Lawfare Daily: ‘Ransom War’ with Max Smeets

Published by The Lawfare Institute
Max Smeets, Co-Director of Virtual Routes and Senior Researcher at ETH Zurich, joins Lawfare’s Jonathan Cedarbaum and Justin Sherman to discuss his recently released book “Ransom War: How Cybercrime Became a Threat to National Security.” They discuss the history of ransomware (including the term itself), how the threats have evolved over the years, and some of the major drivers of innovation and entrepreneurialism within the ransomware ecosystem. They discuss Max’s findings on the “trust paradox” facing ransomware groups, the internal business dynamics of ransomware gangs, how governments leverage ransomware operators to their own ends, and how the United States and Europe can respond to future threats.
Transcript
[Intro]
Max Smeets: From 2018, we have really seen the professionalization of ransomware, where we have really seen these groups coming up that are highly organized and that are targeting not just individuals for a couple of hundred U.S. dollars, but large, large enterprises often asking tens, hundreds, or sometimes millions of U.S. dollars.
Justin Sherman: It's the Lawfare Podcast. I'm Justin Sherman, contributing editor at Lawfare and CEO of Global Cyber Strategies. I, with Jonathan Cedarbaum, Lawfare book review editor and professor of practice at George Washington University Law School, was joined by Max Smeets, co-director of Virtual Routes and author of “Ransom War: How Cyber Crime Became a Threat to National Security.”
Max Smeets: So what the North Koreans are doing is they have now become initial access brokers for Russian criminals. So they are doing the access and they're selling that off to Russian criminals who are then doing the follow-on steps, encrypting the data and doing the negotiations, et cetera, et cetera.
Justin Sherman: Today we're talking about the history of ransomware, ransomware groups' internal business dynamics and geopolitical calculi, and the future of threats and responses.
[Main Podcast]
Justin Sherman: Why don't you start by telling us about yourself and, before we get to your book in a minute, how you got started in the field of studying cybersecurity and what are some of your different research and focus areas?
Max Smeets: Sure. It's been quite a while since I moved into cyber. In fact, it was during my undergraduate studies. At that time a book came out from Richard Clarke and Rob Knake in 2010, “Cyber War,” and I was really fascinated by it. At the time I was even a student of economics and statistics. So fascinated that I wrote a paper and then later a student post, presented it at the national conference and talked about why we need cyber deterrence.
And then since then I've never looked back. So after my undergraduate studies, I did an internship in D.C. at the Security Industry Association and I told 'em I was really interested in cybersecurity and they sent me to all the congressional hearings and I had to report back. I think this was a way for them to keep me busy, but I really enjoyed it. I could like listen in to the policy conversations going on at the time.
And then subsequently my graduate degree, my master's, PhD, I focused of course on different topics and projects in cyber, but I continued to focus on them ever since. And then what I'm working on now, Justin, actually yesterday I presented at a conference in The Hague. The Hague TIX, it's a threat intel exchange, and I was presenting my latest research project that I'm doing together with the UK National Crime Agency on LockBit and trying to better understand how we can disrupt this behavior of affiliates that are doing these ransomware operations.
Justin Sherman: That's a good preview. I, I, I know we're gonna circle back to that.
So you've written a wonderful new book. I know Jonathan and I were each fortunate enough (and, and sorry to our listeners, these events are, are over) to hear you speak about this in, in D.C. at a couple of events. The book is titled “Ransom War: How Cyber Crime Became a Threat to National Security.”
As you alluded to, you've also written in a number of other cyber areas, including your other book, which I would also recommend to folks, “No Shortcuts: Why States Struggle to Develop a Military Cyber-Force.” So what made you decide to focus on ransomware for this next book project?
Max Smeets: Yeah, when I finished “No Shortcuts” about three years ago, I felt the easy option would be to write another book on military cyber operations, as that was the field that I've been in for a long time.
My PhD was on that topic too. And I felt, first of all, it was an easy option. And of course there was a lot going on that you could write about. For example, in the UK we saw the development of the UK National Cyber Force that I would certainly feel deserves a lot of attention, and you can think about the conflict in Ukraine and there were cyber dimensions too that certainly deserve a book-length research project as well.
Instead, I decided to move to crime, to ransomware. I mean, when I told this to people initially, they were rather surprised, but for me, this was in some ways the obvious thing to do. First of all, because I really felt it was becoming a real national security issue, both in terms of the risk of hitting significant institutions as well as the impact that it was having on those. Second, I felt that the academic literature in particular had not really looked at it. We had seen some think tank reports, but not a single political science international relations article had been published on the subject.
And third, I felt that there was an enormous amount of data. Which data, I mean both leaks from different groups where you can have this inside view of how they're operating, but also data from a wide range of other sources, whether this is from cryptocurrency exchanges or tracers or from threat intel companies as well. So I felt there was an opportunity here to do a really interesting project, and I'm glad I went in that direction.
