
New Ideas for Fighting Ransomware Attacks – Enlightenment from the Evolution of Traditional Hostage-taking Incident Handling Methods

Posted on: 02/26/2022

[Editor’s note] The growing threat of ransomware has policymakers and corporate America wrestling with how to deal with it. However, extortion of money itself is nothing new. In fact, the United States has a long and painfully troubled history on the issue. Danielle Gilbert of the U.S. Air Force Academy was inspired to study ransomware, drawing on the history of hostage-taking to determine how to deal with ransomware problems.

“Wait, is it just me, or is there a massive ransomware attack every two months in the past?” On a recent episode of “Last Week Tonight,” host John Oliver confronted the apparent surge in ransomware incidents head on. These attacks, which have been around for 20 years, involve infecting digital devices such as smartphones or computers with malware and encrypting and/or threatening data until a ransom is paid. But as perpetrators have targeted critical infrastructure and dramatically increased their demands, the attacks have recently reached a fever pitch. This year alone, ransomware attacks have disrupted the largest U.S. oil pipeline and a meatpacking plant that produces one-fifth of U.S. beef; a ransomware gang carried out the largest attack on record, demanding that 17 countries spend $70 million to decrypt equipment. Attacks on hospital systems and local governments are devastating but common. Software company Emsisoft reports that in 2020, 2,354 local governments, healthcare facilities, and schools in the U.S. were hit by ransomware, a number that is almost certainly a gross underestimate.

Ransomware may be new, but hostage-taking is not. The United States has faced hostage problems for decades, if not centuries. From the Barbary Pirates to Bowe Bergdahl, hostage crises have attracted significant media attention and fundamentally changed U.S. policy. Hostage-taking violence remains a thorny issue in international security long after the embassy incidents and wave of hijackings in the 1970s. According to the former head of the FBI’s interagency Hostage Recovery Fusion Cell, “U.S. citizens abroad are being kidnapped on a weekly basis.”

The hostage-taking incidents of the past half century have provided valuable lessons for understanding and responding to ransomware attacks. The similarities between these two forms of coercion can tell us a lot about the dynamics within them. The successes and failures of U.S. hostage rescue policies can help assess policy options against this new threat.

The power to hurt

Both hostage-taking and ransomware are coercive tactics that use captivity to demand concessions. While not strictly hostage-taking (no one is taken), ransomware underscores what Thomas Schelling calls “the power to hurt.” It requires the target to make concessions in order to prevent future suffering.

Both hostage-taking and ransomware attacks create a kind of bilateral monopoly: a fake marketplace with only one seller (the perpetrator) and one buyer (the target). As a result, criminals can take advantage of their inherent price sensitivity to make exorbitant demands and expect them to be met, raising ransoms into the tens of millions of dollars. Yes, these attacks help make money, but they can also highlight vulnerabilities in the system or embarrass an adversary. Famous hostages like American heiress Patty Hearst and Colombian presidential candidate Ingrid Betancourt have drawn attention to their captors and challenged the state’s monopoly on violence.

These famous cases show that the hijackers were there to gain public attention, and many did. But the vast majority of hostage-taking and ransomware attacks happen in secret. The target may want to avoid the reputational damage of looking insecure. They may also avoid going public so they can make concessions without fear of retaliation. Some notorious kidnapping hotspots have implemented legally binding mechanisms to prevent targets from paying ransoms, hoping to dampen hostage-taking in general and reduce its frequency. In Colombia and Italy, for example, when families report kidnappings to law enforcement, anti-kidnapping legislation freezes their assets. Such a policy undermines the incentive to report.

Additionally, both state and non-state actors can take hostages or use ransomware. While kidnappings have traditionally been the purview of criminal and political armed groups, countries including China, North Korea, Turkey and Iran have all engaged in hostage diplomacy, taking foreigners as leverage under the guise of the law. Some states condone hostage-taking by providing perpetrators with safe havens. These state protections are a major driver of ransomware attacks, as Russia protects (and perhaps hires) hackers to commit these crimes overseas.

In all these respects, ransomware resembles the hostage-taking violence of the past. In recent years, malicious manipulation of data for profit has endangered human life. Attacks on critical infrastructure underscore how digital attacks behave in the real world; attacks on hospital systems can be deadly. As ransomware gets closer to holding people hostage, its innovations make it harder to guard against.

