Ransomware Task Force Details Impact of Disrupting Operators

Law Enforcement Efforts Are Having at Least a Measurable, Tactical Impact
Left to right: Institute for Security and Technology's Trevaughn Smith, future of digital security associate; Taylor Grossman, deputy director for digital security. (Image: IST)

While a new Ransomware Task Force study of 2023 ransomware group disruptions finds they're often "tactical and temporary," report co-author Taylor Grossman said recent, major law enforcement actions may "really strategically pull them apart and make it harder for them to regroup."

The new report is based on 2023 incidents, using data gathered by eCrime.ch, which monitored 66 ransomware groups' data-leak sites to help track ransomware incidents across 117 countries. Most of these involved ransomware-as-a-service groups that practice double extortion, meaning they demand separate ransom payments: one for a file decryptor and another for a promise to delete stolen data, with the threat backed by the use of a data-leak site.

Analyzing the data, the Ransomware Task Force - launched in 2021 to better coordinate the public and private approach to combating such attacks - found the quantity of double extortion ransomware attacks surged 73% from 2022 to 2023, underscoring the extent to which the ransomware-as-a-service or RaaS model continues to lead to massive profits for its criminal practitioners.

Grossman said the eCrime.ch data doesn't yet reflect the impact of recent, major law enforcement efforts such as Operation Cronos, which has been targeting the LockBit group (see: Cybercrime is Still Evil Incorporated, But Disruptions Help).

Another caveat is that groups may be getting disrupted in ways that are harder to track or measure, and which may not be reflected by the eCrime.ch data, "such as affiliates shifting underground, maybe payments decrease - which may correspond to a decrease in activity - but not necessarily a decrease in ransomware attacks," said report co-author Trevaughn Smith.

In this video interview with Information Security Media Group, Grossman and Smith also discussed:

  • The extent to which online attackers don't need zero-day vulnerabilities or advanced capabilities to amass significant criminal profits;
  • Efforts to better coordinate ransomware information exchange, which includes mapping the flow of payments from victims to attackers;
  • The Blueprint for Ransomware Defense, an RTF action plan designed to help small and midsize organizations plan for ransomware mitigation, response and recovery.

At IST, Grossman works on the Ransomware Task Force and other ongoing projects. Previously, she was a senior researcher in the Cyberdefence Project at the Center for Security Studies at ETH Zurich, where she served as a policy consultant for the Swiss government.

Smith supports the Ransomware Task Force and other IST initiatives. He has a background in computer security and data privacy and is dedicated to advancing conversation and research around cyberdefense, with a focus on cyber-poor communities.


About the Author

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.



