Rob Joyce, director of cybersecurity at the National Security Agency (NSA), told attendees at a recent UK security conference that ransomware attacks have been on the decline over the last two months or so, and that the trend can be traced directly to the sanctions imposed on Russia. Criminals operating outside the country are struggling to find ways to collect ransom payments and establish infrastructure, due in large part to the sanctions associated with the invasion of Ukraine.
NSA Director Sees Downward Trend in Ransomware Attacks Due to Recent Sanctions
The NSA’s director of cyber security told the National Cyber Security Center (NCSC) Cyber UK event in Wales that criminal attempts against government agencies and critical infrastructure had made ransomware attacks a national security priority, and that most of the serious players in this particular segment of the criminal underworld are based in Russia. Therefore, new sanctions against entities in Russia are having a dampening effect on ransomware attacks, as criminals lose options for doing business with the outside world.
Joyce said this was probably not the only factor in the reduction in ransomware attacks, but it was a significant contributor. Ransom payments are more difficult to process due to a lack of access to a variety of banking options and an inability to purchase the technology needed to set up the infrastructure for new ransomware campaigns.
Whether or not to formally ban ransomware payments has been a hot topic around the world for several years, ever since ransomware attacks had a huge resurgence. After a hiatus in the mid-2010s, ransomware roared back in 2017-2018 around the same time as the massive rise in the value of cryptocurrencies. There have been even bigger spikes since the start of the Covid-19 pandemic, as internet traffic both at home and at work increased sharply. While there are some arguments for cutting off these attacks at the source by banning ransom payments, an argument supported by this recent NSA announcement, many organizations feel they have no choice but to make a payment when they are unexpectedly caught in a breach. This is particularly true for businesses that can’t afford even a small amount of downtime, such as healthcare facilities and critical infrastructure companies, and most governments have continued to err on the side of allowing payments to be made, provided that the corresponding authorities are also notified of the situation.
Penalties make ransomware payments harder to facilitate
One of the sanctions that is affecting ransom payments is the removal of Russian banks from the SWIFT international banking system. Payments for ransomware attacks are usually made in cryptocurrency, but most attackers look to convert this to fiat at some point due to the more limited outlets for directly spending crypto funds; attackers in Russia now have far fewer options in this area. Major credit card companies like Visa and Mastercard also left the Russian market and blocked Russian banks.
Russia has faced some level of international sanctions since its armed conflict with Ukraine began in 2014, but more countries than ever have joined since the 2022 invasion began. Some notable countries now participating include South Korea, Taiwan and Singapore.
Penalties also prevent victims from making ransom payments without being subject to additional large fines and, in some cases, potential criminal charges. US Office of Foreign Assets Control (OFAC) sanctions not only apply to cryptocurrency payments, but can also be imposed in some scenarios where the attacker only has a suspected or possible connection with a sanctioned party. Penalties for “willful” violations are harsh, with a maximum fine of $1 million and up to 20 years in prison per violation.
While the NSA says it sees a reduction in ransomware attacks and ransom payments, the picture is far from clear based on other data sources. The Conti ransomware gang has been extremely active during the months of the Ukraine invasion, racking up at least 50 attacks in April alone. Other groups that have been active with multiple attacks during the war include LockBit, Pysa, Maze, and CLOP. A few new groups have also emerged during this time (Onyx, Mindware, and Black Basta), and the previously routed REvil appears to have regrouped and is active again. And while ransomware attacks on certain industries have subsided since February, the trend of targeting school systems and government agencies in the US appears to have picked up as well.
The global average ransomware payment amount rose to more than half a million dollars in 2021, and in the US the average rose as high as $6 million according to some research. Analysts expected both the number of attacks and the size of the average ransom payment to increase, but the average in the first quarter of 2022 has actually decreased, according to some research.