Lawfare Daily: The Shadowy World of Ransomware with Professor Anja Shortland
Lawfare Book Review Editor Jonathan Cedarbaum sits down with Anja Shortland, professor of political economy at King's College London, to discuss her new book, "Dark Screens: Hackers and Heroes in the Shadowy World of Ransomware." The book offers a history of the development of ransomware into perhaps the most important form of cyber crime, costing the global economy $75 billion a year. In the book, Shortland depicts the evolving strategies of ransomware organizations and the efforts by governments and corporations to defend themselves from this often crippling type of cyber attack.
Shortland and Cedarbaum talk about the emergence of organized criminal groups specializing in digital extortion over the past 15 years, some of their most spectacular hacks, how target organizations have worked to make themselves more resilient to ransomware attacks, and how governments have sought to disrupt ransomware groups.
To receive ad-free podcasts, become a Lawfare Material Supporter at www.patreon.com/lawfare. You can also support Lawfare by making a one-time donation at https://givebutter.com/
Please note that the transcript was auto-generated and may contain errors.
Transcript
[Intro]
Anja Shortland: The
second generation of ransomware, human operated, so not the sort of commodity
automated ransomware, but human operated, where people take charge of
targeting, of setting a ransom, maybe investigating how much the victim is
worth, how much they might be able to pay. They might have investigated their
profit and loss accounts as they're in the servers anyway. They might even have
found an insurance certificate.
Jonathan G. Cedarbaum:
It's the Lawfare Podcast. I'm Jonathan Cedarbaum, book review editor at Lawfare
with Professor Anja Shortland, who is a professor of political economy at
King's College London.
Anja Shortland: Saying,
oh, well, let's just take the profit motive out of it. That never worked
because in the end, if their lives are at risk or livelihoods are at risk and
a company's hemorrhaging money, the commitment to saying it will never pay
ransoms is just not credible.
Jonathan G. Cedarbaum:
Today, we're talking about her book, “Dark Screens: Hackers and Heroes in the
Shadowy World of Ransomware.”
[Main Podcast]
Let's start off by asking you to tell our audience a little bit
about your professional background and how you came to write “Dark Screens.”
Anja Shortland: My
special subject at Kings is economics of crime, and I'm fascinated by the
governance of criminal markets.
It all started in 2010 when my 4-year-old son and I got super
interested in piracy off the coast of Somalia, and I started asking some really
difficult questions about how you make prices in this world. Where does the
trust come from when you have a legal entity having to make a deal with a
criminal group?
How do you create a transaction between somebody who's just
been victimized, whose salvation is going to come from the criminals? So I've
got a whole body of work around extorted crime and its governance, starting
with piracy and kidnapping. Then with art crime and art napping and art
recovery and ransomware.
Ransomware is the third part of my unholy trinity of extorted crime, and I'm
asking the same sort of question: who governs that gray space between ransomware
groups and the businesses and individuals and governments that they victimize?
Who makes a transaction work as well as it does? Why is this a business
model? Why do we see brands, branded crime, in this space?
It was just, the more you look, the more interesting it gets,
and it's a really complex problem. So in the end, the only way to tackle it was
in book format. And also the book is really trying to bring out the people
aspect of computing and engage the ordinary computer user, which means anyone
who has a phone, with their own cybersecurity.
Jonathan G. Cedarbaum:
Very good. How big a problem is ransomware today?
Anja Shortland: Well,
it sits in a much bigger group of cyber crimes. But in 2025 estimates are
around $75 billion of costs to the global economy from ransomware, though
interestingly only about $900 million of that ended up in the hands of the
criminals.
So there's a lot of damage that does nobody any good. It's
almost like, yeah, wrecking a car to steal a pair of sunglasses.
Jonathan G. Cedarbaum:
Where does the rest of that money go?
Anja Shortland: It's
business interruption. It's possibly regulatory fines. It's litigation around
third party liabilities. Data breaches, confidential data being stolen,
possibly revealed, and all the remedial action around that.
Jonathan G. Cedarbaum:
Very good. Now, the early chapters of your book offer a very engaging
prehistory of ransomware through as you say, very human stories about some of
the quite dramatic individuals involved.
You explained that as early as the 1980s and 1990s, hackers of
various kinds, some that we might consider white hat hackers, some with darker
shaded hats, had developed many of the techniques needed to infiltrate and
encrypt computer systems and demand payment from the owners of those systems
to free them from the shutdown. But you note that there were three key
technical obstacles that hackers had to overcome in order to make ransomware,
these basic techniques, a truly effective method of extortion.
Could you tell us a little bit about those crucial technical successes
that enabled hackers to turn ransomware into a major form of extortion?
