Justin Sherman
The following podcast contains advertising. To access an ad-free version of the Lawfare Podcast, become a material supporter of Lawfare at patreon.com/lawfare. Also check out Lawfare's other podcast offerings: Rational Security, Chatter, Lawfare No Bull, and The Aftermath.
Max Smeets
From 2018 we have really seen the professionalization of ransomware, where we have really seen these groups coming up that are highly organized and that are targeting not just individuals for a couple of hundred US dollars, but large, large enterprises, often asking tens, hundreds, or sometimes millions of US dollars.
Justin Sherman
It's the Lawfare Podcast. I'm Justin Sherman, Contributing Editor at Lawfare and CEO of Global Cyber Strategies. I'm with Jonathan Cederbaum, Lawfare Book Review Editor and Professor of Practice at George Washington University Law School. We're joined by Max Smeets, co-director of Virtual Routes and author of Ransom: How Cybercrime Became a Threat to National Security.
Max Smeets
So what the North Koreans are doing is they have now become initial access brokers for Russian criminals. So they are doing the access and they're selling that off to Russian criminals who are then doing the follow-on steps, encrypting the data and doing the negotiations, etc., etc.
Justin Sherman
Today we're talking about the history of ransomware, ransomware groups' internal business dynamics and geopolitical calculi, and the future of threats and responses. Why don't you start by telling us about yourself and, before we get to your book in a minute, how you got started in the field of studying cybersecurity, and what are some of your different research and focus areas?
Max Smeets
Sure, it's been quite a while ago that I moved into cyber. In fact, it was during my undergraduate studies. At that time, a book came out from Richard Clarke and Rob Knake in 2010, Cyber War. And I was really fascinated by it at the time. I was even a student of economics and statistics. So fascinated that I wrote a paper and then later a student poster, presented it at the national conference and talked about why we need cyber deterrence. And since then, I've never looked back. So after my undergraduate studies, I did an internship in D.C. at the Security Industry Association, and I told them I was really interested in cybersecurity, and they sent me to all the congressional hearings and I had to report back. I think this was a way for them to keep me busy. But I really enjoyed it. I could listen in on the policy conversations going on at the time. And then subsequently in my graduate degree, my master's, PhD, I focused of course on different topics and projects in cyber, but I continued to focus on them ever since. And then what I'm working on now, Justin: actually, yesterday I presented at a conference in The Hague, the Hic Tics, it's a threat intel exchange. And I was presenting my latest research project that I'm doing together with the UK National Crime Agency on LockBit, trying to better understand how we can disrupt this behavior of affiliates that are doing these ransomware operations.
Justin Sherman
That's a good preview. I know we're going to circle back to that. So you've written a wonderful new book. I know Jonathan and I were each fortunate enough, and sorry to our listeners, these events are over, to hear you speak about this in D.C. at a couple of events. The book is titled Ransom: How Cybercrime Became a Threat to National Security. As you alluded to, you've also written in a number of other cyber areas, including your other book, which I would also recommend to folks, No Shortcuts: Why States Struggle to Develop a Military Cyber Force. So what made you decide to focus on ransomware for this next book project?
Max Smeets
Yeah, when I finished No Shortcuts about three years ago, I felt the easy option would be to write another book on military cyber operations, as that was the field that I'd been in for a long time. My PhD was on that topic too. And I felt, first of all, it was an easy option. And of course, there was a lot going on that you could write about. For example, in the UK we saw the development of the UK National Cyber Force that I would certainly feel deserves a lot of attention. And you can think about the conflict in Ukraine and those cyber dimensions too; they certainly deserve a book-length research project as well. But instead I decided to move to crime, to ransomware. And when I told this to people initially, they were rather surprised. But for me, this was in some ways the obvious thing to do. First of all, because I really felt it was becoming a real national security issue, both in terms of the risk of hitting significant institutions as well as the impact that it was having on those. Second, I felt that the academic literature in particular had not really looked at it. We had seen some think tank reports, but not a single political science or international relations article had been published on the subject. And third, I felt that there was an enormous amount of data. Which data? I mean both leaks from different groups, where you can have this inside view of how they're operating, but also data from a wide range of other sources, whether this is from cryptocurrency exchanges or tracers, or from threat intel companies as well. So I felt there was an opportunity here to do a really interesting project, and I'm glad I went in that direction.
Justin Sherman
Well, interesting it is. And it's also notable, as you're saying. I'm just thinking, wow, the disparity between how many headlines we have seen on ransomware versus what you're saying, that it had not yet received sort of that academic political science treatment. This is a good segue. I want to dive into the terms a bit. So when listeners hear ransomware, they might think of the news stories I was just referencing about a hospital getting shut down and having the data encrypted, or maybe the Colonial Pipeline incident when critical infrastructure was compromised. Break this down for us. So what is ransomware, and why do we use that word? And if you want, maybe a little bit on the history of that word. And is this kind of issue a recent phenomenon, or, spoiler, kind of a leading question, you know, something that goes back further than one might expect if they were just sort of seeing this in various press headlines?
