A long-term discussion for ransomware as an intelligence threat

Katerina Vardalaki (RIEAS Senior Analyst & Security Expert)

Copyright: Research Institute for European and American Studies (www.rieas.gr)

Publication date: 24 January 2021

Note: The article reflects the opinion of the author and not necessarily the views of the Research Institute for European and American Studies (RIEAS)

Ransomware is a type of infectious malware that uses encryption methods to deny access to files (Glasberg, 2016), but that definition is simple and does not include many details (Azad, 2017). It is enduring and prevalent, and has been a valid concern since its first appearance in 1989. Considering that cyber crime is in its entirety human related (Penuel et al., 2013), ransomware provides a viable business model (Cartwright & Cartwright, 2019). This issue has been ignored and profusely underestimated (Funke, 2016). Consequently, it is legislated within the legal precedence of both the United States and Greece with different approaches and measures.

Legislation can provide insight about the way specific countries adapt to changes. The American and Greek realities have different views about cyber matters. In US governmental situations, serious investigations are launched after such threats occur and security-based systems are improved preemptively. The US provides a plethora of ransomware incidents (GCI, 2018; Malwarebytes, 2019) and tactics on how the state responded through legislation or other means. The US signed the Budapest Convention in 2006 and implemented the changes in 2007. Greece, on the other hand, ratified the proposed Convention in 2016 (Papantoniou, 2017), thus making it the last EU member state to follow the convention’s directions. Moreover, Greece provides a vague and non-clarified term of cyber-crime (Spathi, 2016) without even mentioning ransomware.

In the US, all 50 states have specific cyber-crime divisions or their own law enforcement, which is also responsible for cyber-crimes (Morgan, 2019). This is due to the lack of an overarching federal legislation covering ransomware attacks. Due to the absence of federal guidelines, states are called upon to cover the legal lacuna which remains. Although not all of them possess specific laws which touch upon ransomware, the ones that have the term mentioned in their Penal Codes are: California, Connecticut, Michigan, Texas, and Wyoming.

Local governments have been the target of extortion attacks from foreign sources, such as the Iranian attack that the Department of Justice [1] claimed caused 30 million dollars in losses (DOJ, 2018). This aspect of ransomware means that it can be used and exploited by state actors and not just criminal groups or regular . Previously, Iran’s own oil industry was targeted by the “Wiper” attack, and in the now-leaked National Security Agency (NSA) document [2], it is stated that Iran might have learned the way to use malicious code for the same reason as it was used on them: disruption of government, facilities and monetary gain.

Similarly, other attacks targeting the US originated from Russian hackers such as Yakubets, who is accused of leading “Evil Corp”, a cyber-criminal network which created an attack called Dridex. Kshetri (2006) reports a case where the FBI arrested two Russian hackers by downloading incriminating files from their original computers in Russia. Two years later, Russia filed hacking charges against the FBI, claiming that it is illegal to download files from systems located in Russia. In other cases, Kshetri states, the US has requested help from Russia with regard to cyber criminals and received no response.

Furthermore, the National Secret Services of Uzbekistan (Zetter, 2019; Lyngaas, 2019) bought and later created their own malware to use it against its citizens and other countries. Uzbekistan is not the only state actor who attempted to use malware and exploits. The case of “Phineas Fisher” and the hack against the Italian “” company brought to light the economy behind creating malware as a political tool. The “Hacking Team” company sold spyware and hacking services to intelligence agencies and police forces internationally (Franceschi-Bicchierai, 2016).

[1] The two Iranian hackers attacked computers in 10 US states and Canada. Full report can be found here: https://www.justice.gov/opa/pr/two-iranian-men-indicted-deploying-ransomware-extort-hospitals-municipalities-and-public

[2] Can be found here: https://theintercept.com/document/2015/02/10/iran-current-topics-interaction-gchq/


Moreover, due to the difficulty of tracing the criminals (Palmer, 2019), either because of jurisdictional issues and national boundaries (Kshetri, 2006) or the use of (Baggili, Rogers, et al., 2009) Bitcoins, criminals remain at large. Evidently, the legislative framework exists and may cover the necessary clauses for criminals; however, it is difficult to impose it. Additional law will not help if there is no way to enforce it (Neuhauser, 2018). Ransomware is hard to trace for a multitude of reasons, and the concerns for investigations are usually jurisdictional, since the perpetrators may have deployed it from a different country. If criminals are caught, the chances of their original country extraditing them to be prosecuted in the victim country are few (Palmer, 2019). Concerns are also raised as to which activities the law should consider, how to legislate them and how often.

All the aforementioned reasons create doubts about the necessity of another broad, one-sided and unenforceable law. The long-term approach would need a delicate legislative hand. First comes the matter of cooperation and then the matter of forensics and information. Dixon suggests two steps that should be followed: 1) Establish dialogue and a shared vision (Dixon, 2019). The solution comes from cooperation under a common knowledge, firstly at the European level and then globally. 2) Decide on global principles for public and private partnership (Dixon, 2019). The telecommunication companies, the internet service providers and valuable private actors can cooperate with government law enforcement agencies and provide them with information to locate the perpetrators.