Anja Shortland: Yes,
of course. So the first one was, if you wanted to scale up ransomware, you
needed to find a way of encrypting systems in a unique way so that every victim
has to have a unique decryption key, otherwise victims can share.
So they needed asymmetric encryption, which means a virus that
gently mutates every time it finds a new victim. And obviously some really good
housekeeping behind the scenes to make sure you can match up each victim with a
unique encryption key. So that was a big technical challenge.
The second challenge that hackers had was how they were going
to communicate with their victims without being caught. If they had just done
that from their normal phone lines, then of course it would've been super easy to
track them down. And it was actually the U.S. secret services that gave them the
protocol, the onion router, the Tor protocol, that allowed them to disguise their
identities and have these pseudonymous conversations within the dark net, which
helps them to get together as firms, as groups, but also communicate with their
victims.
All of that was in place quite early and the really big missing
piece of the puzzle was how to take payments safely from a criminal's point of
view. And it was only the gift of cryptocurrencies that made it possible for
them to take payment at scale and cash out pseudonymously without ever
revealing their real world identities.
And yeah, it was 2013 that all of these things came together.
So quite a long gestation period from the first ransomware attempt in 1989.
Jonathan G. Cedarbaum:
Very good. And you, as you track the history of the development of ransomware,
you identify what you call ransomware as a service emerging in that period
around 2013 or the 2010s as an important step forward as it were in the
development of this kind of criminal industry.
What is ransomware as a service and why was its emergence so
significant?
Anja Shortland:
Ransomware relies on very clever coders creating malware that can penetrate
computer systems, that encrypts and reliably decrypts people's networks and
individual computers. Once you've got that kind of technology, there probably
isn't time for you to make money from each individual victim because you can
have thousands, you can have hundreds of thousands of victims.
So what ransomware as a service does is that it leases that
weapons-grade malware to other people whose coding skills are not that great,
but who might be able to scam or blag their way into a network.
So, you outsource effectively the time-consuming part of the
operation to others. And you have affiliates, loose affiliates, who do the
breaking and entering part, and then the malware takes care of the extortion
and ransoming part on their behalf. And it really drove the massive expansion
of ransomware as a threat to the global economy.
Jonathan G. Cedarbaum:
And the malware distributors get a cut from each of those affiliates, as it
were?
Anja Shortland:
That's right. So the affiliates are taking more risks. They're more traceable.
So they actually take quite a significant cut: initially 70% to 80%, now
90%. So yes, it can be very lucrative for the affiliates.
The coders take the smaller part, but of course they also have
the option that when somebody comes in with a huge ransom, that they just
disappear and take the entire ransom. So there is no honor among thieves on
this one.
Jonathan G. Cedarbaum:
In that same period, you also describe what you call ransomware settlement as a
service.
And it seems to be a development that I had the impression you
were not happy about, or that you're concerned about some of the unfortunate
consequences of the development of what you call ransomware settlement as a
service. What do you mean by that term? And what were some of its consequences
that you were concerned about?
Anja Shortland: Yes,
indeed. It's something that's ambiguous. So for people who've been subject to a
ransomware attack, the chances of them being really stumped by it and facing a
really long business downtime and not knowing how to resolve it are of course
great. So people started to outsource their recovery, which is a good idea
because people do get it really wrong, and as far as insurance companies were
concerned, putting the recovery in the hands of experts was a super idea.
On the other hand, from a collective point of view, throwing
money at the problem and making it easier to recover, less troublesome to
source the Bitcoin, speeding up the transaction with the criminals, also made it
easier for the criminals to increase their activities, because rather than
holding somebody's hand as they're carefully rebuilding their system after an
attack, they could use that time to run further attacks. So yes, it's a two-sided
sword here, so it's good. And it's—
It's problematic too, also because there were some, what are
called ransomware payment mills, who don't really add much value, but they give
people the idea that they might be able to get out of their predicament without
paying the hackers, by paying the ransomware payment mill a multiple of the
ransom that the hackers demand.
And then behind their backs, of course, the ransomware payment
mills just go back to the hackers. So nothing has been gained except for the
ransomware payment mills. So yeah, quite a lot of shady businesses in that
space preying on people's predicament as a result of ransomware attacks
as well. In that case, yes, I am lamenting.
Jonathan G. Cedarbaum:
Who were the folks behind those ransomware payment mills? Were they actually in
league all along with the ransomware hackers or—
Anja Shortland:
They're legal companies offering a legal service. They exist because, as long as the
organization that's taking the ransom is not a proscribed organization, there's
nothing technically or legally wrong with making that payment. But sometimes a
victimized company doesn't want to be involved in a direct transaction with a
criminal company.
