Cybersecurity & Tech

Combating Ransomware: A Roadmap for Progress

Gary Corn, Melanie J. Teplinsky
Tuesday, March 7, 2023, 12:11 PM

A new white paper from American University Washington College of Law’s Technology, Law, and Security program provides recommendations for combating ransomware.

A ransom message displayed by Locky, a ransomware malware released in 2016. (Christiaan Colen, https://flic.kr/p/SWrePq; CC BY-SA 2.0, https://creativecommons.org/licenses/by-sa/2.0/)

Published by The Lawfare Institute
in Cooperation With
Brookings

The Biden administration’s freshly minted National Cybersecurity Strategy calls for, among other things, a comprehensive federal and international approach to addressing the growing problem of ransomware. In line with the strategy’s focus, a newly released white paper from American University Washington College of Law’s Technology, Law, and Security Program (TLS) explores the ransomware problem and identifies actionable, expert-informed recommendations for combating the evolving ransomware threat. Entitled “Combating Ransomware: One Year On,” the paper was drafted in consultation with leading experts in the field: V. Gerald Comizio, Gary Corn, William Deckelman, Karl Hopkins, Mark Hughes, Patrick McCarty, Sujit Raman, Kurt Sanger, Ari Schwartz, Melanie Teplinsky, and TLS student fellow Jackson Colling.

The American public was unexpectedly awakened to the real-world effects of a ransomware attack on critical infrastructure in May 2021, when Colonial Pipeline—which supplies nearly half the fuel for the East Coast of the United States—halted its pipeline operations in response to a criminal ransomware attack on its business-side computers. The ensuing panic-buying, fuel shortages, and price spikes along the East Coast set off alarm bells at the highest levels of government and corporate America and opened people’s eyes to the significance of ransomware to U.S. economic and national security interests.

After the Colonial Pipeline attack, TLS sponsored “Combating Ransomware,” a three-part webinar series that brought together leading experts, informed by diverse experiences and perspectives, to discuss the threat of ransomware and what should be done about it. The webinar series offered an in-depth look at the ransomware problem from three perspectives: private-sector efforts to combat ransomware, cryptocurrency as a ransomware driver, and national security aspects of counter-ransomware initiatives.

TLS’s new white paper builds on key ideas from the ransomware webinar series.

The National Cybersecurity Strategy calls out ransomware as a specific challenge for a reason. Ransomware not only has been growing as a problem for the private sector but also represents a clear threat to national security with a number of identifiable trends, including: (a) an increasingly sophisticated, specialized, and resilient Ransomware-as-a-Service ecosystem, in which ransomware is packaged and sold for use; (b) ransomware-driven developments in cyber insurance, such as increased premiums, shrinking coverage, and the potential need for, and scope of, federally backed cyber insurance; (c) notable shifts in ransomware targets; (d) the evolving role of cryptocurrency in ransomware payouts; and (e) the rise of multi-extortion ransomware, in which cybercriminals not only encrypt a victim’s data and threaten to withhold it until ransom is paid but also exfiltrate data and threaten to leak it to the public or sell it on the dark web if the victim does not pay the requested ransom.

The TLS paper first assesses the impact of ransomware on the private sector. It pinpoints areas of opportunity and concern in connection with the evolving cyber incident reporting environment and identifies a range of measures available to the private sector to prevent, mitigate, and respond to a ransomware attack. The paper goes beyond traditional recommendations for the private sector to adopt basic cyber hygiene (which itself includes critical measures such as vulnerability management and multifactor authentication). Indeed, the paper explicitly recognizes the importance of businesses being proactive in achieving cybersecurity and resilience, including by migrating toward zero trust architectures and working to ensure quantum cyber readiness. 

The TLS paper also posits an operational expansion of public-private cooperation. Specifically, TLS observes that the private sector’s extensive cooperation with Ukrainian government entities in response to Russia’s invasion could be translated into greater operational integration and coordination with U.S. government entities in the future. Ideally, such expanded cooperation would come into play not only at a time of crisis but also in day-to-day work toward the common goal of overall network security to create a safer cyberspace environment.

The TLS paper next addresses ransomware from a national security perspective. Nation-states increasingly are using ransomware to facilitate national security and strategic goals, with nation-states themselves becoming targets more frequently. Historically, China, Russia, North Korea, and Iran have used ransomware and proxy groups to target nation-states, particularly Western countries. Of late, targets have expanded beyond Western countries to those with potentially weaker cyber defenses, as demonstrated by recent crippling attacks against Montenegro’s critical infrastructure and government services (August 2022), Bosnia and Herzegovina’s parliament (September 2022), and Costa Rica’s government offices (summer 2022). 

The paper also addresses the international law dimensions of counter-ransomware efforts through a detailed discussion of several concepts, such as:

  • Attribution, which can be crucial to determining a state’s options for response to a ransomware attack and, when done publicly, can be used to signal to adversaries that the U.S. deems a particular cyber operation unacceptable as a matter of international law or national policy.
  • Sovereignty, which has important implications for U.S. counter-ransomware cyber operations against infrastructure located in other states.
  • Due diligence, which involves addressing criminal ransomware activities emanating from one’s own territory.

The TLS paper next details recent U.S. government actions to combat ransomware. Since the Colonial Pipeline attack, the U.S. has fully embraced an “all-tools” approach to combating the ransomware threat, actively leveraging all instruments of national power—diplomatic, informational, military, economic, financial, intelligence, and law enforcement (often referred to as the DIMEFIL framework). The National Cybersecurity Strategy provides clear guidance to build on these collaborative efforts to fundamentally reshape the underlying dynamics of the digital ecosystem, raise the costs to criminal actors, and proactively disrupt and dismantle ransomware threat actors.  

Finally, in line with the National Cybersecurity Strategy, the TLS paper enumerates practical, expert-informed recommendations to combat the multidimensional ransomware threat. The recommendations range from considering modifications to the cyber insurance market; to enhancing intergovernmental collaboration and information sharing mechanisms; to clarifying and enabling the Defense Department’s role in disrupting ransomware threats in collaboration and coordination with civilian, law enforcement, and intelligence partners. The recommendations are designed to bolster cyber defense, cyber offense, law enforcement efforts, the cyber incident reporting regime, cryptocurrency efforts, and international efforts. Taken together, these expert recommendations offer a road map for progress in the U.S.’s ongoing fight against ransomware.


Gary Corn is the director of the Technology, Law & Security Program and adjunct professor of cyber and national security law at American University Washington College of Law; a senior fellow in national security and cybersecurity at the R Street Institute; a member of the editorial board of the Georgetown Journal of National Security Law and Policy, and the founder and principal of Jus Novus Consulting, LLC. A retired U.S. Army colonel, Corn previously served as the staff judge advocate to U.S. Cyber Command, as a deputy legal counsel to the chairman of the Joint Chiefs of Staff, the operational law branch chief in the Office of the Judge Advocate General of the Army, the staff judge advocate to United States Army South, on detail as a special assistant United States attorney with the United States Attorney’s Office for the District of Columbia, and on deployment to the former Yugoslav republic of Macedonia as part of the United Nations Preventive Deployment Force and as the chief of International Law for Combined Forces Command, Afghanistan.
Melanie J. Teplinsky is an adjunct professor at American University, Washington College of Law (WCL); a senior fellow in the Technology, Law and Security Program at WCL; and a faculty fellow at American University’s Internet Governance Laboratory. Ms. Teplinsky previously practiced technology law at Steptoe & Johnson LLP and served (pre-IPO) on the advisory board for CrowdStrike Inc.

Subscribe to Lawfare