Max Smeets
Yeah, that's a great and important question. So ransomware comes from ransom and malware, right. That combination refers to someone encrypting data and then asking for a ransom. But today ransomware is a lot more than that. We see multiple forms of extortion, where often criminals do not just encrypt your data and ask for a ransom for it to be decrypted, but then also steal your data, this is called double extortion, and threaten to publish this data if you don't pay. And then you might have other forms, triple or multiple extortion, for example: we continue to go after you and DDoS you in case you don't pay. So we now have ransomware often used as a term for activity that goes far beyond the encryption of devices or networks. When it comes to the history of ransomware, we have to go actually quite far back, at least to the late 1980s. And we have to go back to a conference, the fourth International AIDS Conference, when people from the World Health Organization, as well as other policymakers and experts, were coming together. And after they had attended the conference, they would receive a floppy disk in their mailbox several months later. And on this floppy disk, there was a rather peculiar program. When you would install it, you would be asked a number of different questions: How many sexual partners have you had, how many countries have you traveled to, etc., etc. And then it would spit out a number and likelihood that you would be contracting AIDS. And if that number and likelihood were very high, you would see a message that is similar to the ones you would find at the back of a cigarette package, one that would say: your lifestyle might kill you. Please change it. Now, the thing is, after you had installed this program and rebooted your computer a number of times, actually a second message would appear.
It seemed like it was a licensing agreement, but you had been locked out of your computer, and this licensing agreement would ask you to pay US$179 for at least a single license and to send this money to a specific address in Panama through a banker's check or international transfer. And only then would you get access again to your computer. Now, long story short, this program was ultimately developed by a guy called Joseph Popp, a Harvard-educated biologist, a bit disgruntled, it seems, by WHO, who wanted to make some money on the side. And he had to set up this elaborate scheme where he is physically mailing these floppy disks, had developed it all himself, and had actually developed ransomware that was extremely easy to decrypt at the time; it was relying on symmetric encryption. And of course, ultimately it didn't make much money, with the exception of one check being sent to him that was from Scotland Yard, trying to figure out if he would actually send the decryptor back. Since then, ransomware has developed, and it went through a number of important phases. The first phase was the use of better encryption. It started to rely on asymmetric encryption, particularly from the early 2000s. Second, it started to rely on cryptocurrency and botnet infrastructure. So cryptocurrency and botnet infrastructure, the combination, allowed for scaling, both scaling of targets but also the ability to now get paid from across the world, even if that is not necessarily anonymous. And then the next big development was actually the, you can say, specialization in this space, where increasingly individuals would sometimes only develop the ransomware and then sell this off to others. This is now called ransomware as a service. It meant also that these individuals became more public because they wanted to advertise their ransomware to affiliates that could then use it.
Then from 2018, we have really seen the professionalization of ransomware, where we have really seen these groups coming up that are highly organized and that are targeting not just individuals for a couple of hundred US dollars, but large, large enterprises, often asking tens, hundreds, or sometimes millions of US dollars.
Justin Sherman
Thank you for that. If this was a video podcast, I'd say too, we sort of have to hold up the floppy disk for those who are too young to have ever seen that before. But so you've mentioned the phases, which I know we're going to get into as well, which is interesting. Across time, and maybe more recently, however you want to interpret this, who are some of the leading ransomware groups, and what are the most illustrative examples of those operations? And then what, in your mind, especially today, makes those groups and their activity a threat to national security?
Max Smeets
So across time, we have seen different groups that were really innovative. And then we saw copycats following some of their innovative ideas. So we see, for instance, the Snatch Team and Maze that were starting with this process of double extortion, leaking data from individuals. And then quickly, others followed. The group that I have looked at most closely for my book is a group called Conti. They were the biggest one in 2022. Some have estimated that they made in that year, in 2021, sorry, they made between 180 million and 1.2 billion US dollars. And in this group, you see them experimenting with a wide range of different things: experimenting with hiring individuals that would call up victims, moving away from simply writing phishing emails, experimenting also organizationally, whether they should set up an office space or not. This group was a bit more hierarchically structured. Following the implosion of that group, and we might be able to get into that a bit later, we see a bit more loosely affiliated RaaS groups, ransomware-as-a-service groups, that have emerged most prominently today. A group that came up after was LockBit. And today we see others as well. Akira is one of them, for instance, behind the hack or breach against Stanford University. Another group is Qilin, that was responsible for the hack against Synnovis, a business providing pathology services to hospitals in the UK. And last, I think it is worth pointing out one perhaps outlier group which is active today, called Scattered Spider. So the core members of that group are native English speakers from the UK, US, Canada, often in their early 20s, and they do really super targeted voice phishing. They often do it to help desks, where they pretend they have to reset their passwords, and that's the way that they get in. This was also the group behind the attacks against the retailers in the UK earlier this year.
Justin Sherman
Is it more accurate? I'm just curious what you think of this. Is it more accurate to say that the ransomware itself, the malware, that the capability is a threat to national security? Is it that the ransomware groups, the actors, are the threat to national security? Is it both?
Max Smeets
So the malware's technical traits matter, right? How it is developed, the encryption speed, the ability to decrypt, all of those things allow for a form of extortion that we may not have seen before. And when we talk about ransomware today, it is not just about this locker, it's about actually this ecosystem of activities that take place to enable ransomware. But those traits really only become a hazard, a national security hazard, when they are directed against certain organizations by certain groups or individuals. So if I have to choose between the two, it's certainly the groups that are a threat to national security. And these groups have proven and shown that they are very willing to target a wide range of different entities, whether this is government entities like we have seen in Montenegro or Costa Rica, or whether this is healthcare infrastructure, or whether this is any other significant provider. At times, though, they don't even know what they're hitting. For example, you might see cases where a provider for the food industry or whatever sector is hit, and the ransomware group wasn't even aware of how significant it is. So sometimes, in a weird way, it becomes a national security threat simply because of almost collateral damage of their for-profit business.