And yeah, there is just some jiggery pokery in that space where
they say, oh, you can pay us so you don't need to pay them. And then they're
just very opaque about their methods. But people who have investigated them
realize that they are just going back to the criminals.
Jonathan G. Cedarbaum:
I like that technical term, jiggery pokery. That term may be unfamiliar to some of
the—
Anja Shortland: Very English.
Jonathan G. Cedarbaum:
Yes, from outside the U.K. So let's continue with the history, the development
of the ransomware industry.
You described several generations of ransomware: first
generation, second generation, third generation. What distinguished second
generation ransomware from first generation?
Anja Shortland: So
the first-generation ransomware was large scale, pretty automatic and taking
very low ransoms. The second generation of ransomware, human operated, so not
the sort of commodity automated ransomware, but human operated, where people
take charge of targeting, of setting a ransom, maybe investigating how much the
victim is worth, how much they might be able to pay. They might have
investigated their profit and loss accounts as they're in the servers anyway.
They might even have found an insurance certificate so they can set the ransom,
and they might have to negotiate it.
They might have a chat function where they could do a little
bit of handholding on the recovery. So it's much more involved, but it
was in response to a lot of businesses getting wise to cybercrime in
general, and the ransomware threat in particular.
So as the success rate of attacks was dropping, they made up for it
with ever-rising ransoms from the second generation type of ransomware.
Jonathan G. Cedarbaum:
Got it. You also help readers understand the ransomware industry by taking a
deep look at several of the most prominent ransomware organizations and some of
their most, I would say, spectacular operations.
Let's turn and spend a few minutes on a few of those major
ransomware organizations. First, one with perhaps my favorite name for a
ransomware organization, REvil—that is, capital 'R' smooshed together with the
word 'evil.' You profile the REvil group and you describe one of their most
well-known attacks, on a company called Kaseya.
Can you just remind our audience or tell our audience what
that hack did, and what did it reveal about the methods of sophisticated ransomware
organizations and how best to respond to them?
Anja Shortland: Yeah,
so this was a really clever attack, targeted at what's sometimes called the
soft underbelly of computer security.
So it was a managed service provider that they targeted here.
So where companies outsource their computer security to someone else and have a
really deep connection, frictionless communication between that managed service
provider and their own computers. So if you can somehow get inside one of those
companies, then everyone will take updates or malware from that provider
without any questions.
So by breaking into Kaseya's servers, they had up to a million
end users potentially in their hands. So this could have been one of the most
spectacular ransomware attacks in history. In the end, it wasn't quite that
spectacular. So it is a bad news story, but also a good news story,
because Kaseya found out pretty quickly that they had been breached. They
shut down the servers.
In the end, only one server was compromised and about 1,500
companies were affected, which of course is a lot of victims all in a
tight place at one point. What was really lovely about the aftermath of that
attack was that the companies that had used the Kaseya software all rallied
around the ones that had been affected and really helped with the rebuild.
So it was not as catastrophic as it could have been. And also
it was not nearly as lucrative as it should have been. And the REvil leadership
really got into trouble on the dark net forums because people said, well, you
did this amazing thing and are you hiding the profits from this? Did you really
only get that small amount of money for it?
So it was also something that sowed distrust and contributed to
the demise of that particular ransomware.
Jonathan G. Cedarbaum:
So it sounds as though one of the morals of that story, though, from the
potential victim side, is that speed of detection and response—
Anja Shortland:
Absolutely. Absolutely.
Jonathan G. Cedarbaum:
—was crucial. Like Kaseya's ability, as you said, to shut down many of its
servers quickly.
Anja Shortland:
That's right. I mean, that's been the lesson of quite a few of the recent
attacks, that those who just sort of bury their head in the sand and hope it's
not a ransomware attack, like Marks and Spencer, end up with a much bigger
rebuild and a much larger problem than companies like the Co-op, who said,
okay, this is happening. Let's just shut it down. Let's investigate. Yes.
Even if it's not a ransomware attack, we'd rather be safe than
super sorry.
Jonathan G. Cedarbaum:
Okay, let's look at another of the groups you profile, that is the Conti group, and
you feature an attack of theirs that also got a lot of attention, that is their
attack on the government of Costa Rica.
Notably its Ministry of Finance. How was Conti organized and
what do its operations show us about the nature of ransomware threats?
Anja Shortland: Conti
was an absolute gift to us as researchers of the ransomware space. It was a
pan-European, Central and Eastern European crime group. They spectacularly
collapsed in the aftermath of the Russian invasion of Ukraine when part of the
group put up some message boards saying, oh, we are fully in support of
President Putin and the special military operation. And some of the Eastern
European and in particular Ukrainian affiliates and associates and members of the
group said, no, we are really not happy about this.