Justin Sherman: Well, interesting it is. And it's also notable, as you're saying, I'm just thinking, wow, the disparity between how many headlines have we seen on ransomware versus what you're saying, that it had not yet received sort of that academic political science treatment.
This is a good segue, I wanna dive into the terms a bit. So when listeners hear ransomware, they might think of the news stories I was just referencing about a hospital getting shut down and having the data encrypted or maybe the Colonial Pipeline incident when critical infrastructure was compromised.
Break this down for us. So what is ransomware and why do we use that word? And if you want, maybe a little bit on the history of that word. And is this kind of, of issue a recent phenomenon or, spoiler, kind of a leading question, you know, something that goes back further than one might expect if they were just sort of seeing this in, in various press headlines?
Max Smeets: Yeah, that's a great and important question. So ransomware comes from ransom and malware, right? That combination refers to someone encrypting data and then asking for a ransom. But today, ransomware is a lot more than that. We see multiple forms of extortion where often criminals do not just encrypt your data and ask for a ransom for it to be decrypted, but then also steal your data.
This is called double extortion, and they threaten to publish this data if you don't pay. And then you might have other forms, triple or multiple extortion. For example, we continue to go after you and DDoS you in case you don't pay. So we now have ransomware often used as a term for activity that goes far beyond the encryption of devices or networks.
When it comes to the history of ransomware, we have to go actually quite far back, at least to the late 1980s. And we have to go back to a conference, the fourth International AIDS Conference, when people from the World Health Organization, as well as other policymakers and experts, were coming together, and after they had attended the conference, they would receive a floppy disk in their mailbox several months later.
And on this floppy disk, there was a rather peculiar program. When you would install it, you would be asked a number of different questions. How many sexual partners have you had? How many countries have you traveled to, et cetera, et cetera. And then it would spit out a number and likelihood that you would be contracting AIDS.
And if that number and likelihood were very high, you would see a message that is similar to the ones you would find at the back of a cigarette package. One that would say your lifestyle might kill you, please change it. Now the thing is, after you had installed this program and rebooted your computer a number of times, actually a second message would appear. It seemed like it was a licensing agreement. But you had been locked out of your computer.
And this licensing agreement would ask you to pay 179 U.S. dollars for at least a single license and to send this money to a specific address in Panama through a banker's check or international transfer. And only then would you get access again to your computer. Now, long story short, this program was ultimately developed by a guy called Joseph Popp, a Harvard-educated biologist, a bit disgruntled it seems by WHO, who wanted to make some money on the side.
And he had to set up this elaborate scheme where he is physically mailing these floppy disks, had developed it all himself and had actually, like, you know, developed ransomware that was extremely easy to decrypt at the time. It was relying on symmetric deck encryption. And of course, ultimately it didn't make much money, with the exception of one check being sent to him, and that was from Scotland Yard trying to figure out if he would actually send the decryptor back.
Since then ransomware has developed, and it went through a wide number of important sort of phases. The first phase was the use of better encryption; it started to rely on asymmetric encryption, particularly from the early two thousands.
Second, it started to rely on cryptocurrency and botnet infrastructure, so cryptocurrency and botnet infrastructure. The combination allowed for scaling, both scaling of targets, but also the ability to now get paid from across the world, even if that is not necessarily anonymous.
And then the next big development was actually the, you can say, specialization in this space, where increasingly individuals would sometimes only develop the ransomware and then sell this off to others. This is now called ransomware as a service. It meant also that these individuals became more public because they wanted to advertise their ransom, ransomware to affiliates that could then use it.
Then from 2018, we have really seen the professionalization of ransomware, where we have really seen these groups coming up that are highly organized and that are targeting not just individuals for a couple of hundred U.S. dollars, but large, large enterprises often asking tens, hundreds, or sometimes millions of U.S. dollars.
Justin Sherman: Thank you for that. If this was a video podcast, I'd say too, we sort of have to hold up the floppy disk for those who, who sort of are too young to have ever seen that before. But, so you've mentioned the phases, which is, I know we're gonna get into that as well, which is interesting.
Across time and maybe more recent, however you wanna interpret this, who were some of the leading ransomware groups and are there most illustrative examples of those operations? And then what in your mind, especially today, makes those groups and their activity a threat to national security?
Max Smeets: So across time we have seen different groups that were really innovative, and then we saw copycats following some of their innovative ideas. So we see, for instance, it's called the Snatch Team, and Maze, that were starting with this process of double extortion, leaking data from individuals, and then quickly others followed.
The group that I have looked at most closely for my book is a group called Conti. They were the biggest one in 2022. Some have estimated that they made in that year, in 2021, sorry. They made between 18 and 1.2 billion U.S. dollars. And in this group you see them experimenting with a wide range of different things. Experimenting with hiring individuals that would call up victims, moving away from simply writing phishing emails, experimenting also organizationally, whether they should set up an office space or not.