The issue needs, firstly, a global cyber-crime framework, which would cover many cyber-crimes and offenses and would be agreed upon by every (cooperative) country. Secondly, it needs the establishment of a global Cyber Crime Division that would be responsible, as law enforcement, for gathering all information from all countries and industries, alongside a global Cyber Crime Court of Justice that would be manned exclusively with legal experts on cyber matters. This idea is ambitious and challenging, and it requires research much more extensive than the present one.

However, realizing the limitations of this proposal, I would suggest that legal experts and security experts combine forces and take the necessary steps to reach a consensus against a global threat which will not subside with the legal approach that is now being used.


References

Azad, A. (2017). Ransomware: a research and a personal case study of dealing with this nasty malware. Issues in Informing Science & Information Technology, vol. 14, 2017, p. 87+.

Baggili, I., & Rogers, M. (2009). Self-Reported Cyber Crime: An Analysis on the Effects of Anonymity and Pre-Employment Integrity. International Journal of Cyber Criminology, 3(2):550-565.

Cartwright, Anna, & Cartwright, Edward. (2019). Ransomware and Reputation. Games, 10(2), Games, Jun 2019, Vol.10(2).

Department of Justice. (2018, November 28). Two Iranian Men Indicted for Deploying Ransomware to Extort Hospitals, Municipalities, and Public Institutions, Causing Over $30 Million in Losses. Retrieved from https://www.justice.gov/opa/pr/two-iranian-men-indicted-deploying-ransomware-extort-hospitals-municipalities-and-public

Dixon, W. (2019, February 19). Fighting – what happens to the law when the law cannot be enforced? World Economic Forum. Retrieved from https://www.weforum.org/agenda/2019/02/fighting-cybercrime-what-happens-to-the-law-when-the-law-cannot-be-enforced/

Franceschi-Bicchierai, L. (2016, November 12). ‘Phineas Fisher’ speaks on camera for the first time - through a puppet. Vice Motherboard. Retrieved from https://www.vice.com/en_us/article/78kwke/hacker-phineas-fisher-hacking-team-puppet

Funke, G. (2016). Training Challenges in Cyber Security. Addressing Human Factors Gaps in Cyber Defense. Proceedings of the Human Factors and Ergonomics Society Annual Meeting. 60. 770-773. 10.1177/1541931213601176.

Glassberg, J. (2016). Defending against the ransom ware threat. POWERGRID International, 21(8), 22-24.

Global Cybersecurity Index (GCI). (2018). Global Cybersecurity Index 2018. ITU Publications. Retrieved from https://www.itu.int/dms_pub/itu-d/opb/str/D-STR-GCI.01-2018-PDF-E.pdf

Kshetri, N. (2006). The simple economics of . IEEE Security & Privacy, 4(1), 33-39.

Lyngaas, S. (2019, October 3). How Uzbekistan's security service (allegedly) began developing its own malware. Cyberscoop. Retrieved from https://www.cyberscoop.com/uzbekistan-sandcat-kaspersky/

Malwarebytes. (2019). Cybercrime tactics and techniques: Ransomware Retrospective. (CTNT Report 2019). Retrieved from https://resources.malwarebytes.com/files/2019/08/CTNT-2019-Ransomware_August_FINAL.pdf

Morgan, S. (2019, September 22). Directory of U.S. State and local cybercrime law enforcement. Cybercrime Magazine. Retrieved from https://cybersecurityventures.com/directory-of-u-s-state-and-local-cybercrime-law-enforcement/

Palmer, D. (2019, November 29). Ransomware: Big paydays and little chance of getting caught means boom time for crooks. ZDNet. Retrieved from https://www.zdnet.com/article/ransomware-big-paydays-and-little-chance-of-getting-caught-means-boom-time-for-crooks/

Papantoniou, K. (2017). How Cybercrime is Punished. Broker’s Time 49(15). Retrieved from https://www.bahagram.com/wp-content/uploads/2017/07/%CE%A0%CE%A9%CE%A3-%CE%A4%CE%99%CE%9C%CE%A9%CE%A1%CE%95%CE%99%CE%A4%CE%91%CE%99-%CE%A4%CE%9F-%CE%9A%CE%95%CE%A1%CE%9D%CE%9F%CE%95%CE%93%CE%9A%CE%9B%CE%97%CE%9C%CE%91.pdf?fbclid=IwAR0UW0IgwzCeI79xOzzx33sci

Penuel, K. B., Statler, M., & Hagen, R. (2013). Encyclopedia of crisis management. Thousand Oaks, CA: SAGE Reference.

Neuhauser, A. (2019, April 13). Can the law stop ransomware? U.S. News. Retrieved from https://www.usnews.com/news/national-news/articles/2018-04-13/can-the-law-stop-ransomware

Spathi, T. (2016). New Technologies and Crime. Intelligent Deep Analysis. Retrieved from http://www.indeepanalysis.gr/nomika-themata/nees-technologies-kai-egklhma

Zetter, K. (2019, October 3). Researchers say they uncovered Uzbekistan Hacking operations due to spectacularly bad OPSEC. Vice. Retrieved from https://www.vice.com/en_us/article/3kx5y3/uzbekistan-hacking-operations-uncovered-due-to-spectacularly-bad-opsec