So we got a whole cache of leaked documents and communications
going over months. So we know a lot about this particular group, and it was
organized like a proper firm. They had about 60 to 100 employees,
fluctuating over time. They were organized in six different departments. There
were coders, there were pen testers, there were reverse engineers. There are
the specialist hackers. There are those that maintained an attack
infrastructure, but perhaps most interesting, I found the human resources department,
because it really shows the problems of trust within such an organization when
you only know people by their pseudonyms.
You don't know whether they're sitting in Ukraine. You don't
know whether they're police or whether they are committed or not committed. Max
Smeets has a book that has a lot more detail on Conti than my book has,
and he has a chapter on it, but he ends up concluding that it
sounds like a really badly run internet startup.
And I thought, yes, but that's exactly what it is, because it's
sitting in countries, specifically Russia, where the government tolerates, if
not smiles on, that kind of activity. They don't have to hide. They can even
have an office. They can have a physical presence. It really shows a lot
about the geopolitics of ransomware, and the attack on Costa Rica was, yeah,
just a really terrible way of dealing with the fundamental rupture of the Conti
group, where they said, okay, well, we've gotta reconfigure, let's create a big
distraction somewhere. Let's push this poor country to the brink of ruin, let
people starve. Everyone will be looking at Costa Rica while we quietly
reconfigure our operations to make them more Russian.
Jonathan G. Cedarbaum:
Very good. I want to echo your recommendation of Max Smeets's book, "Ransom War."
Max, as some of our listeners may know, is a brilliant scholar of
cybersecurity, and he was just a few months ago a guest on the Lawfare Podcast.
We actually had him on, just as we're having you on, Professor Shortland, to
discuss his book. So listeners who are interested in your book may be
interested in his as well.
Let's talk a little bit about just one more of these
sophisticated ransomware organizations that you analyze and that is the LockBit
organization. And you not only describe the organization, but the efforts of
law enforcement to take them down.
What are some of the morals of the rise and fall of LockBit?
Anja Shortland: Well,
LockBit was centered on a rather nasty but perhaps not uncharismatic character
who ran his operation fairly loosely, or was somewhat lax in his attitude to their
own cybersecurity. And while they were super profitable and really egregious in
their attacks, he also managed to let law enforcement into their
communication channels, and the National Crime Agency of the U.K., joined by a
lot of other law enforcement agencies, spent many happy weeks going around the
servers and finding out absolutely everything about the LockBit machine, and
then decided to implode it spectacularly by hijacking the site and really
revealing a lot of the internal workings of that group—
With the intention, and successfully, to undermine the trust that
victims have in the promises of these ransomware gangs. So there has been a
change from the second generation to the third-generation ransomware, where data
exfiltration is at the heart of the extortion. So you're relying on the
honor of thieves again, who say, well, we've exfiltrated your data, but if you
pay us a ransom, we won't reveal it. In fact, we will delete it.
It turned out they hadn't. So that trust was destroyed
by this law enforcement operation. But they also really targeted the
affiliates. They revealed the identity of the leader of the LockBit
group. Hopefully and apparently LockBit imploded and has not come back,
even though the leader was very determined to do so. But yeah,
it's changed the ransomware landscape, which has become much more fractured as a
result of the operation. One of the NCA leaders of the law enforcement action
there calls it Franken-ware. And I think you get the point.
Jonathan G. Cedarbaum:
Well, speaking of that landscape, putting aside North Korea's very capable
state-sponsored hacking groups, which you also devote a chapter to, are there
any significant ransomware organizations that are based outside of Russia and
Eastern Europe, particularly Russian-controlled portions of Ukraine?
It seems as though this industry really is geographically
concentrated.
Anja Shortland: Well,
there's lots more cybercrime. So,
Jonathan G. Cedarbaum:
Yes, of course there are cybercrime groups of different kinds and in
other places, but just focusing on ransomware, is that a real
specialty of Russia and its—I was gonna say satellites, I'll say neighbors.
Sympathetic neighbors.
Anja Shortland: It's
because it does need a great degree of technical sophistication, which the
Russians and the North Koreans have. But it also requires that focus,
that profit motivation and that real hostility that says, well, we don't
care if people die in medical facilities, we don't mind switching intensive
care unit equipment off. That requires something that not many
countries have; that antagonism doesn't exist in that many countries.