This group was a bit more hierarchically structured. Following the implosion of that group, and we might be able to get into that a bit later, we see a bit more loosely affiliated RaaS groups, ransomware-as-a-service groups, that have emerged most prominently today. A group that came up after was LockBit, and today we see others as well.
Akira is one of them, for instance, behind the hack or breach against Stanford University. Another group is Qilin, that was responsible for the hack against Synnovis, a business providing pathology services to hospitals in the U.K.
And last, I think it is worth pointing out one perhaps outlier group, which is active today, called Scattered Spider. So the core members of those, that group, are native English speakers from U.K., U.S., Canada, often in their early twenties. And they do really super targeted voice phishing, often to IT help desks, where they pretend they have to reset their passwords, and that's the way that they get in. This was also the group behind the attacks against the retailers in the UK earlier this year.
Justin Sherman: Is it more accurate, I, I'm just curious what you think of this. Is it more accurate to say that the ransomware itself, the, the malware, that the capability is a threat to national security? Is it that the ransomware groups, the actors, are the threat to national security? Is it both?
Max Smeets: So the malware's technical traits matter, how it is developed, the encryption speed, the ability to decrypt. All of those things allow for a form of extortion that we may not have seen before. And when we talk about ransomware today, it is not just about this locker, it's about actually this ecosystem of activities that take place to enable ransomware.
But those traits only become a hazard, a national security hazard, when they are directed against certain organizations by certain groups or individuals. So if I have to choose between the two, it's certainly the groups that are a threat to national security, and these groups have proven and shown that they are very willing to target a wide range of different entities, whether this is government entities like we have seen in Montenegro or Costa Rica, or whether this is healthcare infrastructure or whether this is any other significant provider.
At times though they don't even know what they're hitting. For example, you might see cases where a provider for the food industry or water sector is hit and the ransomware group wasn't even aware of how significant it is. So sometimes in a weird way it becomes a national security threat simply because of almost collateral damage of their for-profit business.
Jonathan Cedarbaum: Wow, Max, you offer a very interesting, innovative framework for understanding ransomware groups in your book. It has three parts: modus operandi, organizational structure, and branding and reputation, which you sum up with a very convenient acronym, MOB, M-O-B. Can you describe for our listeners what are each of those components of your framework and why are they important?
Max Smeets: Yeah, I tried to come up with a framework to really help us better understand how these groups operate, how the ransomware groups today differ from the ones in the past, how they differ from state actors and how we can analyze them. And the MOB framework allows us, first of all, to, to, to look at this across these three lenses.
So modus operandi is really about the playbook of these groups. How do they get access? And then not only how do they get access and then ultimately encrypt your data, but also the process after. How they then actually make sure that they have you pay in those negotiations, and how then they make sure that after you pay they actually can cash out that money. And that's a much more difficult process than some people realize.
Organizational structure focuses on the hierarchy of these organizations and even specific questions. You know, do they have office infrastructure or not? Where are they based? How are they thinking themselves about business expansion? What are the type of targets that they seek to go after? To what degree do they want to set up specific teams, et cetera, et cetera.
And then branding and reputation is the most frequently ignored element of ransomware groups, but in my view, one of the most important ones. How do they, they position themselves towards other ransomware actors in the ecosystem? For instance, how do they use their branding and reputation to recruit new affiliates to actually hack for them and not another group?
And secondly, how do they position themselves to the broader public as well as their victims to build up a reputation as well for being credible. So those are the three elements of the framework, and when you look across those three elements, you see that ransomware has qualitatively changed from where it was, especially a decade ago.
And then, you know, we didn't see a very clear playbook that these ransomware groups were following, whilst today there is a, what I described, an 11-step process that they go through with a very clear, almost manual of, again, how to get access to ultimately being paid out. A decade ago it wasn't organized in the same way as today, either very hierarchical or loosely, but at least in a coordinated manner.
And a decade ago, we didn't see the type of branding that you see today as well. In fact, much of the ransomware at the time wasn't really shown as ransomware, but more as scareware. So someone would lock you out of your computer and then a, a message would appear. For instance, we are the police and you have been looking at pornographic websites and if you don't pay us, then we are going to arrest you, or something of this kind. So that's very different in terms of that branding element than the ransomware we see today.
Justin Sherman: That's interesting. 'Cause as you say that, I do recall seeing in the news, again, I have no idea how prominent this was and didn't dig into it, but some headlines recently about people getting those kinds of popups, right? Like, oh, we've, you know, videoed you watching porn on your laptop, click here. And then when they click it, it opens, you know, a malware PDF.