Jonathan Cederbaum
Wow, Max, you offer a very interesting, innovative framework for understanding ransomware groups in your book. It has three parts: modus operandi, organizational structure, and branding and reputation, and you come up with a very convenient acronym, MOB. Can you describe for our listeners what each of those components of your framework is and why they are important?
Max Smeets
Yeah, I tried to come up with a framework to really help us better understand how these groups operate, how the ransomware groups today differ from the ones in the past, how they differ from state actors, and how we can analyze them. And the MOB framework allows us, first of all, to look at this across these three lenses. So modus operandi is really about the playbook of these groups. How do they get access? And then not only how do they get access and then ultimately encrypt your data, but also the process after. How do they then actually make sure that they have you pay in those negotiations? And how do they then make sure that after you pay, they actually can cash out that money? And that's a much more difficult process than some people realize. Organizational structure focuses on the hierarchy of these organizations and even specific questions, you know, do they have office infrastructure or not? Where are they based? How are they thinking themselves about business expansion? What are the types of targets that they seek to go after? To what degree do they want to set up specific teams, et cetera, et cetera. And then branding and reputation is the most frequently ignored element of ransomware groups, but in my view one of the most important ones: how they position themselves both towards other ransomware actors in the ecosystem, for instance, how do they use their branding and reputation to recruit new affiliates to actually hack for them and not another group? And secondly, how do they position themselves to the broader public as well as their victims to build up a reputation, as well as for being credible? So those are the three elements of the framework. And when you look across those three elements, you see that ransomware has qualitatively changed from where it was, especially a decade ago. And then, you know, we didn't see a very clear playbook that these ransomware groups were following.
Whilst today there is a, what I describe, an 11-step process that they go through, with a very clear, almost manual of, again, how to get access to ultimately being paid out. A decade ago it wasn't organized in the same way it is today, either very hierarchical or loosely, but at least in a coordinated manner. And a decade ago we didn't see the type of branding that you see today as well. In fact, much of the ransomware at the time wasn't really shown as ransomware, but more as scareware. So someone would lock you out of your computer and then a message would appear. For instance: we are the police and you have been looking at pornographic websites, and if you don't pay us, then we are going to arrest you, or something of this kind. So that's very different in terms of that branding element than the ransomware we see today.
Justin Sherman
That's interesting, because as you say that, I do recall seeing in the news, again, I have no idea how prominent this was and didn't dig into it, but some headlines recently about people getting those kinds of pop-ups, right, like, oh, we've, you know, videoed you watching porn on your laptop, click here, and then when they click, it opens, you know, a malware PDF. You mentioned reputation. One of the other very interesting points in your book concerns what you call the trust paradox that faces ransomware groups, and perhaps faces all of us, which refers to the incentives that these actors have to actually deliver on their claims versus cheating their victims. Talk to us about this dynamic, and what does this mean both for the groups that are perpetrating these operations as well as their targets?
Max Smeets
Yeah, the ransomware trust paradox has become a really important component in my book. I didn't realize that when I started, but towards the end I realized it's really central to my writing, and it's a really simple principle. Whilst ransomware groups inherently have to deceive their victims, broadly defined, you know, writing a phishing email to get access, encrypting their data, etcetera, they also need to gain their trust. They need to gain their trust in two ways. First of all, the victim needs to believe that they are skillful enough that after they have paid, let's say, 100,000 or even a million, they actually get a working decryptor from this ransomware group. And that's not always an easy feat. Second of all, they need to be seen as reliable enough that they are following up on their promises: that after you've paid a million or so, this ransomware group is not going to upload this data on their leak site, and that they are going to supposedly delete this data off their own servers. Without this belief, you're not going to pay them. And so the big question for ransomware groups is, how do they develop trust from their victims? And they do this in a number of different ways, and sometimes similar ways that we can think about for legitimate businesses. With legitimate businesses, we know that an important element is to prove that you have the capacity to do something. You know, a car vendor will tell you, please go and drive this car, and I showcase that this car is actually working. The same way, a ransomware group will say, well, please send us two files and we will decrypt them for free. It's a showcase that they actually have a working decryptor. The second way in which you develop trust is by focusing on this communication element. We know from business that repeated interaction and communication will help in gaining trust. Hey, I'm checking in here. I will send you an email in two hours when I'm finished with this job.
And then you follow up in two hours and you explain what you've done. All of these elements can help in a business setting between individuals and how they are coordinating. Similarly, for ransomware groups, you would often find on the leak site a Frequently Asked Questions page where you can find out what you need to do after you've been ransomed. Or groups like Clop will have a 24/7 helpline which you can call and reach out to in case you're ransomed by them, to know what the follow-on steps are. But the third element, and the most important, is this reputation element. The worst thing that can happen to a ransomware group is that the first 10, 20 search results on Google say that this group is unreliable and doesn't pay. And so they have to think very carefully about how they develop this reputation to make sure that you're paying. And one of the ways in which it is done is also engagement with the media and the broader public. How we write about these groups dramatically influences how they are perceived.
