The Strategic Intelligence Value of Ransomware

Simon Handler
Wednesday, December 15, 2021, 9:00 AM

Foreign intelligence services can siphon a wealth of information from ransomware operations that are of operational and strategic value.

A bundle of wires. (Simeon Berg, https://tinyurl.com/yxokdsvg; CC BY 2.0, https://creativecommons.org/licenses/by/2.0/)

Published by The Lawfare Institute
in Cooperation With
Brookings

Ransomware implies a financially motivated crime. The theft of millions of dollars through extortion is the modern expression of a tactic far older than the digital systems so commonly afflicted. But focusing on ransomware as criminal activity overlooks the real strategic value these operations can provide their owners. Ransomware can be used to disruptive effects without any credible desire for financial gain (Russia), to bring in financial support for strategic weapons programs (North Korea), as well as for cover for, if not the direct operation of, intelligence collection.

This last strategic effect deserves specific consideration as the U.S. government and its allies work to counter ransomware operations after a recent surge in widely reported incidents. Many of the policy tools to better harden government and private-sector systems and to pursue criminal ransomware gangs may fail to address the strategic intelligence risks that ransomware operations can pose. This creates a risk of surrendering valuable information to adversaries through ransomware groups operating on their behalf or in some coordination. The surrendered information can provide both operational insight and strategic leverage to adversaries in an ongoing intelligence contest with the United States and its allies in cyberspace.

Ransomware is designed to encrypt a target’s data until the victim pays a demanded ransom to the attacker, in exchange for the data’s decryption. Publicly reported ransomware operations appear to be perpetrated largely by financially motivated criminal organizations. These operations have a low technical barrier to entry, as aspiring ransomware groups do not require extensive technical know-how to deploy ransomware but, instead, can rely on an emerging market of Ransomware-as-a-Service providers to supply the tools and operational support. This market drives an evolving array of ransomware as the success of one group begets imitation, evolution and further success by others.

One such evolution in recent years is the rise of double-extortion ransomware. This tactic threatens not only data encryption but also the theft and/or leak of the information. At least 16 ransomware groups are known to have used the double-extortion tactic in 2020, compared to just one such group in 2019. And according to one 2021 report, double-extortion ransomware cases increased 935 percent over the previous year. Certain foreign intelligence services are keen to develop discrete partnerships with ransomware groups, which can provide valuable information collected in the process of their criminal operations. Research has indicated that Russia’s Federal Security Service (FSB) and Foreign Intelligence Service (SVR) benefit from close working relationships with multiple Russian ransomware groups.

Foreign intelligence services can siphon a wealth of information from ransomware operations that are of operational and strategic value. These operations might not permit direct collection against a mature government entity but provide ready access to less well-defended entities of tangible personal value like hospitals, mental health practitioners, banks, research laboratories and government contractors. An October 2021 ransomware attack on Planned Parenthood Los Angeles and the subsequent information leak demonstrated the vast amount of sensitive data that ransomware operations could exfiltrate from the right targets—400,000 patients’ personal information, including details on diagnoses, procedures, and prescriptions, was divulged.

Operationally, this information can support future cyber or human intelligence operations. For instance, by obtaining information about a target’s habits and routines, communication contents and style, financial stability, and potentially compromising material, a foreign intelligence service could better understand an individual’s access, susceptibility and suitability for potential recruitment as an intelligence asset. At the strategic level, states could leverage this information to shape their own behavior, engage in influence campaigns and obtain intellectual property to spur innovation.

Though not a ransomware example, the Sunburst cyber-espionage campaign demonstrated Russia’s active pursuit of operational and strategic information through cyber operations across the public and private sectors. The well-publicized compromise of SolarWinds’ Orion software was one of the multiple vectors leveraged by the SVR to gain access to the agency’s ultimate prize—the Microsoft Office 365 cloud environments of targets of interest. Among the compromised targets were senior government officials, industry leaders, and—in at least one case—a U.S. cabinet-level official, whose emails, calendars and files were vacuumed up in the campaign. In October 2021, reporting indicated that through the Sunburst campaign the SVR gleaned operational and strategic information on U.S. counterintelligence investigations and sanctions policy against Russian individuals, respectively.

Ransomware provides novel benefits over standard cyber operations for this kind of collection because its intelligence value gets lost in the noise for policymakers concerned about disruption and economic ramifications. The Biden administration highlights in its ongoing efforts to counter ransomware the “financially driven nature of these activities,” calling out the hundreds of millions of dollars that businesses shell out in ransom payments. The administration has made no public reference to the threat of data exfiltration, its potential strategic intelligence value to adversaries, or efforts to counter them. Among the other benefits that ransomware can provide adversaries, as demonstrated by Russia’s 2017’s NotPetya attack, ransom demands can serve as a ruse to cover up the true intentions of an operation, distract defenders and foul up forensic recovery. An incident responder preoccupied with a cyber-espionage operation masquerading as ransomware may be slower to realize the operation’s true purpose. Perhaps most importantly, these operations muddle the attribution process, allowing states to work through ransomware groups rather than risking exposure by directly engaging in operations.

In a relationship between state intelligence agencies and ransomware, states can provide passive support in the form of operational safe havens, on the condition that the groups do not target entities within the state’s territory. States may also provide more active assistance to ransomware groups throughout their operations, providing direction and even technical support—further blurring the line between state-sponsored and non-state operations. Partnerships between intelligence services and ransomware groups can provide states like Russia a degree of separation—and plausible deniability—from operations that may appear criminal on the surface.

A foreign intelligence service need not necessarily deploy ransomware directly or collaborate with those who do. Through surveillance akin to “fourth-party collection”—whereby an intelligence service may actively or passively collect intelligence on the control servers of another foreign intelligence service to spy on the activities of the foreign spies—foreign intelligence services can maintain an additional degree of separation by visiting the well of unsuspecting ransomware groups. There, they can snoop on the ransomware groups’ hauls, where these groups find potentially valuable intelligence targets—however unwittingly.

Policymakers have, by and large, viewed the surge in ransomware attacks as a mostly economic challenge with disruptive effects. While many ransomware operations are financially driven and cause undeniable harm to small- and medium-sized enterprises, the U.S. government and its allies can take further action to mitigate the strategic intelligence value of ransomware to adversaries and the concomitant risk of surrendering leverage in cyberspace. As outlined in the Atlantic Council’s report, “Countering Ransomware: Lessons From Aircraft Hijacking,” mitigations should consist of passive and active security measures to prioritize security across the ecosystem while imposing costs and seeking out the root of the problem.

Ransomware’s low cost and marked effects present a cocktail of challenges for cybersecurity policymakers. Recognizing and reacting to the potential strategic intelligence value of ransomware operations to major adversaries would help avoid missing a pernicious threat for the overemphasis on a louder one. The U.S. government and its allies as a result would compete more effectively amid a period of heightened strategic competition.


Simon Handler is a fellow at the Atlantic Council’s Cyber Statecraft Initiative within the Scowcroft Center for Strategy and Security. His research focuses on cyber strategy, counterterrorism and counterinsurgency, and the Middle East. Previously, he was assistant director of the Initiative, a role in which he managed a wide range of projects at the nexus of geopolitics and international security with cyberspace.

Subscribe to Lawfare