You mentioned reputation. One of the other very interesting points in your book concerns what you call the trust paradox that faces ransomware groups, and perhaps faces all of us, which refers to the incentives that these actors have to actually deliver on their claims versus cheating their victims. Talk to us about this dynamic and what does this mean both for the groups that are perpetrating these operations as well as their targets.
Max Smeets: Yeah, the ransomware trust paradox has become a really important component in my book. I didn't realize that when I started, but towards the end I realized it's really central to my writing, and it's a really simple principle.
Whilst ransomware groups inherently have to deceive their victims, broadly defined, you know, writing a phishing email to get access, encrypting their data, et cetera, they also need to gain their trust. They need to gain their trust in two ways. First of all, the victim needs to believe that they are skillful enough that after they have paid, let's say a hundred thousand or even a million, that they actually get a working decryptor from this ransomware group, and that's not always an easy feat.
Second of all, they need to be seen as reliable enough that they're following up on their promises. That after you've paid a million or so, this ransomware group is not going to upload this data on their leak site and that they are going to supposedly delete this data off their own server. Without this belief, you're not going to pay them.
And so the big question for ransomware groups is how do they develop this trust from their victims? And they do this in a number of different ways, and sometimes similar ways to what we can think about for legitimate businesses. With legitimate businesses we know that an important element is to prove that you have the capacity to do something.
You know, a car vendor will tell you, please go and drive this car, and I showcase that this car is actually working. In the same way, a ransomware group will say, well, please send us two files. We will decrypt them for free. It's a showcase that they actually have a working decryptor.
The second way in which we develop trust is by focusing on this communication element. We know from business that repeated interaction and communication will help in gaining trust. Hey, I'm checking in here. I'll send you an email in two hours when I'm finished with this job, and then you follow up in two hours and you explain what you've done. All of these elements can help in a business setting between individuals and how they are coordinating.
Similarly for ransomware groups, you would often find on the leak site a frequently asked questions page where you can find out what you need to do after you've been ransomed. Or groups like Clop will have a 24/7 helpline, which you can call and reach out to in case you're ransomed by them to know what the follow-on steps are.
But the third element, and most important, is this reputation element. The worst thing that can happen to a ransomware group is that the first 10, 20 search results on Google say that this group is unreliable and doesn't pay. And so they have to think very carefully about how they develop this reputation to make sure that you are paying.
And one of the ways in which it is done is also engagement with the media and the broader public. How we write about these groups dramatically influences how they are perceived.
Justin Sherman: Just to, to add one more thing, I, I'm curious, 'cause you mentioned earlier triple extortion, right? And, and so not only, as you're saying, okay, we, we locked down your system, pay once to get it back, then you pay to get it back. Okay, well now we're not going to, you know, we're gonna leak the data, pay again. And then the third time it's a DDoS attack.
I'm just curious, do you think, is there something to be said about the more, I mean maybe there's a fourth extortion phase someone will come up with. I mean, do you think the further out or the, the more number of steps that these groups add in, does that diminish trust because a target feels like I keep paying and you're pulling the rug out from under me every time I pay? Or is it not undermining trust because, as you're saying, maybe they message it really well and it's actually very clear that no, they will stop DDoS-ing you. They're just gonna DDoS you and you have to shell out another, you know, two and a half million in Bitcoin kind of thing.
Max Smeets: That's a brilliant question, and already today, when we think about multiple forms of extortion, we've seen many more than the three that I just mentioned. And to mention one more, because that's a really important one, is we promise to not revictimize you. So after you've paid, we are not coming back in half a year and then you are gonna have to pay another ransom, which many victims are afraid of.
But that is not always the case. And one of the things we see, and this is important, it's important to distinguish between the group that is, that is doing the operations and the brand. And those, the organization and brand, are connected, but different.
You can have a group that operates under multiple brands, and one of the things that can happen is that you first conduct an operation under one brand. You get paid, you promise to not go after them. And then a year later you conduct the same operation against the same target under a different brand. Now you can imagine in those cases, Justin, if a threatened firm or other organization in particular will be able to disclose that and showcase that link, that can tarnish the reputation of these groups very clearly.
Jonathan Cedarbaum: Speaking of groups, Max, let me ask you a little bit more about Conti, which you mentioned earlier, which plays an important role in your book, in part because some of its internal documents were leaked. And so you had this wonderful source of information about Conti. Tell us a little bit about the history of that group, why it became so important, and what lessons you drew from those internal documents.
Max Smeets: Yeah, Conti is an absolutely fascinating group. As I mentioned previously, it was the largest group in 2021 and very briefly in 2022 as well, until the further invasion of Ukraine and an individual who had access to the backend of their Jabber and Rocket.Chat service leaked a lot of chat messages that led to and/or accelerated the implosion of this group. And indeed, I used these messages, internal messages between the group members, to really better understand how this group has operated.
