Are Ransom Attacks State-Sponsored Terrorism?

The State Department has offered up to $15 million for information on two Russia-based ransomware gangs. DarkReading reports that those bounties might be quite effective in enticing operators to “out” rival threat actors, or getting disgruntled affiliates to take revenge if they are cheated out of their cut. However, the payouts represent a tiny fraction of the revenue ransomware gangs receive, and hardly count as an incentive to cooperate with authorities. Which raises the question: Are ransom attacks state-sponsored terrorism?

The real problem is that rogue nations support ransomware operations as a key part of geopolitical strategy, and they provide a safe harbor for attackers. A recent report by Chainalysis said that three-quarters of all illicit revenue generated by ransomware attacks during 2021 went to Russia-linked attackers. 

Russia, China, and other nations, some allied with the West, share tools and attack infrastructure with ransomware gangs. Those governments provide plausible deniability when the gangs are identified. They have zero interest in relinquishing such valuable assets.

Attacks targeting critical infrastructure providers like healthcare organizations have crossed the line from cybercriminal activity to a serious national security threat. Calling an attack that holds dozens of healthcare providers and their patients for ransom an IT security event is a serious misunderstanding. More guidelines and frameworks won’t fix the problem.

A recent report by Ponemon found a direct link between ransomware attacks on healthcare providers and negative patient outcomes. Forty-six percent of victims noted increased mortality rates. Other research found that between 2016 and 2021, ransomware attacks contributed to between 42 and 67 patient deaths and a 33 percent increase in death rates per month for hospitalized Medicare patients.

DarkReading advocates reclassifying at least some cyberattacks as terrorist acts in order to leverage new tools to fight them. Otherwise, there are few real consequences for these threat actors while targeted organizations are left to fend for themselves.