United States lawmakers are mulling a new proposal to designate countries from which cyber criminal ransomware gangs operate as state sponsors of terrorism.
The law forms part of the Intelligence Authorisation Act for the 2025 fiscal year, which is being brought forward by Mark Warner, a Democratic senator for Virginia, and chair of the Senate Intelligence Committee.
It would see countries such as Russia that are deemed to have provided support for a ransomware demand scheme, including providing safe haven for criminal gang members themselves, listed in the same bracket as the likes of Cuba, Iran, North Korea and Syria, and subject to the same penalties and sanctions.
It lists a number of ransomware crews that the Committee believes constitute hostile foreign cyber actors whose home countries benefit from their activities, including some of the most dangerous and prolific operations of the past few years, such as Black Basta, BlackCat, Cl0p, Conti, DarkSide, LockBit and ReVIL, all of which had or have links to Russia.
There are four main categories of sanctions for countries that are designated as a state sponsor of terror, including bans on US foreign assistance, defence exports and sales, controls over exports of dual use items – items that can be used for both civilian and military purposes, and “miscellaneous” financial and other restrictions. Russia is, of course, already subject to wide-ranging western sanctions over its illegal invasion of Ukraine.
The bill also sets out a proposal to deem ransomware attacks on critical national infrastructure (CNI) as an intelligence priority under the US National Intelligence Priorities Framework.
Jon Miller, founder and CEO of Halcyon Security, an AI-driven anti-ransomware platform, told Computer Weekly it was long past time that ransomware attacks are called out for what they are, especially when they target healthcare providers and other CNI operators such as utilities or communications services providers (CSPs).
He explained that while ransomware gangs have always hidden behind the fact that their actions appear like criminal activity, they often have it both ways in that they frequently advance geopolitical agendas – such as by not attacking organisations in Russian-speaking jurisdictions.
They also receive the tacit backing of their “host” governments, exemplified by the arrests of REvil gang members by Russia’s FSB security service in January 2022, which proves that Russia is very capable of being an effective partner in the fight against cyber crime when it chooses to be.
“Ransomware operators can walk and chew gum at the same time. While ransomware is lucrative for them and they need to make money to fund their operations, we should not ignore the fact that many of these attacks are carried out with the goal of causing disruption, creating doubt, and furthering geopolitical agendas. It is not a stretch therefor to designate some of this as acts of terrorism,” he said.
“The fact that ransomware attacks appear on the surface to merely be cyber criminal activity provides a convenient level of plausible deniability when those attacks also serve the larger geopolitical goals of adversarial governments. This is why it is imperative for the US government and allied nations who are the targets of these attacks to differentiate a portion and reclassifying them as terrorist acts – specifically those attacks that target healthcare and other critical infrastructure functions where lives are at put at risk or lost.
“If any state-sponsored actor physically attacked a hospital, water treatment facility, or other critical infrastructure provider, we would not hesitate to call that terrorism. Why should we just because they were cyber attacks?” he said.
Miller described the suggestion by the US as a step in the right direction, saying that if deeming ransomware attacks as terrorist attacks gives the authorities more options, it is a lever that should be pulled.
Implications for UK organisations
Given the American Bill implicitly targets Russia, if passed into law it would doubtless have implications for organisations in the UK, particularly those that also do business in the US. However, it should be noted that many businesses have already reduced their exposure to Russian markets to comply with Western sanctions following the invasion of Ukraine.
The UK government is planning to bring forward new cyber security laws as well, and the proposed Cyber Security and Resilience Bill outlined in the King’s Speech contains welcome hints that the UK will enforce better reporting of ransomware incidents. However, it has not yet advanced to the stage where any detailed proposals on other measures have been put forward.
Recent dialogue in the UK on improving responses to ransomware has focused largely on banning ransomware payments as a lever that it is time to pull, something that has also been the subject of debate in the US, although CISA director Jen Easterly recently indicated this idea may be off the table for now.
Writing on ransomware payment bans for Computer Weekly earlier in 2024, Cyjax CISO and cyber commentator Ian Thornton-Trump said that when push came to shove, the UK tends to follow the US’ lead on such matters.
He said: “The UK, while it thinks about a ban on ransomware payments, may end up with no choice.” This scenario may yet play out with regard to Warner’s proposals.