Combating Ransomware: Lawmaker Wants Spies 'Hacking Back'
Australian Politician Argues 'Releasing the Hounds' Necessary to Deter Attacks
A member of Australia's Parliament is calling for the government's spy agency to take offensive action against some of the world's most notorious ransomware gangs.
In a speech before Parliament on Thursday, Tim Watts called for the government to "unleash the hounds" against ransomware groups that are threatening Australia's business and health sectors.
Watts and his opposition Labor Party are calling for the government to create a national ransomware strategy. "Ransomware has just gotten out of control and is an intolerable burden on our economy and our nation," Watts tells Information Security Media Group.
His call comes as allies are likewise scrambling to better combat crypto-locking malware attacks and digital extortion.
In the U.S., President Joe Biden's administration has been facing increasing pressure to help businesses and blunt attacks, and the Justice Department recently announced that it will give ransomware incidents a similar priority to terrorism cases (see: White House Urges Businesses: Improve Ransomware Defenses).
With recent attacks on our hospitals, TV networks, political parties & now our biggest meat processor, ransomware is out of control.
It's time for the Morrison govt to act.
It's time to 'release the hounds' & task @ASDGovAu to disrupt the ransomware gangs menacing Australia: pic.twitter.com/HDFijd8tSA
— Tim Watts MP (@TimWattsMP) June 2, 2021
Ransomware attacks have become a fixture of Australian life in recent years. Watts says that this year alone, eight Australian hospitals have been disrupted, as was broadcaster Nine Entertainment in March (see: Australian TV Channel Disrupted; Ransomware Suspected).
Some meat production in Australia was also temporarily disrupted early last week after the attack against JBS, which is the largest meat producer in both Australia and the world (see: White House Puts Russia on Notice Over JBS Ransomware Hit).
Proposal for Disruptive Action
Labor's proposal involves the Australian Signals Directorate, which is a sister agency to the U.S. National Security Agency and Britain's GCHQ, undertaking disruptive action against the groups, most of which are believed to be based in Eastern Europe, including Russia.
Such an approach has also been proposed by experts in some other countries. Former British intelligence official Ciaran Martin, for example, has suggested government intelligence agencies might be allowed to disrupt ransomware gangs, akin to how the White House tasked Cyber Command with disrupting Russia's Internet Research Agency troll farm ahead of the 2018 U.S. midterm elections.
Offensive action won't work on its own, Watts says. But it would be part of a comprehensive ransomware strategy proposed by Labor in February that includes policy and regulatory changes, law enforcement action and diplomatic efforts.
The impetus for offensive actions is to reduce the returns of ransomware groups targeting Australia and also increase the groups' operational costs, thus eating into their profits, Watts says. Government-led disruptions could include targeting command-and-control and communication channels and looking for chokepoints around cryptocurrency payments, he says.
"The objective of our strategy is to alter the target selection calculation that some of these groups have and encourage them to decide that targeting Australian organizations just isn't worth the effort - there's just not a return on investment there to do it," he says.
Watts, like some politicians in other countries - such as U.S. Rep. Jim Langevin, D-R.I. - also supports collecting better data around ransomware, including creating a mandatory reporting requirement for any organization that pays a ransom. "At the moment, a lot of the data on both the incidents of ransomware and on the frequency of payments being made is either survey-driven or anecdotal," Watts says.
In 2016, Australia acknowledged for the first time that ASD had developed an offensive cyber capability. Since then, the agency has described in broad strokes some of the operations, which have included disrupting terrorist groups such as Islamic State and cybercriminal operations.
In early April, Linda Reynolds, Australia's defense minister, said that ASD had disrupted pandemic-related cybercriminal activities, according to a news release.
"We are hitting back through the Australian Signals Directorate, who have already successfully disrupted activities from foreign criminals by disabling their infrastructure and blocking their access to stolen information," Reynolds said.
ASD Director-General Rachel Noble said that the offensive cyber actions "had only just begun, and we will continue to strike back at these cybercriminals operating offshore as they attempt to steal money and data from Australians."
So far, ASD has assisted during ransomware incidents but never in an offensive capacity, The Guardian reports.
During a Parliamentary hearing last week, Noble revealed ASD used its "classified powers" during the Nine Entertainment incident to warn two other organizations of possible targeting by ransomware crews, The Guardian reports. Watts, however, doesn't believe that's going far enough, and he's not the only one seeking a broader approach.
Casey Ellis, who is CTO, founder and chairman of the vulnerability disclosure platform Bugcrowd, argues that the lack of serious deterrents has seen ransomware crews act with increasing impunity over the last three to four years. Accordingly, he says using ASD's offensive capability would be an important step, both for the public and for sending a deterrent message to attackers.
But he stresses that offensive actions would be no replacement for having proper defenses in place, since no deterrent will be fully effective, and attacks are sure to continue. "At that point, the only other option you've got is to make sure you've got a proper defense when they show up," Ellis says.