Samantha Ravich / Dr. Georgianna Shea
It’s past time for the business owners of America to demand that Washington do more to end the scourge of ransomware attacks by gangs of cyber marauders and their state sponsors. Imagine if armed mercenaries took control of food production facilities, gas pipelines, banks, and hospitals, agreeing to leave the premises only if paid millions of dollars. That is essentially what is happening today in cyberspace with the proliferation of ransomware attacks.
The U.S. government is engaged in a multipronged effort to combat ransomware, but Washington’s collaboration with the private sector has only entailed coaxing or requiring businesses to install virtual fences and alarm systems. Implementing such cyber hygiene best practices will help prevent unsophisticated hackers who operate like the opportunistic burglar walking around the neighborhood, checking to see which doors are unlocked. But locks will not stop a determined and well-resourced attacker.
President Joe Biden held a multinational cybersecurity summit last month. It provided little comfort that governments can stop these attacks. To be sure, 30 nations agreed to step up law-enforcement efforts to counter illicit finance schemes, disrupt ransomware-payment flows, and prosecute attackers. The fact that the United States reportedly rallied its partners to hack and dismantle a Russian ransomware group’s infrastructure is a notable, if likely limited, operational success.
But at the end of the day, these steps will have only marginal effects so long as ransomware is lucrative. Attacks will continue until victims stop paying the ransoms.
For this reason, policymakers periodically raise the prospect of making ransomware payments illegal. Current U.S. policy discourages paying ransoms, but banning them would “stab the wounded,” as National Cyber Director Chris Inglis recently lamented. An outright prohibition against ransomware payments would force victims to choose between taking illegal action and possibly going out of business.
Even if victims follow the advice of the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency to “be prepared” with system back-ups, there may still be significant data loss in reverting to the last known good state, as the previous clean version of the data is called. For example, if the data backup happens monthly, victims can count on losing weeks’ worth of data. If it is unclear when the attacker breached the system, or if hackers surveilled the system for weeks or months before launching the attack, the last known good state may have been many months earlier. Few businesses can afford both that loss and the business interruption that trying to rebuild systems while under attack entails.
Tens of millions of businesses are potential victims. All need better tools to help protect themselves and make it harder for ransomware to lock up their keyboards, freeze their systems, and destroy their data. Luckily, there are technologies that can mitigate the effects of ransomware by securing what is most important: the data, not just the users and the devices. In a newly published report for the Foundation for Defense of Democracies, we describe how we tested this type of solution with a distributed, encrypted file storage system.
In today’s ransomware dystopia, infected machines and devices are treated as critical to operations, so companies are willing to pay any ransom to free them from their bondage. Yet in our test case, the machines are replaceable and irrelevant to the security of the data. With distributed file storage systems, the company can reject the kidnapper’s threats to shoot the hostage. Even if ransomware attackers succeed in locking a machine, they will wind up with nothing but a corpse because the company itself has already taken the device out back and shot it.
Our fundamental premise is the proverb “don’t put all your eggs in one basket.” Instead of simply saving a file locally or on a central server (one basket), when the user saves a file, the system fingerprints the data, breaks the file into pieces, fingerprints it again, and encrypts it. The user then distributes the fragments to multiple other machines or nodes in the system. If hackers attack one or even multiple machines, the user can still recover all of the data with minimal or negligible delay by logging in from a different device and rebuilding the files from the encrypted, distributed fragments.
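As an added illustration (not the report's or any vendor's code), the following Python toy models the flow just described: fingerprint the file, break it into pieces, fingerprint each piece, encrypt, scatter the ciphertext across nodes, then rebuild from a different device after some nodes are locked. It assumes each fragment is replicated on a fixed number of nodes and substitutes an HMAC-based stream cipher with encrypt-then-MAC for the AEAD a real system would use; node layout and sample data are constructed.

```python
import hashlib, hmac, secrets

CHUNK = 16  # fragment size in bytes (constructed; real systems use far larger pieces)

def fingerprint(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # HMAC-SHA256 in counter mode: a stdlib stand-in for a real AEAD (assumption)
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), "sha256").digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()  # encrypt-then-MAC

def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        raise ValueError("fragment tampered with")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

def store(data: bytes, key: bytes, nodes: list, copies: int) -> dict:
    """Fingerprint file, split it, fingerprint+encrypt each piece, replicate to `copies` nodes."""
    manifest = {"file": fingerprint(data), "frags": []}
    for k, off in enumerate(range(0, len(data), CHUNK)):
        frag = data[off:off + CHUNK]
        fid, blob = fingerprint(frag), encrypt(key, frag)
        holders = [(k + j) % len(nodes) for j in range(copies)]
        for n in holders:
            nodes[n][fid] = blob  # a node only ever holds ciphertext
        manifest["frags"].append((fid, holders))
    return manifest

def rebuild(manifest: dict, key: bytes, nodes: list, locked: set) -> bytes:
    """Reassemble from any surviving copy; nodes in `locked` are ransomware-held."""
    out = b""
    for fid, holders in manifest["frags"]:
        for n in (h for h in holders if h not in locked):
            frag = decrypt(key, nodes[n][fid])
            if fingerprint(frag) == fid:  # per-fragment integrity check
                out += frag
                break
        else:
            raise RuntimeError(f"fragment {fid[:8]} unavailable on every holder")
    if fingerprint(out) != manifest["file"]:
        raise RuntimeError("rebuilt file does not match the original fingerprint")
    return out
```

With three copies spread over five nodes, losing any two nodes still yields a rebuild that matches the original fingerprint; losing three holders of the same fragment is reported as an unrecoverable gap rather than silently returning a truncated file.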
While the purpose of our project was to test the mitigation of ransomware effects, businesses need to be resilient in the face of a range of attacks, not just the popular threat du jour. Using decentralized, fragmented, and encrypted file storage removes the central server, thus eliminating the primary target of a ransomware attack, but the system provides other real-world benefits as well. The lack of a central server also protects against wiper attacks or other attempts to destroy data.
Today, when ransomware victims refuse to pay, attackers try to increase the pressure by threatening to publicize or sell the data. Other hackers steal valuable trade secrets. Decentralizing the fragmented and encrypted data means that exfiltrated data is gibberish to the thief and selling the data is useless. It also removes the file access that system administrators have by default, preventing the next Edward Snowden from exfiltrating huge volumes of classified or sensitive information.
Organizations should anticipate that a hacker will breach their systems, but they do not have to accept that the hacker will compromise, leak, or lock their data. Instead of simply adding cybersecurity protections to a system to make a compromise harder, the more effective approach is to anticipate that the adversary will find a way in and build resilient systems that enable secure operations despite the breach.
Washington cannot expect every mom-and-pop business to figure out on its own how to build systems that are resilient by design. Rather than parroting the same talking points about cyber hygiene and ransomware payments, the U.S. government needs to provide better advice and support to help the at-risk corporate population understand and utilize technological solutions to solve the ransomware epidemic.
Samantha F. Ravich serves as chair of the Center on Cyber and Technology Innovation at the Foundation for Defense of Democracies and as a commissioner on the U.S. Cyberspace Solarium Commission. Georgianna Shea is CCTI’s chief technologist and head of its Transformative Cyber Innovation Lab. FDD is a Washington, D.C.-based, nonpartisan research institute. Follow Samantha and Georgianna on Twitter @_GeorgiannaShea.