Justin Sherman
Just to add one more thing, I'm curious, because you mentioned earlier triple extortion, right? And so not only, as you're saying, okay, we lock down your system, pay once to get it back, then you pay to get it back. Okay, well, now we're going to leak the data, pay again, and then the third time it's a DDoS attack. I'm just curious, do you think there is something to be said about the more, I mean, maybe there's a fourth extortion phase someone will come up with. I mean, do you think the further out or the more steps that these groups add in, does that diminish trust? Because a target feels like, I keep paying and you're pulling the rug out from under me every time I pay. Or is it not undermining trust, because, as you're saying, maybe they message it really well and it's actually very clear that, no, they will stop DDoSing you. They're just going to DDoS you and you have to shell out another two and a half million in Bitcoin, kind of thing.
Max Smeets
That's a brilliant question. And already today, when we think about multiple forms of extortion, we have seen many more than the three that I just mentioned. And to mention one more, because that's a really important one: we promise to not re-victimize you. So after you've paid, we are not coming back in half a year, and then you are going to have to pay another ransom, which many victims are afraid of. But that is not always the case. And one of the things we see, and this is important, it's important to distinguish between the group that is doing the operations and the brand; the organization and the brand are connected but different. You can have a group that operates under multiple brands, and one of the things that can happen is that you first conduct an operation under one brand, you get paid, you promise to not go after them, and then a year later you conduct the same operation against the same target under a different brand. Now, you can imagine in those cases, Justin, if a threat intel firm or other organization in particular would be able to disclose that and showcase that link, that can tarnish the reputation of these groups very clearly.
Jonathan Cederbaum
Speaking of groups, Max, let me ask you a little bit more about Conti, which you mentioned earlier, which plays an important role in your book in part because some of its internal documents were leaked. And so you had this wonderful source of information about Conti. Tell us a little bit about the history of that group, why it became so important, and what lessons you drew from those internal documents.
Max Smeets
Yeah, Conti is an absolutely fascinating group. As I mentioned previously, it was the largest group in 2021, and very briefly in 2022 as well, until the further invasion of Ukraine. And an individual who had access to the back end of their Jabber and Rocket.Chat service leaked a lot of chat messages that led to and/or accelerated the implosion of this group. And indeed, I used these messages, internal messages between the group members, to really better understand how this group has operated. The group itself has a longer history. It really depends on where you start, as these individuals didn't start with Conti, but already with previous ransomware brands. The one to which it is most closely linked is a group called Ryuk, which was there not just before, but actually overlapped, and that in turn had links to another locker as well, called Hermes. So there is a longer history there. But perhaps more interesting is really that question that you asked about how they operate and what lessons we can learn from this group. And there are many. One of the most fascinating things is about their leader. He's called Stern, and that's the persona. And he is interesting because of his business mindset in a number of different ways. You would find conversations in these chats with him and other senior individuals about whether they should or should not set up two offices in St Petersburg, where he argues that they shouldn't, because he believes that employees can be remotely monitored and you don't need them in an office. You will have him talking about setting up a liaison office to engage with the FSB, but you also have him talk and focus on business expansion. Which other markets do I need to enter, or what other brands do I need to establish next to Conti? He established another brand, for example, called Diavol, where he sought to separate that partially for the reasons that I just mentioned, but also because he thought it would be more resilient to law enforcement.
And this is something that many forget. He thought industry-wide, and I never would have expected to find that before. When we often think about the evolution of ransomware, we think of these individuals as operating in ransomware today, and they will do so tomorrow and a year from now and two years from now as well. But many of these individuals think industry-wide, across the criminal ecosystem and beyond that. And this guy Stern, at some point he had around US$100 million in just one bitcoin wallet. He was thinking about a variety of projects. He established a social media platform, or was working on that. He was involved in cryptocurrency pump-and-dump schemes. He tried to revive the carding market, so this is the credit card stealing market. There was already a website that is online, the McDuck Group, it's called. So when we think about this evolution of these groups and these individuals, they are thinking more broadly, and, perhaps a not perfect analogy, perhaps Elon Musk-like too, in the same way as when he, you know, after PayPal doesn't stay in that money service business but starts to do various different projects, some of those individuals in those groups do too.
Jonathan Cederbaum
Fascinating. Yes. These are really, as I read your book and other studies, a kind of criminal Silicon Valley. They are entrepreneurs, they are adapters, they're looking for new opportunities, new startups, new ways to monetize developments in technology.
Max Smeets
And what is important to say, sorry Jonathan, we shouldn't over-romanticize, though, what they are doing. And that also comes back from the chats, especially when we do not look at the leaders but at some of those individual operators. And then you will find messages like, gosh, I've been going through this data and this has been a boring, dull exercise. Or, I can't get this thing to work. Or, I need to finish this off, but I need to pick up my kids from school. Or, I can't travel, I want to go on a holiday, what's going on? You see actually a real demoralizing experience that many of these people have that are working as part of Conti, and many of them do not get rich. So this is also a misconception, where every person that is part of these ransomware groups is earning a lot of money. That's not the case. Many might be on a typical sort of payroll system where they earn 800 to 1,200 US dollars a month for certain services. They might have been recruited off official job posting websites, initially not even being aware that they're part of a ransomware group. So we see a broader ecosystem, and it's not necessarily the fancy lifestyle that some people imagine for the great, great majority of those who are involved.
Jonathan Cederbaum
No, great points. Of course, one might say the same thing about many tech workers. But let me just ask you one more geopolitical follow-up, though. You mentioned Stern in his messages talking with his colleagues: should they have one office or two offices in St. Petersburg? My ears pricked up at St. Petersburg. How much of the ransomware industry is based in Russia, run from Russia?