The group itself has a longer history. It really depends on where you start, as these individuals didn't start with Conti, but already with previous ransomware brands. The one to which it is most closely linked is a group called Ryuk, which was there not just before, but it actually overlapped. And that in turn had links to another locker as well called Hermes. So there is a longer history there, but perhaps more interesting is really that question that you asked about, how do they operate and, and what lessons can we learn from this group?
And there are many. One of the most fascinating things is about their leader. He's called Stern, and that's the persona. And he is interesting because of his business mindset in a number of different ways. You would find conversations in these chats with him and other senior individuals about whether they should or should not set up two offices in St. Petersburg, where he argues that they shouldn't because he believes that employees can be remotely monitored and you don't need them in an office.
You will have him talking about setting up a liaison office to engage with the FSB. But you also have him talk and focus on business expansion. Which other markets do I need to enter or what other brands do I need to establish? So next to Conti, he established another brand, for example, called Diavol, where he sought to separate that for the reasons partially that I just mentioned. But also because he thought it would be more resilient to law enforcement.
And, and this is something that many forget, he thought industrywide, and I never would have expected to find that before. When we often think about the evolution of ransomware, we think of these individuals as operating in ransomware today, and they will do so tomorrow and a year from now and two years from now as well. But many of these individuals think industrywide across the criminal ecosystem and beyond that.
And this guy Stern, at some point he had around a hundred million U.S. dollars in just one Bitcoin wallet. He was thinking about a variety of projects. He established a social media platform, or was working on that. He was involved in cryptocurrency pump-and-dump schemes. He tried to revive the carding markets. So this is the credit card stealing markets. There was already now a website that is online, the Mac Duck group it's called.
So when we think about this evolution of these groups and these individuals, they are thinking more broadly, and perhaps a not perfect analogy, perhaps Elon Musk-like too, in the same way as when he, you know, after PayPal doesn't stay in that money service business, but starts to do various different projects. Some of those individuals in those groups do too.
Jonathan Cedarbaum: Fascinating. Yes. These are really, as I read your book and other studies, a kind of criminal Silicon Valley. They are entrepreneurs. They are adapters, they're looking for new opportunities, new startups, new ways to monetize developments and technology.
Max Smeets: And this is what is important to say, sorry Jonathan, we should, we shouldn't over-romanticize though what they are doing. And that also comes back from the chats, especially when we do not look at the leaders, but at some of those individual operators. And then you will find messages like, gosh, I've been, you know, going through this data and this has been a boring, dull exercise. Or, I can't get this thing to work, or I need to finish this off, but I need to pick up my kids from school. Or like, I can't travel, I wanna go on a holiday, what's going on?
You know, you see actually a real demoralizing experience that many of these people have that are working as part of Conti, and many of them do not get rich. So this is also a misconception where sort of every person that is part of these ransomware groups is earning a lot of money. That's not the case. Many might be on a typical sort of payroll system where they earn 800 to 1200 U.S. dollars a month for certain services. They might have been recruited off official job posting websites, initially not even being aware that they're part of a ransomware group.
So with the broader ecosystem, it's not necessarily the, the fancy lifestyle that some people imagine for the great, great majority of, most of, of those who are involved.
Jonathan Cedarbaum: No, great points. Of course, one might say the same thing about many tech workers.
But let me just ask you one more geopolitical follow-up, though. You mentioned Stern in his messages talking with his colleagues, should they have one office or two offices in St. Petersburg? My ears pricked up at St. Petersburg. How much of the ransomware industry is based in Russia, run from Russia?
Max Smeets: It's notable
to start with this conversation about those offices that it seems that we have
the full capture of those, that message conversation that Stern had with one of
his key people around him. And what they do not discuss is, how does this make
us more vulnerable to co-optation from the FSB or another Russian government
affiliated group. So that's a notable omission, make of it as you wish.
What we do know and what is explicit in the leaks is that Conti
had to occasionally do so-called pioneering activity. This is specific requests
coming from the FSB, not the GRU, and for this pioneering activity, they had to
hack into often hard targets. One of them was, for example, a journalist affiliated
with Bellingcat, the open-source investigative network, that was helping the
Navalny research team on an investigation.
And so Conti was asked to hack into them, but we've seen other
cases as well, including against relevant healthcare infrastructure, especially
in COVID times. And some of those individuals, part of the group will joke
about it. So there is this code that I have in my book. Or one individual says,
okay, well I'll do it whilst wearing a red tie.
So they know that they have to occasionally engage in that
behavior. It doesn't, however, mean that all of the activity that they're engaged
in is directed by the FSB or another government actor. And that makes
sense. Ideally for them, they want to keep them at arm's length. Ultimately,
they're making an enormous amount of money, at least the leadership, and they
want to continue to do that. So of course they will do those requests when
needed, but if they can, they don't want to sit in a specific office day
in, day out doing those requests, but just keep going with the things that earn
them this profit. So that's an interesting dimension.
