Krebs on Ransomware

The Krebses—Chris and Brian—are not related, but they have both come out with positions on ransomware. Chris was the former head of DHS’s CISA (Cybersecurity & Infrastructure Security Agency), and Brian is a journalist and much-admired author (by me and many others) of the outstanding blog KrebsonSecurity.

I described Chris Krebs’s position on addressing ransomware in my April 12, 2021 BlogInfoSec column, “Will Ransomware Cause the End of the Internet as We Know It,” as follows:

“[Chris] Krebs recommends controls over cryptocurrency exchanges and persuasion of countries harboring ransomware attackers to take action against them.”

Brian Krebs discussed the recent report “Combating Ransomware,” which was prepared by the Institute for Security + Technology, in his April 29, 2021 column “Task Force Seeks to Disrupt Ransomware Payments.” The 81-page RTF (Ransomware Task Force) report, available via Institute for Security and Technology (IST) » RTF Report: Combatting Ransomware is well worth reading, but don’t expect to see any new workable solutions.

There was an interesting back-and-forth in the comments section. One commenter hit the nail on the head as far as I am concerned. They stated that the appropriate approach is to build up defenses rather than trying to deter attackers.  Ransomware is too lucrative and too easy for attackers to be effectively deterred. And victims’ systems have too many vulnerabilities to be able to defend effectively.

So, where does that leave us? There are really only a couple of effective approaches, both of which would incur considerable costs. One is to take out the perpetrators, virtually or physically—remember that this is a national security issue and we are at war, cyber style. The other is Chris Krebs’ suggestion: to control cryptocurrencies and remove their anonymity. As I have written many times, anonymity has become a scourge. There are a few instances where it makes sense, but anonymous “currencies,” including crypto and cash, enable so much crime as to be clear and present dangers to the world economy.

The RTF reports suggestions are all well and good. I have made them myself many times. International cooperation and laws and regulations are key but not likely to happen any time soon, especially with perpetrators representing some of the largest economic powers.

Another issue is that insurance companies are continuing to pay the ransoms for those with cyber insurance so that there is little incentive not to pay, which, of course, only encourages other ransom seekers. A worthwhile article for you to read is Josephine Wolff’s June 12, 2021 article in Wired, “As Ransomware Demands Boom, Insurance Companies Keep Paying Out,” available at As Ransomware Demands Boom, Insurance Companies Keep Paying Out | WIRED The article states that “major carriers like AXA have backed away from paying ransoms.” However, that reticence is not universal, so that many victim organizations do not feel enough financial pain to spend time and money defending themselves.

Another good read on the topic is Matt Stieb’s June 12, 2021 article in New York Magazine with the title “What’s Driving the Surge in Ransomware Attacks.?” which is available at

The final section of Stieb’s article is “What can businesses and governments do to stop the attacks?” It contains such advice as:

  • Businesses should shore up cyber defenses (Biden administration)
  • Intelligence agencies need to continue working at stopping attacks at their sources
  • The Ransomware and Digital Extortion Task Force should continue to tackle the entire process (Department of Justice)
  • U.S. must discuss surge of attacks with Russia (Joe Biden)
  • Businesses should inform the FBI of attacks (Biden administration)
  • Laws and regulations should ban firms from paying ransoms to cybercriminals (Energy Secretary Jennifer Granholm)
  • We should return to paper rather than the Internet for accounting and information compilation (Donald Trump)

All of the above are interesting suggestions and actions with varying levels of feasibility and effectiveness. Perhaps some combination of these suggestions might work to some extent. My general impression is that they won’t make enough of a difference unless the issue of ransomware is raised to the very high level that it deserves, namely, it is an extremely serious existential threat that merits strong mobilization of all the resources that we can muster. The government must step up to its role of discouraging cyberattacks and preventing them from reaching businesses, institutions and agencies, and organizations need to implement effective defenses. We cannot afford to lose this battle—never mind the war.

Post a Comment

Your email is never published nor shared. Required fields are marked *