Max Smeets
It's notable, to start with those conversations about those offices, that it seems that we have the full capture of that message conversation that Stern had with one of his key people around him. And what they do not discuss is how this makes them more vulnerable to co-optation from the FSB or another Russian government-affiliated group. So that's a notable omission. Make of it what you wish. What we do know, and what is explicit in the leaks, is that Conti had to occasionally do so-called pioneering activity. This is specific requests coming from the FSB, not the GRU. And for this pioneering activity they had to hack into often hard targets. One of them was, for example, a journalist affiliated with Bellingcat, the open source investigator network, that was helping the Navalny research team on an investigation. And so Conti was asked to hack into them. But we've seen other cases as well, including against relevant healthcare infrastructure, especially in Covid times. And some of those individuals, part of the group, will joke about it. So there is this quote that I have in my book where one individual says, okay, well, I will do it whilst wearing a red tie. They know that they have to occasionally engage in that behavior. It doesn't, however, mean that all of the activity that they're engaged in is directed by the FSB or another government actor. And that makes sense. Ideally for them, they want to keep them at arm's length. Ultimately they are making an enormous amount of money, at least the leadership, and they want to continue to do that. So of course they will do those requests when needed. But if they can, they don't want to sit in a specific office day in, day out doing those requests, but just keep going with the things that earn them this profit. So that's an interesting dimension. Now, as Dmitri Alperovitch has said, we don't have a ransomware problem, we have a Russia problem.
And that's a very nice way of saying it, might of course be a bit too simplified, but it is certainly the case that the great majority of ransomware groups do operate from Russia, Belarus and, notably, Ukraine. Certainly pre-further invasion as well. Conti was a group with a lot of Ukrainian individuals. Ukraine has been, you know, when we look at the history of cybercrime, one that had always played a prominent role, particularly in the carding industry, and the Russian-speaking individuals in particular have been closely involved in that. And since the further invasion that has slightly changed too. So we see an ecosystem that is changing. And what is also worth pointing out is that whilst we see the links of Conti with the FSB, it doesn't mean that these links are mirrored across other groups as well. Clearly we know that other groups have links with particularly the FSB too, but the links might differ from group to group and how they are established. So it seems increasingly that there is not one model in which these ransomware groups are co-opted by the state, but multiple models, each with different flavors depending on the relationship between senior leadership of the ransomware group and the FSB. And lastly here, I am not aware of any public disclosure of these ransomware groups being linked to the GRU. Whilst we know the GRU has used ransomware to conduct some of their own operations, I do not know yet of strong links between any ransomware group and the GRU. It's primarily with the FSB and the...
Justin Sherman
...the GRU being, of course, the Russian military intelligence agency. I want to say thank you for mentioning this, because this always drives me nuts in the headlines. As you know, I do a lot of Russia work as well, as does Jonathan, and, as you're saying, to see either every Russian ransomware operation referred to as nothing to do with the state, which, as you're saying, is not necessarily true in terms of the contours of the system, but also the other way, as you're noting, where every operation is seen as some secret espionage plot where a Russian guy in a uniform is standing behind the criminal hacker and sort of, you know, tasering him until he gets into the target. Which of course is not true either. I'm just curious, because you're alluding to other countries and a lot of this is based in Russia. If this is making you speculate, feel free to pass on the question. But are there reasons why the North Koreans, for example, have not seen this as an attractive means of pulling in money to fund the WMD program? Are there structural or other reasons? I mean, I'm thinking of your other book too, why China would not have a larger ransomware ecosystem compared to what's going on in Russia.
Max Smeets
Yeah, so it's primarily a Russia problem, but I may have oversimplified it. So we do see some ransomware activity in other countries. And I actually have published a report together with several colleagues for Virtual Routes, Ransomware's New Masters, where it focuses on not just Russia but then also China, Iran and North Korea, and then actually particularly state use of ransomware for different reasons. And the North Koreans, as you mentioned, they stand out so clearly when we think about North Korea, especially across those four: it is a state actor group that does do financially motivated attacks. And we are well aware that they have often focused on cryptocurrency theft, and that's where they are making a lot more money. In some ways it's as surprising that they have not moved more into ransomware as it is that the Russian criminals have not moved more into cryptocurrency theft, by the way. But secondly, we have seen them engaging in some relevant ransomware activity, and this has been fascinating early activity. They were often able to get access and encrypt data, but not get the trust of victims to pay them. That is the element that they couldn't overcome. And how did they try and overcome this? It's by co-opting criminal brands, or better to say, pretending to be criminal brands. In 2019, a very prominent group that emerged was REvil, and North Korean hacking groups, state groups, would pretend to be REvil. So they would write a ransom note that would say, you are hacked by REvil, please pay to this Bitcoin address. So they were using the brand in the hope that they would get paid in that way. One thing that we do see a lot more of today, and a trend by North Korean state hackers, is to insert themselves into the mature Russian criminal ecosystem. So what the North Koreans are doing is they have now become initial access brokers for Russian criminals.
So they are doing the access and then they sell that off to Russian criminals, who are then doing the follow-on steps, encrypting the data and doing the negotiations, et cetera, et cetera. And that's the part that they are very familiar with, because that's what they do against lots of other targets too. So you see now a much more complex ecosystem where many of these actors across the globe are only inserting themselves in parts of the process.