Now, as Dmitri Alperovitch has said, we don't have a ransomware
problem, we have a Russia problem. And that's a very nice way of saying it. It
might of course be a bit too simplified, but it is certainly the case that the
great majority of ransomware groups do operate from Russia, Belarus, and
notably Ukraine, certainly pre-further invasion as well.
Conti was a group with a lot of Ukrainian individuals. Ukraine
has been, you know, when we look at the history of cyber crime, one that had
always played a prominent role, particularly in the carding industry, and
Russian-speaking individuals in particular have been closely involved in that.
And since the further invasion, that has slightly changed too. So we see an
ecosystem that is changing.
And what is also worth pointing out is that whilst we see the
links of Conti with the FSB, it doesn't mean that these links are mirrored
across other groups as well. Clearly we know that other groups have links with
particularly the FSB too, but the links might differ from group to group and
how they are established. So it seems increasingly that there is not one model
in which these ransomware groups are co-opted by the state, but multiple models
each with different flavors depending on the relationship between senior
leadership of the ransomware group and the FSB.
And lastly here, I am not aware of any public disclosure of
these ransomware groups being linked to the GRU. Whilst we know the GRU has
used ransomware to conduct some of their own operations, I do not know yet of
strong links between any ransomware group and the GRU. It's primarily with the
FSB.
Justin Sherman: And
the GRU being, of course, the Russian military intelligence agency. I wanna say
thank you for mentioning this, because this always drives me nuts in the
headlines. As you know, I do a lot of Russia work as well, and as
Jonathan and you are saying, to see either every Russian ransomware operation
referred to as having nothing to do with the state, which, as you're saying, is not
necessarily true in terms of the contours of the system.
But also the other way is you're noting where every operation
is seen as some secret espionage plot. You know, where a Russian guy in a
uniform is standing behind the criminal hacker and sort of, you know, tasering
him until he gets into the target, which of course is not true either.
I'm just curious, because you're alluding to other
countries and a lot of this is based in Russia. Maybe if this is making you
speculate, feel free to pass on the question, but are there reasons why
the North Koreans, for example, have not seen this as an attractive means of
pulling in money to fund the WMD program? Are there structural or
other reasons? I mean, I'm thinking of your other book too, why China would not
have a larger ransomware ecosystem compared to what's going on in Russia.
Max Smeets: Yeah. So.
It's primarily a Russia problem, but I may have oversimplified it. So we do see
some ransomware activity in other countries, and I actually have published a
report together with several colleagues for Virtual Routes, “Ransomware's New Masters,”
where it focuses on not just Russia, but then also China, Iran, and North
Korea, and then actually particularly state use of ransomware for different
reasons.
And the North Koreans, as you mentioned, then they stand out.
So clearly when we think about North Korea, especially across those four, it is
a state actor group that does do financially motivated attacks. And we are well
aware that they've often focused on cryptocurrency theft, and that's where they
are making a lot more money. In some ways it is as surprising that they are not
moving more into ransomware as it is that the Russian criminals are not moving more
into cryptocurrency theft, by the way.
But secondly, we have seen them engaging in some relevant
ransomware activity, and this has been fascinating. In their early activity, they were
often able to get access, encrypt data, but not get the trust of victims to pay
them. That is the element that they couldn't overcome.
And how did they try and overcome this? It's by co-opting
criminal brands, or better to say, pretending to be criminal brands. So in
2019, a very prominent group that emerged was REvil, and North Korean hacking
groups, state groups, would pretend to be REvil. So they would write a ransom note
that would say, you are, you know, hacked by REvil. Please pay to this
Bitcoin address. So they were using the brand, in the hope that they would get
paid in that way.
One thing that we do see a lot more of today, though, and a trend
by North Korean state actors, is to insert themselves into the mature Russian
criminal ecosystem. So what the North Koreans are doing is they have now become
initial access brokers for Russian criminals. So they are doing the access and
then they're selling that off to Russian criminals, who are then doing the
follow-on steps, encrypting the data and doing the negotiations, et cetera, et
cetera. And that's the part that they are very familiar with, because that's
what they do against lots of other targets too.
So you see now a much more complex ecosystem where many of
these actors across the globe are only inserting themselves in parts of the
process.
Jonathan Cedarbaum:
Wow, that North Korean example is a really fascinating instance of division of
labor in this industry, as it were. Are there other trends as you look ahead
the next three to five years that you see developing in this ransomware
ecosystem?
Max Smeets: There are
a couple of notable trends that we are partially worried about. We'll have to
see how they develop. One of them is the way in which ransomware groups are
currently both targeting as well as analyzing data, so targeting
victims, and then analyzing data.
