Unintended Consequences of Ransomware: An Introduction

January 27, 2022

BlueVoyant

This is an introduction to a five-part series that focuses on the Unintended Consequences of Ransomware. In this forthcoming series, BlueVoyant aims to shed light on how ransomware attacks happen, why, and what happens when they do. By examining key perspectives through the lens of unintended consequences, this series will illustrate how different stakeholders are drawn into, and affected by, a ransomware event.

By BlueVoyant Strategic Intelligence team

Over the last decade, ransomware attacks have grown each year, sometimes doubling - or even quadrupling - in frequency. BlueVoyant engages with the threat of ransomware daily. We find and secure vulnerabilities to ransomware in our client companies; when ransomware attacks have occurred, we help businesses recover and secure themselves against the next attack. We use our insight into global internet data and custom analytics to track and report on ransomware gangs, their evolution, their campaigns, and their tactics, techniques, and procedures (TTPs).

In this series, which we have called “Unintended Consequences of Ransomware,” BlueVoyant aims to shed light on how ransomware attacks happen, why, and what happens when they do. Even though ransomware is by its nature a criminal enterprise - holding individuals and companies hostage for money - it has, over time, become much more. It’s not just a challenge for law enforcement but a tool of geopolitics, a puzzle to policymakers, and a threat to the health and safety of average citizens.

By examining five key perspectives through the lens of unintended consequences, this series shows how different stakeholders are drawn into, and affected by, a ransomware event. It shows the motivations of different actors, hoping to clear up the complex dynamics of criminals, policymakers, and victims. Hopefully, this series makes ransomware seem less complex, and less prone to conspiracy theory or confusion. Most ransomware gangs simply want money. Most policymakers simply want a way to protect critical industries. Most victims simply want the cheapest, most legally compliant way out of their predicament. Most citizens simply want to know what their rights are.

The series begins by examining how this form of attack became so prevalent in the cybercriminal economy. We trace the evolution of leak sites, the ransomware-as-a-service (RaaS) economy, and the nearly exponential growth in the underground economy driven by these early ransomware innovations. That growth, in turn, led to greater organization and complexity: ransomware gangs structured themselves as businesses, often securing vendors and contractors across national borders, creating their own marketing campaigns and partnership structures.

The next installment in the series will focus on impacted organizations: the way they respond to ransomware attacks and the challenges they face (both technical and legal). We will then look at the perspective of the average Joe: the citizen who finds their access to services or work (even their finances) compromised; or their health and safety impacted by a ransomware gang they’ve never heard of attacking a company they may not have known they relied on.

Finally, the series will end by telescoping out to incorporate the perspectives of more high-level stakeholders, namely, the insurance industry and, finally, the policymaker. As ransomware grows as a threat, it sparks questions about systemic change. How does the insurance industry react to rampant cybercrime? How does it protect the interests of client companies while also mandating baseline security requirements for insurance payouts? From a policy perspective, what policies are necessary on a national and international scale to reduce cybercrime and protect citizens?

As the tempo of attacks increased over the last few years, the government has been forced to take notice.

In the immediate aftermath of the Colonial Pipeline and JBS attacks, to cite two examples, the White House discussed four lines of effort that had heretofore shown little impact on slowing the onslaught:

1. Work in partnership to disrupt ransomware infrastructure and threat groups.

2. Build an international coalition to exert pressure on countries that provide safety to ransomware purveyors.

3. Expand cryptocurrency analysis as a means to cut off the primary artery for criminal financing/laundering.

4. Lobby for clearer international norms whereby nation states do not harbor these criminals.

The ransomware threat is difficult to understand and to face down precisely because at its heart is a series of complex dynamics - between attacker and victim; state and citizen; private sector and public; and national policymaking and geopolitical brinksmanship.

Hopefully, this series will help to inform our audience and clarify how ransomware attacks occur, what happens after they do, and why.