Jonathan Cederbaum
Well, that North Korean example is a really fascinating instance of division of labor in this industry, as it were. Are there other trends, as you look ahead the next three to five years, that you see developing in this ransomware ecosystem?
Max Smeets
There are a couple of notable trends that we are partially worried about. We'll have to see how they develop. One of them is the way in which ransomware groups are currently both targeting as well as analyzing data, so targeting of victims and then analyzing data. So of course we have seen the rise of LLMs. Of course this has led to slightly better phishing emails that are written by these groups. But secondly, what it has allowed them to do is start to better understand, potentially, the data that they are obtaining from their victims. And the question is whether the trend continues that way and, as a result of them better understanding the actual victim data that they have obtained, they are also better able to extort the victims that they are negotiating with. So that's one trend, on the sort of modus operandi side. On the organizational structure side, we see a couple of notable trends too. One of them is actually the greater fragmentation of this space. When I looked at Conti, it had almost a monopoly on ransomware. Much of the activity, some would say 70, others 80, and some would even say 85 or 90% of all the ransomware activity, was either done by Conti or by affiliated brands. Today we see a much more fragmented ecosystem. In part, this is the result of law enforcement having come in, going after big brands, big groups, and as they go after that brand, it sort of disperses into smaller groups. And this is something that we still see today, a more fragmented ecosystem. And I don't see this going back anytime soon. So that's the second element. When we look at the branding and reputation side, we see a variety of different experiments going on right now. One is, I think, worthy of elaborating on. One of the experiments we see of ransomware groups is they've developed these platforms for affiliates to use to conduct their ransomware operations from. And these platforms help you in a number of different ways.
They help you not only encrypt the data, but also create a unique decryptor and automatically generate, often, a bitcoin address, offer you a nice negotiation portal, et cetera, et cetera. So they build this infrastructure for you in an easy way to conduct these operations. In the past, when one brand would develop this infrastructure, they would say, you can only use our specific locker, or sort of ransomware, to conduct your operations. What has been changing is what some would call a cartel-like structure: we still provide the platform, but instead of "bring your own booze", you can bring your own ransomware, and you can plug that in and then use our platform nevertheless. And we still take a small fee for that, but that leads to even more sort of fragmentation of the ecosystem that we didn't previously see, making attribution even harder when it comes to the kind of individuals that are behind it. So these are sort of three developments across the MOB framework, on modus operandi, organizational structure and branding.
Jonathan Cederbaum
Many studies, including yours, seem to suggest that ransomware remains a major problem, one that governments have not had much success combating. Do you have recommendations either for governments or private targets, about how we can work together to reduce the impact of ransomware groups?
Max Smeets
When I started the book project, and when I was halfway in, I thought I was going to write a really easy final chapter. I thought I was going to write about this framework, and then I was going to do this really detailed empirical case study and show everyone how these groups really operate. And then I was going to write this conclusion and say, we have not seen any ransomware countermeasures to date and we need to do a lot more. And I thought I was going to end there. And then I realized that would be highly unfair, because actually we have seen a number of really interesting and important initiatives from different government organizations. So as a result of that, I actually developed a tracker. It's now published on the Virtual Routes website. It's called the Counter Ransomware Measures Tracker, where I track all the different countermeasures that governments have taken against ransomware, whether this is sanctioning individuals, or whether this is going after command and control infrastructure, whether this is providing alerts, et cetera, et cetera. When you combine that, you see some notable trends. First of all, you see a very large increase in government countermeasures from 2021, whilst of course the majority of those ransomware efforts come from a really select number of governments, of which the US is the most prominent, I believe over 55 or 60% of the cases. What is also notable is around 60% of the arrests are affiliates who travel or cash out. So core quotas still remain really hard to reach. And, you know, it's also reflected in lighter sentences, depending on where they are. But when we look at all of those efforts, most of these efforts target either the M of the MOB framework, the modus operandi, let's say we go after their command and control infrastructure or how they cash out, or they go after the organizational structure, let's sanction those individuals, et cetera.
But very rarely do they go after the B element and really seek to undermine the trust that these groups have. And that is, of course, as I discussed in the ransomware trust paradox, a crucial element, and there a lot more can be done. One notable exception is Operation Cronos. This was the operation conducted by the NCA and partners disrupting LockBit. And in this operation, in February 2024, they didn't just focus on going after a couple of wallets and sanctioning individuals, et cetera, but they were also very keen to spread the message to journalists and others, including me, to make sure that we would tell the public, hey, LockBit doesn't delete your data even after you've paid. Hey, LockBit doesn't suspend certain affiliates from their platform after they have done things that are against their sort of official code of ethics. All of those things spread that message to reduce the trust that people would have in the LockBit brand. So I believe there is an opportunity here for more of that type of engagement from government, but there is also an opportunity here for the broader public. Because ultimately that development of branding and reputation comes from our writing. And it really means that we have to think much more carefully about how we engage with these groups. To draw an important comparison: when we think about state activity, what we often see there is that these groups, especially intelligence agencies, don't want to be publicly attributed, they want to shy away from public attention. When it comes to criminal groups, that's very different. Ransomware groups, after they've done their operation, actually want to have all the attention that helps them in the reputation building. They want you to write this article in a media outlet about them, especially about how fierce and sophisticated they are and how almost Silicon Valley-like they are, et cetera, et cetera. That is to their advantage. They sometimes publish press releases themselves or correct the press.