So of course we have seen the rise of LLMs. Of course, this has
led to slightly better phishing emails that are written by these groups. But
secondly, what that has allowed them to do is starting to better understand
potentially the data that they're obtaining from their victims. And the
question is whether the trend continues that way, and as a result of them,
by better understanding the actual victim data that they have obtained,
being also better able to extort the victims that they are negotiating with. So
that's one trend on the sort of modus operandi side.
On the organizational structure side, we see a couple of
notable trends too. One of them is actually the greater fragmentation of this
space. When I looked at Conti, it had almost a monopoly on ransomware. Much of
the activity, some would say 70, others 80, and some would even say 85 or 90%
of all the ransomware activity, was either done by Conti or with affiliated
brands. Today we see a much more fragmented ecosystem.
In part, this is the result of actually law enforcement having
come in, going after big brands, big groups, and as they go after that brand, it
sort of disperses into smaller groups. And this is something that we still see
today, a more fragmented ecosystem. And I don't see this going back anytime
soon. So that's the second element.
When we look at the branding and reputation side, we see a
variety of different experiments going on right now. One is, I think, worthy of
elaborating on. One of the experiments we see of ransomware groups is they've
developed these platforms for affiliates to use to conduct their ransomware
operations from. And these platforms, you know, help you in a number of
different ways. They help you not only encrypt the data, but also create a
unique decryptor and automatically generate often a Bitcoin address, offer you a
nice negotiation portal, et cetera, et cetera.
So they build this infrastructure for you in an easy way to
conduct these operations. In the past, when one brand would develop this
infrastructure, they would say, you can only use our specific locker, or sort of
ransomware, to conduct your operations. What has been changing is what some
would call a cartel-like structure.
We still provide the platform, but instead of "bring
your own booze," you can bring your own ransomware and you can, you know, plug
that in and then use our platform nevertheless. We still take a small fee for
that. But that leads to even more sort of fragmentation of the ecosystem that
we didn't previously see, making attribution even harder when it comes to the
kind of individuals that are behind it.
So these are sort of three developments across the MOB
framework on modus operandi, organizational structure and branding.
Jonathan Cedarbaum:
Many studies, including yours, seem to suggest that ransomware remains a major
problem, one that governments have not had much success combating. Do you have
recommendations, either for governments or private targets, about how we can work
together to reduce the impact of ransomware groups?
Max Smeets: When I
started the book project and when I was halfway in, I thought I was gonna write
a really easy final chapter. I thought I was gonna write about this framework
and then I was gonna do this really detailed empirical case study and show
everyone how these groups really operate.
And then I was gonna write this conclusion and say, we have not
seen any ransomware countermeasures to date, and we need to do a lot more. And
I thought I was gonna end there, and then I realized that will be highly
unfair. Because actually we have seen a number of really interesting and
important initiatives from different government organizations.
So as a result of that, I actually developed a tracker. It's
now published on the Virtual Routes website. It's called the Counter-Ransomware
Measures Tracker, where I track all the different countermeasures that
governments have taken against ransomware, whether this is sanctioning
individuals, or whether this is going after command and control infrastructure,
whether this is providing alerts, et cetera.
When you combine that, you see some notable trends. First of
all, you see a very large increase in government countermeasures from 2021.
Whilst of course, the majority of those ransomware efforts come from a really
select number of governments, of which the U.S. is the most prominent, I
believe, over 55 or 60% of the cases.
What is also notable is around 60% of the arrests are
affiliates who travel or cash out. So core coders still remain really hard to
reach, and, you know, it's also reflected in lighter sentences depending on where
they are. But when we look at all of those efforts, most of these efforts
target either the M of the MOB framework, the modus operandi.
Let's say we go after their command and control infrastructure
or how they cash out. Or they go after their organizational structure, let's
sanction those individuals, et cetera. But very rarely do they go after the B
elements and really seek to undermine the trust that these groups have. And
that is, of course, as I discussed in the ransomware trust paradox, a crucial
element. And there a lot more can be done.
One notable exception is Operation Cronos. This was the
operation conducted by the NCA and partners disrupting LockBit. And in this
operation in February 2024, they didn't just focus on going after a couple of
wallets and sanctioning individuals, et cetera, but they were also very keen to
spread the message to journalists and others, including me, to make sure that we
would tell the public, hey, LockBit doesn't delete your data even after you've
paid. Hey, LockBit doesn't suspend certain affiliates from their platform after
they have broken some rules that go against their sort of official code of ethics.
All of those things spread that message to reduce the trust that people would
have in the LockBit brand.
So I believe there is an opportunity here for more of that type
of engagement from government, but there is also an opportunity here for the
broader public, because ultimately that development of branding and reputation
comes from our writing. And it really means that we have to think much more
carefully about how we engage with these groups, and to draw an important
comparison.