How ransomware is different

Ransomware is the latest in a series of paradigm shifts in hostage-taking driven by new technologies. For example, the growth of commercial air travel in the mid-20th century fueled a wave of plane hijackings in the 1960s and 1970s. The rise of smartphones and portable internet technology in the early 2000s pushed hostage-taking from public to covert operations. Being able to create and distribute high-profile videos of hostage violence from relative safety means that perpetrators no longer have to negotiate their way out or fight to the death.

Two new technological changes make ransomware particularly attractive to criminals without a corresponding benefit to the target.

First, cryptocurrencies make paying ransoms safe and easy. Before the advent of cryptocurrencies, kidnappers collected ransoms through a “drop” (the target delivering an agreed-upon amount at a time and place of the kidnapper’s choice). The drop is dangerous for kidnappers, as it could provide an opportunity for law enforcement to track down or catch criminals. Traditional wire transfers have also proven to be risky, as such transactions can be easily traced. But paying the ransom in cryptocurrency solves both of the perpetrators’ problems by removing the physical and informational risk of payment. The digital, unregulated and largely anonymous nature of cryptocurrencies makes them very useful to criminals.

Second, “malware as a service” means that a hostage-taking no longer needs a team of skilled professionals. From Afghanistan to Ann Arbor, hijackers rarely go it alone. One of the most consistent elements of a hostage-taking conspiracy is the division of roles in teams of 10-15 criminals, with different roles responsible for gathering intelligence on the target, carrying out the kidnapping, protecting the organization, and negotiating the release of the hostages. This dynamic has changed dramatically now that off-the-shelf ransomware and malware services are widely purchased. In other words, a ransomware attack can be carried out by almost anyone, regardless of whether they have the relevant skills and knowledge. The proliferation of malware-as-a-service that doesn’t require people to learn special skills before using it has invited “lone wolves” to wreak havoc.

Lessons from America’s Hostage Policy

Efforts to curb hostage-taking have taken different approaches over the past 50 years, with varying results. The familiar debate about punishment has resurfaced as the White House created a new ransomware task force and released resources to businesses and the community. Past efforts to stop hostage-taking can provide valuable lessons for future ransomware battles.

The first is to take all possible measures to prevent ransomware in the first place. Countless articles offer the same straightforward list of ransomware prevention measures: segment your network, maintain backups, install security updates, secure passwords, implement multi-factor authentication, and train your team on cybersecurity measures. This advice is consistent and prolific, but adoption is low.

Unfortunately, history shows that preventive measures are difficult to achieve and only become apparent in retrospect. In the 1960s and 1970s, a plane was hijacked every five and a half days. However, commercial airlines were reluctant to implement new safety and screening measures for passengers, fearing the inconvenience would affect business. As a result, the hijackings continued until airlines began X-raying luggage in the 1980s. Airport security is no fun, but it has largely made hijacking a thing of the past.

The second method is what law enforcement and security officials call “benefits denial” — policies and tactics designed to prevent criminals from enjoying the fruits of their labor. This could mean, for example, ensuring that the hijacker receives a ransom paid in counterfeit currency, or recovering the funds before the hijacker spends them.

The “no concession” policy is also intended to deny benefits to hijackers. These policies assume the perpetrators know which targets won’t pay and stop attacking them in the future. Existing research shows that targets that did pay the ransom yesterday were more likely to be kidnapped tomorrow than those who refused the ransom. That’s the logic behind the call to make ransom payments to cybercriminals illegal, including the insightful and creative choices posted on this site. (For example, paying the ransom is tax-free, which seems especially shocking.)

However, given their track records, these policies are neither wise nor likely to contain ransomware attacks in isolation, for three reasons.

First, making ransomware payments illegal would mean a dramatic change in the current ransom policy in the US. Although the US is known to pursue a “no concessions” policy, current law only prohibits ransom payments to US-designated Foreign Terrorist Organizations (FTOs). At the time of writing, it is perfectly legal for the U.S. government, a business, or an individual citizen to pay ransom to any other hostage taker, whether foreign or domestic criminals, non-FTO armed groups, or even a state. We rely on these payments to bring home hundreds of Americans kidnapped abroad. Making ransom payments illegal only in a virtual context is inconsistent with current U.S. law and could force a reckoning with decades of U.S. policy.

