Security BSides Las Vegas 2025

Ransomware As Canary For Societal Disruption
2025-08-05 18:00-18:30 (Africa/Abidjan), Copa

Ransomware is one of the more prevalent and expensive cyber incidents, and more pervasive and arguably more disruptive than outright disruptive cyber attacks. In this discussion, we will review the impact of ransomware on critical social services and functions, and detail how unchecked such operations may lead to unacceptable disruption in vital services and operations. Based on this understanding, we will then expand the conversation in two directions: how addressing the ransomware issue through defensive countermeasures and preventative investment can also curtail more "advanced" actor operations; and how dealing with pervasive cyber threats may justify enhanced countermeasures to deny, deter, or degrade adversary capabilities. From this discussion, we will arrive at a nuanced, complex view of the ransomware ecosystem and its outsized role in actual, observable critical infrastructure disruption.


Ransomware, like other e-crime actions, is typically viewed as a nuisance and a law enforcement matter from a policy and strategic perspective. However, the economic impact of ransomware (along with other crimes such as business email compromise) is vast, while the disruptive impact - to schools, hospitals, the industrial base, and civil functions - is immense. Compared to actual cyber "attacks" outside of events in Ukraine, ransomware has arguably had a much greater impact on societal function than any "APT" intrusion or incident across the developed world.

To set the stage, we will first review the persistent and long-standing e-crime epidemic and particularly disruptive events such as ransomware that induce loss of availability and functionality. While ransomware carries a significant economic cost in payouts and lost output, there is also a non-trivial social cost in lost functionality related to the operations of schools, hospitals, local governments, and similar entities. When reviewed in detail, especially in the cases of rural hospitals and similar disadvantaged entities, ransomware may serve as a killing function for vital services for marginalized populations.

With this context in mind, we can then review the nature of ransomware operations: often aligning or overlapping with the same tactics, techniques, and procedures employed in supposedly more concerning state-sponsored intrusion operations. Based on this threat actor convergence in behavior, we see an interesting opportunity: that defending against and closing opportunities to criminal actors will improve community defense against a variety of threat actors. For example, the rapid weaponization and exploitation of vulnerabilities in edge devices represents a primary initial access mechanism for both state-sponsored and criminal entities. Developing and implementing planning to more rapidly address these items while advocating for improved development and engineering practices at vendors may thus reduce the impact and likelihood of an incident from multiple threats.

However, defensive measures cannot just be passive in nature. The critical nature of disruptive ransomware to vital societal functions also demands active measures to reduce the scope of adversary activity. This "impose cost" approach is increasingly popular in the current administration, but carries operational and ethical costs depending on how far it is pushed. Yet simply standing by and letting adversaries operate with relative impunity places a significant burden on often poorly-resourced organizations to respond to and mitigate against such threats. Therefore, we will discuss a "reasonably effective and ethically supported" approach to counter-ransomware operations focused on targeting adversary infrastructure, operations, and communication networks for disruption utilizing law enforcement and other authorities.

From this discussion, we will arrive at a conclusion where the ransomware (and broader e-crime) threat is simply no longer sustainable under current mechanisms. By providing for response functions both passive and active in nature, we can "drain the swamp" of ransomware operations to provide greater resilience to critical societal functions across the western world. Furthermore, doing so may not just dramatically alter matters with respect to criminal entities, but have the positive externality of making life significantly harder for state-sponsored hacking teams to breach critical infrastructure entities for more focused and targeted disruption.

Joe Slowik has over 15 years of experience across multiple domains in information security. Starting with the US Navy where he performed multiple offensive and defensive roles, Joe has continued his threat-informed and threat-centric career in cyber across multiple public and private organizations. Joe currently conducts in-depth research into critical infrastructure cyber threats and their potential impacts while engaging in extensive teaching through his company Paralus LLC.