When we think about often state activity, what we see there is
that these groups, especially intelligence agencies, they don't want to be
publicly attributed. They want to shy away from public attention. When it comes
to criminal groups, that's very different. Ransomware groups, they actually,
after they've done their operation, they wanna have all the attention that
helps them in their reputation building.
They want you to write this article in a media outlet about
them, especially how fierce and sophisticated they are and how almost Silicon
Valley-like they are, et cetera, et cetera. That is to their advantage. They
sometimes publish press releases themselves or correct the press. They
occasionally are very happy to do interviews. All of those things are
important.
So another element really here that I've been pushing for is
this need for us to think about how we write about these groups and perhaps
even this type of, sort of code of ethics. It doesn't mean that we shouldn't
write about them at all. But in the same way as we think about writing on
terrorism or disinformation, we are very well aware that we can play into the
hands of terrorists if we write in certain ways about the fear mongering acts
that they are seeking to do or disinformation when we publish this in the
mainstream media, same way, we have to think about ransomware.
Jonathan Cedarbaum:
Very interesting. Presumably one of the central goals of what you're proposing,
that is, undermining their brands, undermining trust in their reliability, is to
encourage victims not to pay. Of course, some governments have proposed a more
direct route to that result, which is banning ransomware payments altogether
and imposing some kinds of penalties on organizations that make ransomware
payments. What's your view of those government prohibitions on ransomware
payments?
Max Smeets: Yeah. And
we see different flavors and variations of that proposal. Some proposals I am
more favorable to than others. Let me start with some of them that I'm less
favorable to and we see frequently coming up.
One of them is to propose a ransomware ban, but also with some
type of license or exception. So this is then for certain entities where they
can apply for this exception and still pay, especially if, for instance, lives
are at risk. I'm against this because it creates an exact new target set of the
most vulnerable. If that is the case, and if you have those licenses in place,
who, as a ransomware group, would you then go after? Well, exactly those ones
that are most vulnerable, so that I'm not very positive about.
Second, I am positive about the potential creation of a ban,
but we have to be realistic about what it does, especially if individual countries
do that. When individual countries mention this, they suggest that this allows
for no more ransomware and these groups to just go away. Well, the reality is,
what we're actually suggesting is, if I, as Country X, enact such a ban, I
simply hope that these individuals or criminals are discouraged from going
after entities in my country and go to another country instead. So move them
away from us, towards others.
And as long as we're a bit more honest and open about that,
that we might not be really addressing, in that sense, the core problem, because
I'm unrealistic that all of the countries will have such a ban in place, but
that we are trying to dissuade them from going after targets in our country and
instead going after the targets in other countries, then I'm more open to it.
Justin Sherman: Not
outrunning the bear all of us, right? But outrunning, you know, the slowest
runner kind of, kind of thing. Once again, for listeners, your book is titled “Ransom
War: How Cybercrime Became a Threat to National Security.” Max, is there
anything else you'd like to add that we did not touch on?
Max Smeets: Well,
first of all, thanks for having me on the podcast. Thanks again. I really
appreciate it. There are a lot of other topics that I feel are worthy of
engaging with and maybe I want to mention one here to close.
And that's the link between the intel services and the law
enforcement agencies. As we've discussed now, cyber criminal groups have a wide
range of different links to the state, particularly those Russian-based groups.
And secondly, I have argued that they are a threat to national security, which
means that we see two entities, of course, being interested in tracking them,
both law enforcement, police, and the intel services. These entities have
overlapping but also distinct missions.
You can imagine that law enforcement is interested in arresting
individuals, sometimes disrupting. You can imagine that intel services are a
bit more interested in really tracing how these groups operate and
understanding their links. When we think about ransomware operations, it's
important to find out and think about how we want to set up perhaps new
institutional structures to allow for more cooperation between law enforcement
and intel.
It's one that I have not really seen
discussed in public, and it deserves more attention. In the same way as
we had discussions about the equity process between the military and the intel
services and the need to have, let's say in the U.S., a dual-hatted role, or
whether you need more specific operational units to collaborate and to
de-conflict. I'll leave it there. Thanks again for having me.
Justin Sherman:
That's all the time we have. Thanks for listening.
The Lawfare Podcast is produced in cooperation with the
Brookings Institution. You can get ad-free versions of this and other Lawfare
podcasts by becoming a Lawfare Material Supporter through our website,
lawfaremedia.org/support. You will also get access to special events and other
content available only to our supporters.
Please rate and review us wherever you get your podcasts. Look
out for our other podcasts, including Rational Security, Allies,
The Aftermath and Escalation, our latest Lawfare Presents podcast
series about the war in Ukraine. Check out our written work at lawfaremedia.org.
The podcast is edited by Jen Patja and our audio engineer this episode was Goat
Rodeo. Our theme song is from Alibi Music. As always, thank you for listening.