They occasionally are very happy to do interviews. All of those things are important. So another element really here that I've been pushing for is this need for us to think about how we write about these groups, and perhaps even some type of code of ethics. It doesn't mean that we shouldn't write about them at all. But in the same way as we think about writing on terrorism or disinformation, we are very well aware that we can play into the hands of terrorists if we write in certain ways about the fear-mongering acts that they are seeking to do, or of disinformation when we publish this in the mainstream media, in the same way we have to think about ransomware.
Jonathan Cederbaum
Very interesting. Presumably one of the central goals of what you're proposing, that is, undermining their brands, undermining trust in their reliability, is to encourage victims not to pay. Of course, some governments have proposed a more direct route to that result, which is banning ransomware payments altogether and imposing some kinds of penalties on organizations that make ransomware payments. What's your view of those government prohibitions on ransomware payments?
Max Smeets
Yeah, and we see different flavors and variations of that proposal. Some proposals I am more favorable to than others. Let me start with some of them that I'm less favorable to, and that we see frequently coming up. One of them is to propose a ransomware payment ban, but also with some type of license or exception. So this is then for certain entities where they can apply for this exception and still pay, especially if, for instance, lives are at risk. I'm against this, because it creates an exact new target set of the most vulnerable. If that is the case, and if you have those licenses in place, who, as a ransomware group, would you then go after? Well, exactly those ones that are most vulnerable. So that I'm not very positive about. Second, I am positive about the potential creation of a ban, but we have to be realistic about what it does, especially if individual countries do that. When individual countries mention this, they suggest that this allows for no more ransomware and that these groups just go away. Well, the reality is what we're actually suggesting is, if I, as Country X, have such a ban, I simply hope that these individuals or criminals are discouraged from going after entities in my country and go to another country instead. So move them away from us towards others. And as long as we're a bit more honest and open about that, that we might not really be addressing the core problem in that sense, because I'm unrealistic that all the countries will have such a ban in place, but that we are trying to dissuade them from going after the targets in our country and instead going after the targets in other countries, then I'm more open to it.
Justin Sherman
Not outrunning the bear, all of us, right, but outrunning the slowest runner kind of thing. Once again, for listeners, your book is titled Ransom War: How Cybercrime Became a Threat to National Security. Max, is there anything else you'd like to add that we did not touch on?
Max Smeets
Well, first of all, thanks for having me on the podcast. Thanks again, really appreciate it. There are a lot of other topics that I feel are worthy of engaging with, and maybe I want to mention one here to close, and that's the link between the intel services and the law enforcement agencies. As we've discussed now, cybercriminal groups have a wide range of different links to the state, particularly those Russian-based groups. And secondly, I have argued that they are a threat to national security, which means that we see two entities, of course, being interested in tracking them: both law enforcement, police, and the intel services. These entities have overlapping but also distinct missions. You can imagine that law enforcement is interested in arresting individuals, sometimes disrupting. You can imagine that intel services are a bit more interested in really tracing how these groups operate and understanding those links. When we think about ransomware operations, it's important to find out and think about how we want to set up perhaps new institutional structures to allow for more cooperation between law enforcement and intel. It's one that I've not really been seeing. I have not seen it discussed in public, and it deserves more attention, in the same way as we had discussions about the equities process between the military and the intel services and the need to have, let's say, in the US a dual-hatted role, or whether you need more specific operational units to collaborate and to deconflict. I'll leave it there. Thanks again for having me.
Justin Sherman
That's all the time we have. Thanks for listening. The Lawfare Podcast is produced in cooperation with the Brookings Institution. You can get ad-free versions of this and other Lawfare podcasts by becoming a Lawfare material supporter through our website, lawfaremedia.org/support. You'll also get access to special events and other content available only to our supporters. Please rate and review us wherever you get your podcasts. Look out for our other podcasts, including Rational Security, Allies, The Aftermath and Escalation, our latest Lawfare Presents podcast series about the war in Ukraine. Check out our written work at lawfaremedia.org. The podcast is edited by Jen Patja, and our audio engineer this episode was Goat Rodeo. Our theme song is from Alibi Music. As always, thank you for listening.
Unnamed Advertiser
Staying up to date with current immigration regulations and policies can feel like a full-time job. Maintaining and hiring a staff with foreign nationals is already complex, and with today's shifting policies and global uncertainty, staying compliant can be overwhelming. That's where Meltzer Hellrung comes in. As trusted thought leaders in business immigration, we partner with companies like yours to simplify the process through a high-touch, expert-led approach backed by our cutting-edge immigration management technology platform. It's easier than you think with the right partner. Sign up for Meltzer Hellrung's free weekly news alert emails and monthly webinars to stay ahead of the curve at meltzerhellrung.com.
Podcast Title: The Lawfare Podcast
Episode: Lawfare Daily: ‘Ransom War’ with Max Smeets
Release Date: June 26, 2025
Host: The Lawfare Institute
Guest: Max Smeets, Co-Director of Virtual Routes and Author of Ransom War: How Cybercrime Became a Threat to National Security
In this episode of The Lawfare Podcast, Justin Sherman and Jonathan Cederbaum engage in an in-depth conversation with Max Smeets, a cybersecurity researcher and the author of Ransom War: How Cybercrime Became a Threat to National Security. The discussion covers the evolution of ransomware, the organizational dynamics of ransomware groups, their impact on national security, and potential strategies to counter this growing threat.