Second, a complete ban on payments is unlikely to work, as individual targets always have an incentive to cheat when the lives of their loved ones (or their data) are at stake. At the national level, this can also have detrimental effects. As I have written elsewhere:

In 2007, G8 leaders agreed to “abstain” from paying ransoms to terrorist groups. Over the ensuing decade, however, some G8 leaders offered al Qaeda and ISIS hundreds of millions of dollars in ransoms. This is especially damaging when a criminal takes hostages from countries with different policies. For example, ISIS’s French, German, Italian and Spanish hostages were released, and American and British hostages were brutally killed. This patchwork of less-than-ideal legal systems, in which some states “take a hard line and others are open to dialogue,” demonstrates the urgency of coordinating deterrence.

Third, punishing the target (rather than the perpetrator) could lead to a huge political backlash. Ransom payments to FTOs are illegal in the United States under Section 2339(B) of the Material Support Statute: ransom payments to terrorists count as material support to terrorist organizations. In practice, that means telling family members that saving their loved ones is funding future terrorism. The episode of James Foley, Steven Sotloff, Peter Kassig and Kayla Mueller, captured by ISIS in 2014, culminated in parents petitioning the White House to rescue their imprisoned children. The surviving Foleys told ABC News they were repeatedly threatened by an officer on the White House National Security Council and a State Department official: Pay and you’ll be prosecuted as a criminal.

Translating this dynamic into ransomware, it’s easy to imagine that threatening or punishing sympathetic crime victims would spark a serious political backlash. Lives will be at stake as targets shift from tech companies to critical infrastructure. Policymakers should think twice before holding victims accountable for stopping these attacks.

Instead, anti-ransomware policies should focus on punishing perpetrators. Some existing hostage recovery policies target criminals directly through specialized units with the aim of disrupting hostage-taking raids. In the United States, this takes the form of the FBI’s hostage rescue team and two military special forces (the Army’s Delta Force and the Navy’s SEALs), which train relentlessly to disrupt hostage crises around the world. In Colombia, specialized units of both the police and the army focus on hostage-taking; they are credited with the dramatic decrease in kidnappings in Colombia over the past 20 years.

Recent news suggests that the upcoming crackdown is already having an impact on criminals, but more needs to be done. The White House has moved forward with a number of initiatives to strengthen cybersecurity, including a ransomware task force, a website highlighting prevention resources, and the Rewards for Justice program. But without serious investment in the FBI’s investigative and intervention capabilities, criminals will continue to attack the least secure among us.

In the absence of a clear and consistent policy, the response to hostage-taking highlights the importance of developing harm mitigation techniques. A strong hostage-response industry (including kidnapping and ransom insurance agents and private hostage negotiators) brings skills, experience and discipline to regulate the market. Their role is primarily focused on covering the target’s costs from a kidnapping, mitigating harm, and facilitating the recovery of hostages, while making raids take longer and lowering the perpetrator’s profits.

Two approaches to mitigate the damage seem promising.

First, professional hostage negotiators advise the target to never pay the initial ransom demand, but to push back and negotiate a lower price. Hijackers often demand more money than they expect to receive; when the target pays right away, the abuser thinks they didn’t ask for enough. At the very least, making a credible counter-offer could dampen the exponential growth in ransomware demands.

Second, taking hostages in the real world is costly: criminals must have sufficient resources to provide their prisoners with food, clothing, and shelter while in captivity, while protecting their organizations from counter-insurgency or police persecution. Operating in the digital realm (and with Russia’s safe harbor), such costs are unlikely to translate. But stalling tactics could provide a greater opportunity for law enforcement to intervene or allow targets to find alternatives to recovering their data. Time or other factors that increase the cost to the perpetrator can mitigate harm to the victim.

In recent years, policymakers have passed legislation and established cross-agency efforts to address hostage-taking directly and comprehensively. Equal attention to ransomware must work on all fronts: enhancing the FBI’s ability to track and recover ransoms; confronting the challenges of cryptocurrencies and Russia’s safe havens; and keeping the most vulnerable health, energy, food, water, transportation, and emergency departments protected from attack. Failure to do so risks becoming a hostage in the future.
