
- Deception: Utilizing phishing and encryption to initiate attacks.
- Trust Building: Demonstrating the ability to decrypt data upon payment and adhering to promises not to leak or re-victimize.
Failures in trust can lead to victims refusing to pay, undermining the group's financial viability.
Max Smeets (21:12):
"Ransomware groups inherently have to deceive their victims, but they also need to gain their trust to ensure payments."
State Affiliation and Geopolitical Implications
The discussion delves into the connections between ransomware groups and state actors, particularly focusing on Russian entities:
- Russian Ties: Many ransomware groups operate from Russia, Belarus, and Ukraine, with some links to the FSB (Federal Security Service).
- North Korean Involvement: While North Korean groups primarily focus on cryptocurrency theft, they have begun functioning as initial access brokers for Russian criminals, adding complexity to the global ransomware ecosystem.
Max Smeets (34:14):
"The great majority of ransomware groups operate from Russia, Belarus, and Ukraine. Conti, for example, had connections with the FSB, but this doesn't apply uniformly across all groups."
Emerging Trends and the Future of Ransomware
Looking ahead, Max identifies several trends shaping the future landscape of ransomware:
- AI and Data Analysis:
  - Enhanced phishing techniques using large language models (LLMs).
  - Improved data analytics to better understand and exploit victim data for more effective extortion.
- Fragmentation of the Ransomware Ecosystem:
  - Law enforcement actions against major groups like Conti have led to increased fragmentation, making attribution more challenging.
- Platform-Based Operations:
  - Development of platforms allowing affiliates to conduct operations with minimal technical expertise, further dispersing the ecosystem.
Max Smeets (42:40):
"We are seeing a fragmentation of the ransomware ecosystem as law enforcement disrupts major groups, leading to smaller, more dispersed operations."
Countermeasures and Recommendations
Max offers insights into the current state of countermeasures and suggests future strategies to mitigate the ransomware threat:
- Government Initiatives:
  - Significant increase in countermeasures since 2021, primarily targeting the modus operandi and organizational structures of ransomware groups.
  - Example: Operation Cronos, led by the NCA with partners, disrupted Lockbit and leveraged public messaging to undermine the group's reputation (46:27).
- Public and Media Role:
  - Responsible reporting can help erode the trust and reputation ransomware groups rely on.
  - As with strategies used against terrorism and disinformation, media narratives should avoid inadvertently bolstering the credibility of these criminal organizations.
- Policy Recommendations:
  - Ransom Payment Bans:
    - Mixed opinions on outright bans. Max cautions against exceptions that could target the most vulnerable entities.
    - Suggests broader international cooperation to ensure bans are meaningful and do not merely shift the problem geographically (51:51).
- Collaboration Between Agencies:
  - Enhanced cooperation between intelligence services and law enforcement is crucial for tracking and dismantling ransomware operations.
  - Establishing new institutional structures to facilitate this collaboration is necessary for effective countermeasures (53:58).
Max Smeets (46:27):
"Most countermeasures target the modus operandi or organizational structure, but very rarely do they tackle the branding and reputation elements, which are crucial for undermining these groups."
Conclusion
Max Smeets concludes by emphasizing the need for a multifaceted approach to combat ransomware, highlighting the importance of targeting not just the technical aspects but also the organizational and reputational facets of these groups. By leveraging responsible media practices, enhancing governmental countermeasures, and fostering inter-agency collaboration, there is potential to significantly mitigate the threats posed by ransomware to national security.
Max Smeets (55:58):
"We need to think about how we set up new institutional structures to allow for more cooperation between law enforcement and intelligence services. This collaboration is essential to effectively counteract ransomware operations."
Notable Quotes
- Max Smeets (07:57): "Ransomware is a lot more than just encrypting your data and asking for a ransom. We now see multiple forms of extortion, including double and triple extortion tactics."
- Max Smeets (15:35): "It's more accurate to say that the ransomware groups, the actors, are the threat to national security. These groups have proven and shown that they are very willing to target a wide range of different entities."
- Max Smeets (17:29): "The Mob Framework allows us to analyze ransomware groups through their modus operandi, organizational structure, and branding and reputation, providing a comprehensive understanding of their operations."
- Max Smeets (21:12): "Ransomware groups inherently have to deceive their victims, but they also need to gain their trust to ensure payments."
- Max Smeets (34:14): "The great majority of ransomware groups operate from Russia, Belarus, and Ukraine. Conti, for example, had connections with the FSB, but this doesn't apply uniformly across all groups."
- Max Smeets (42:40): "We are seeing a fragmentation of the ransomware ecosystem as law enforcement disrupts major groups, leading to smaller, more dispersed operations."
- Max Smeets (46:27): "Most countermeasures target the modus operandi or organizational structure, but very rarely do they tackle the branding and reputation elements, which are crucial for undermining these groups."
- Max Smeets (55:58): "We need to think about how we set up new institutional structures to allow for more cooperation between law enforcement and intelligence services. This collaboration is essential to effectively counteract ransomware operations."
Final Thoughts
This episode provides a thorough exploration of the ransomware landscape, offering valuable insights into the operational complexities of ransomware groups and their broader implications for national security. Max Smeets' analysis, grounded in his extensive research and firsthand knowledge, underscores the urgent need for coordinated and comprehensive strategies to combat this evolving threat.