Max Smeets begins by sharing his path into the field of cybersecurity, sparked by his undergraduate studies in economics and statistics and further fueled by his fascination with Richard Clarke and Robert Knake's Cyber War (02:26). His academic pursuits led him to collaborate with the UK National Crime Agency on understanding and disrupting ransomware operations, particularly LockBit (03:10).
Max provides a breakdown of ransomware, tracing its origins back to the late 1980s with the floppy disk incident linked to Joseph Popp (07:57). Initially, ransomware was rudimentary, relying on symmetric encryption and yielding minimal financial returns. It has since evolved through several phases, from simple encrypt-and-demand schemes to the multi-layered extortion seen today.
Max Smeets (07:57):
"Ransomware is a lot more than just encrypting your data and asking for a ransom. We now see multiple forms of extortion, including double and triple extortion tactics."
Max highlights several prominent ransomware groups, emphasizing their operational methods and the broader implications for national security:
Max Smeets (15:17):
"The group that I have looked at most closely for my book is Conti. They were experimenting with a wide range of different tactics, moving away from simple phishing emails to more organized hierarchical structures."
Max argues that it's not just the malware itself but the organized groups behind it that pose significant national security risks. These groups target critical infrastructure, government entities, and large enterprises, causing widespread disruption and financial loss. The collateral damage from their for-profit motives often inadvertently affects national security.
Max Smeets (15:35):
"It's more accurate to say that the ransomware groups, the actors, are the threat to national security. These groups have proven and shown that they are very willing to target a wide range of different entities."
Max introduces the MOB Framework, a three-part analytical tool for understanding ransomware groups:
Modus Operandi: how the group actually carries out operations, from gaining access and encrypting data to negotiating and cashing out, including the affiliate platforms that automate decryptor generation, payment addresses and negotiation portals.
Organizational Structure: how the group is organized and staffed, from hierarchical leadership down to salaried operators, some of whom were recruited through ordinary job postings.
Branding and Reputation: the public identity the group cultivates, which it depends on to convince victims that paying will actually get their data back.
Max Smeets (17:29):
"The MOB Framework allows us to analyze ransomware groups through their modus operandi, organizational structure, and branding and reputation, providing a comprehensive understanding of their operations."
Max explores the trust paradox, in which ransomware groups must balance inherent deception with the need to build trust to ensure ransom payments. A group that breaks into a victim's network and threatens to leak its data must nonetheless persuade that victim that a payment will be honored. Failures in trust can lead to victims refusing to pay, undermining the group's financial viability.
Max Smeets (21:12):
"Ransomware groups inherently have to deceive their victims, but they also need to gain their trust to ensure payments."
The discussion delves into the connections between ransomware groups and state actors, particularly focusing on Russian entities:
Max Smeets (34:14):
"The great majority of ransomware groups operate from Russia, Belarus, and Ukraine. Conti, for example, had connections with the FSB, but this doesn't apply uniformly across all groups."
Looking ahead, Max identifies several trends shaping the future landscape of ransomware:
AI and Data Analysis: LLMs have improved phishing lures and may increasingly help groups make sense of stolen victim data, which in turn sharpens their leverage in extortion negotiations.
Fragmentation of the Ransomware Ecosystem: where Conti once accounted for the bulk of activity, law enforcement pressure on large brands has dispersed the space into many smaller groups.
Platform-Based Operations: affiliate platforms that supply encryption, decryptors, payment addresses and negotiation portals, increasingly in a cartel-like "bring your own ransomware" model that further complicates attribution.
Max Smeets (42:40):
"We are seeing a fragmentation of the ransomware ecosystem as law enforcement disrupts major groups, leading to smaller, more dispersed operations."
Max offers insights into the current state of countermeasures and suggests future strategies to mitigate the ransomware threat:
Government Initiatives: the Counter Ransomware Measures Tracker published on the Virtual Routes website documents a sharp rise in government countermeasures since 2021, led by the US, though arrests mostly reach affiliates who travel or cash out rather than core members.
Public and Media Role: because ransomware groups actively seek publicity to build their brands, how journalists and researchers write about them matters, and Operation Cronos against LockBit showed the value of publicly undermining a group's credibility.
Policy Recommendations: payment bans with licensed exceptions risk turning the most vulnerable organizations into preferred targets, while a blanket ban mainly shifts attackers toward other countries and should be presented as such.
Collaboration Between Agencies: law enforcement and intelligence services track the same groups with different goals, and new institutional structures are needed to coordinate and deconflict their work.
Max Smeets (46:27):
"Most countermeasures target the modus operandi or organizational structure, but very rarely do they tackle the branding and reputation elements, which are crucial for undermining these groups."
Max Smeets concludes by emphasizing the need for a multifaceted approach to combat ransomware, highlighting the importance of targeting not just the technical aspects but also the organizational and reputational facets of these groups. By leveraging responsible media practices, enhancing governmental countermeasures, and fostering inter-agency collaboration, there is potential to significantly mitigate the threats posed by ransomware to national security.
Max Smeets (55:58):
"We need to think about how we set up new institutional structures to allow for more cooperation between law enforcement and intelligence services. This collaboration is essential to effectively counteract ransomware operations."
This episode provides a thorough exploration of the ransomware landscape, offering valuable insights into the operational complexities of ransomware groups and their broader implications for national security. Max Smeets' analysis, grounded in his extensive research and firsthand knowledge, underscores the urgent need for coordinated and comprehensive strategies to combat this evolving threat.