Ransomware has proliferated because it’s ‘largely uncontested’, says GCHQ boss

If you’ve wondered why ransomware has proliferated in recent years, it’s because until recently it has remained unchallenged, according to Sir Jeremy Fleming, director of British signals intelligence agency GCHQ.

“We’ve seen twice as many [ransomware] attacks this year as last year in the UK – but the reason it is proliferating is because it works,” Fleming told the US Cipher Brief threat conference.

“It just pays. Criminals are making very good money from it and are often feeling that that’s largely uncontested…we’ve got to get our head around what this means and we have up until quite recently left a lot of this playing space to those criminal actors in effect to proliferate and to make a lot of money.”

SEE: Ransomware: Industrial services top the hit list – but cyber criminals are diversifying

Last month, the UK launched the National Cyber Force (NCF), a group with offensive capabilities that unites personnel from the Ministry of Defence (MoD), GCHQ, the Secret Intelligence Service (MI6), and the Defence Science and Technology Laboratory (DSTL).

Despite its cyber-offensive capabilities, referring to the NCF, Fleming insisted that “the UK is not building a cyber warfare centre”. 

“There’s real danger, I think, in over-militarising, with due respect to all of my military colleagues on both sides of the pond,” Fleming said. However, he added: “There is a place for western democratic liberal nations…to be able to contest cyberspace, and in the UK we’ve been doing that for decades.

“That’s been part of GCHQ’s mission for decades and we need our policymakers and, in some aspects of the mission, our military leaders to be able to bring cyber capabilities into play.”

The way to address ransomware profits is through regulating and controlling cryptocurrencies, Fleming suggested. 

“I can see in the policy debate on the US side and I see the policy debate here, and you quite quickly get into the ways in which criminals profit — you quite quickly get into cryptocurrencies and how those are regulated and controlled,” he said.

While most countries back the idea of disrupting ransomware operators and the overall business model, some have developed policy that makes an exception for ransomware attacks on critical infrastructure. 

SEE: Ransomware: Looking for weaknesses in your own network is key to stopping attacks

The Netherlands minister of foreign affairs, Ben Knapen, recently outlined how its Defense Cyber Command “can carry out a counter-attack at the end of the day to avert an enemy action or to protect an essential interest of the state”. However, the minister said it normally resorts to diplomatic or legal channels.  

At US President Joe Biden’s recent cybersecurity summit with 30 countries, participating nations agreed to cooperate to target the abuse of financial mechanisms to launder ransom payments or conduct other activities that make ransomware profitable. They will also aim to disrupt the ransomware ecosystem via law enforcement collaboration to investigate and prosecute ransomware actors. Safe havens for ransomware criminals would be addressed, along with continued diplomatic engagement.

There’s suspicion in the US that Russia turns a blind eye to ransomware gangs operating in its territory. Following the ransomware attack on Colonial Pipeline last year, Biden said he warned Russian President Vladimir Putin that critical infrastructure should be off limits.