China, of course, has great technical capabilities, but they're
using it for espionage. They don't need to earn money through that kind of
insidious threat. There are some groups sponsored out of Iran. But of course,
Iran doesn't have an internet at the moment at all. But if you are a hacktivist
who's looking to cause destruction, then you can rely on Iranian sponsored
groups to provide you with ransomware malware.
So that exists, and the Handala group in particular,
but it's not as big and it's not as well organized, and it's not on that
sort of industrial scale.
Jonathan G. Cedarbaum:
Very good. We've been talking a lot about the ransomware industry. Let's flip
over and talk a little bit about responses to ransomware, efforts to reduce the
threat of ransomware.
You discussed several of those approaches. One of them you talk
about was an effort actually organized through the private sector in the U.S.,
though drawing on people from many parts of society, and that is the ransomware
task force that put out an extensive report with many recommendations about how
to defend against ransomware and reduce the burden of ransomware.
Can you tell us a little bit about that task force and
what some of its key recommendations were?
Anja Shortland: Yes,
of course. So it started in 2020, when the private sector was absolutely aware of
the problem of ransomware and it was so difficult to get the government,
particularly the U.S. government, interested in tackling what is a wicked
problem.
It's super complex and in fact, they couldn't really get any
politician to run with an agenda. So what they thought is, let's get everyone
together, everyone who's active in this space, everyone gets a voice,
let's discuss what we can do, and when the Biden administration comes in, let's
give them a cheat sheet of what they could do.
So it was a real effort to put the computer security and law
enforcement and think tanks and policy makers in the room and really discuss
what to do about preparation, about resilience, about computer safety, about
policy, about regulation. They managed to come up with a list of 48
recommendations and they said, you can't really pick and choose. You've
gotta do all of this and it's gonna be so much better.
And it was such a hard sell, except a week later there was the
attack on Colonial Pipeline, which finally focused political attention on the
threat of ransomware. And there was some diplomatic activity, with President
Biden having a direct conversation with President Putin saying critical
national infrastructure is off limits, and civilized nations don't harbor
criminals who do that sort of thing.
So we've been relying on that rather fragile consensus ever
since. But yeah, unfortunately the community could not come up with one big
policy idea that would solve the problem. The idea of a ransom ban,
saying, oh, well, let's just take the profit motive out of it,
that never worked, because in the end, if their lives are at
risk or livelihoods are at risk and a company's hemorrhaging money, the commitment
to saying it will never pay ransoms is just not credible.
Jonathan G. Cedarbaum:
If you look back at that list of the 48 recommendations from the ransomware
task force, were there any on that list that proved influential in practice?
Anja Shortland: Yes,
of course. And there are lots of things that we could do as individuals,
and that we still can do more of. But really basic cyber hygiene recommendations
of multi-factor authentication, having sensible passwords, not recycling those
passwords, patching the computer when the update comes up. All of that is so
important.
And of course, the vigilance against all these social
engineering attacks. I think a lot of companies have learned many lessons over
the last years. But this is a co-evolution of crime and security. We've also
learnt a great deal about resilience. So one thing is not getting breached, but
the other thing as well—
How likely is it that you can say, well, thanks but no thanks.
I don't need a decryption key. I've got my offline backup. Here's my
memory stick. I'm good. It's about what you put online in the first place, what
data you hold, what confidential data you collect. So I think we've become a
lot wiser in terms of that.
In terms of really resourcing law enforcement, well, I think
more could be done. I think we have to have a really grown-up debate
about how ready we want to be for this threat. But also what our plan B
is when the lights go out for some part of the country or there's no
drinking water, because somebody's decided that they're gonna target that part
of our national infrastructure. We still have to have that conversation,
unfortunately.
Jonathan G. Cedarbaum:
Anja Shortland, thank you so much for joining us on the Lawfare Podcast.
Professor Shortland's book, “Hackers and Heroes in the Shadowy World of
Ransomware” will be on bookstore shelves, at least in the United States, on
April 28th. You can learn more by getting yourself a copy.
[Outro]
The Lawfare Podcast is produced by the Lawfare Institute.
If you wanna support the show and listen ad-free, you can become a Lawfare Material
Supporter at lawfaremedia.org/support. Supporters also get access to special
events and other bonus content we don't share anywhere else. If you enjoy the
podcast, please rate and review us wherever you listen. It really does help.
And be sure to check out our other shows, including Rational
Security, Allies, The Aftermath, and Escalation, our
latest Lawfare Presents podcast series about the war in Ukraine. You can
also find all of our written work at lawfaremedia.org.
The podcast is edited by Jen Patja with audio engineering by
Cara Shillenn of Goat Rodeo. Our theme song is from ALIBI Music.
And as always, thank you for listening.
