Fortinet was proud to have been asked to participate in the first INTERPOL High-Level Forum on Ransomware, held online on July 12, 2021. FortiGuard Labs' Derek Manky joined other cybercrime experts (including INTERPOL’s Secretary General and Executive Director of Cybercrime, the Chief of Cybercrime at the United Nations, leaders from the World Economic Forum, and members of law enforcement agencies from around the world) to discuss the rapid rise of ransomware around the world and its growing impact on the world economy. Manky has also been a member of the INTERPOL Global Cybercrime Expert Group (IGCEG) since its inauguration in 2015. The IGCEG is a select group of cybercrime experts who participate in annual workshops to tackle various problems.
Much of the forum was dedicated to discussing the real-world impact of cybercrime on organizations globally, including businesses, critical infrastructure, and essential services, especially healthcare. These are very timely topics, given several recent high-profile ransomware attacks and FortiGuard Labs research showing ransomware on the increase.
Presenters were also quick to point out that while high-profile attacks get most of the attention, most attacks never make the news, and many go unreported. The reason for the wide range in ransom demands is related to the sophistication of the criminal enterprises running these attacks. Today’s cybercriminal activities are often highly distributed.
Manky also spoke about a new threat mapping project he is running in conjunction with the World Economic Forum. This effort is focused on mapping cybercrime, including the ad hoc organizations running attacks like ransomware, as a strategy for combating cybercrime. The goal is to create a strategic tool to help effectively understand the scope of the problems and then use that information to disrupt cybercrime.
This is harder than it looks. While there may sometimes be a well-known criminal name attached to a high-profile attack, the reality is that there are often dozens of independent contractors collaborating in anonymous underground chat rooms to pull off that attack. Another aspect of this project involves addressing the lack of a common framework for discussing and tracking these elements. Instead, different researchers and organizations use different names to attribute them, which simply adds to the confusion.
No criminal activity generating billions of dollars in revenue is run by lone wolf actors. Instead, a growing percentage of cybercriminal operations are the result of loosely affiliated groups working together for a common goal. Some produce the crimeware (such as developers, packers, and individuals with expertise in special platforms), others are enablers (like nation states and hosting services), and some are members of the primary criminal organization running the operation. The most common elements, or business units, if you will, in a ransomware attack include:
Ancillary to the complex structure of many ransomware campaigns is the challenge of capturing those responsible. This challenge has two elements:
Because many of the services outlined above are provided anonymously in Dark Web chat rooms, catching one person or group does not stop an organization. Like the fabled nine-headed hydra, if one head is cut off it will simply grow back—or in this case, be replaced by a new individual or organization willing to provide the same service. The other challenge boils down to international borders. While there has been some success at hunting down cybercriminals, they still successfully evade capture because some countries are less willing to cooperate.
At the end of the conference, there were four key takeaways that should be used by law enforcement and other agencies, both public and private, to help staunch the tide of ransomware. For governments and law enforcement agencies, these takeaways are:
Achieving these objectives also requires a close partnership with the private sector. Public agencies need to combine their efforts with advanced prevention, detection, and response technologies, threat hunting and criminal tracing capabilities, best practices and training, and advances in AI and machine learning to effectively combat and counter the growing sophistication of today’s cybercriminal enterprises.