Thursday, December 12, 2024

On the Offensive: Tracking Ransomware Gangs Across the Globe


Ransomware gangs are giving law enforcement the runaround. Not since the days of the Wild West have the police had so much trouble bringing criminals to justice. While law enforcement agencies have recently found some success—in February 2024, a joint task force took down LockBit’s main server, and on May 7th, the UK’s NCA unmasked and imposed sanctions on the group’s ringleader—these victories are typically short-lived: by May 21st, LockBit had claimed responsibility for an attack on Canadian retail chain London Drugs.

Law Enforcement vs Ransomware Gangs: A Futile War

The battle between law enforcement and cybercriminals bears striking similarities to several physical battles in living memory – most notably the Vietnam and Soviet-Afghan wars of the mid-to-late 20th century. Essentially, a better-armed, better-funded behemoth (law enforcement, the US, the Soviet Union) fights an ultimately futile battle against guerrilla fighters (ransomware gangs, the Viet Cong, the Mujahideen) who use their superior knowledge of the landscape (the internet, the Vietnamese jungle, the Afghan countryside) to defeat their enemies.

Why Traditional Methods are Failing

Traditional methods of policing, as was the case with conventional warfare in Vietnam and Afghanistan, are ineffective against cyber criminals. Ransomware gangs are like Hydras—cut off one head, and another two grow back. Moreover, many ransomware actors, including LockBit ringleader Dmitry Khoroshev, reside in Russia or are Russian citizens, making extradition practically impossible. Similarly, cybercriminals are frustratingly good at obfuscating their identities and locations.


As a result, government agencies have attempted to mitigate the ransomware problem with cybersecurity frameworks and guidelines. While undoubtedly worthwhile, taking a purely defensive approach to the war on ransomware will leave organizations one step behind attackers as they grow increasingly sophisticated, developing new techniques to bypass existing cybersecurity defenses.

The Impact of Ransomware: Beyond the Financial

The financial costs of ransomware are enormous. Research from Sophos, for example, found that the average cost of recovering from a ransomware attack in 2024 was $2.73m.

However, while the financial impacts of ransomware attacks are incredibly damaging, it is the less apparent impacts – particularly in the healthcare sector – that make ransomware such a pressing issue. With ransomware as we know it today in its relative infancy, its actual consequences are only now coming to light. For example, researchers from the University of Minnesota recently revealed that mortality rates increased by 36-55% at hospitals experiencing the most severe ransomware attacks, even rising by a staggering 62-73% for patients of color.

Similarly, a patient at a London hospital recently told The Register that she “is now missing her right breast after her skin-sparing mastectomy and immediate breast reconstruction surgery was swapped out for a simple mastectomy at the last minute” due to a ransomware attack.

Tackling Ransomware at Source

Tackling ransomware relies on performing an impossible task – attacking the problem at its source. However, new research may help make this dream a reality.

The recently developed World Cybercrime Index (WCI), a collaborative effort between the University of Oxford and UNSW Canberra, is a groundbreaking tool in the fight against ransomware and other cybercrimes. The index ranks countries based on cybercrime threat levels, providing invaluable insights for law enforcement and cybersecurity experts.

The WCI systematically identifies and ranks countries based on the prevalence and severity of cybercrime activities within their borders. By pinpointing regions that serve as significant hubs for ransomware activities, the index allows law enforcement agencies to allocate resources more efficiently. Concentrating efforts on these hotspots can lead to more effective surveillance, investigation, and disruption of ransomware operations.

Cybercrime is a global issue that requires international collaboration. The World Cybercrime Index facilitates this by providing a common framework and data set that all countries can reference. The index encourages international cooperation and joint operations to combat ransomware by highlighting the countries with the highest threat levels. This collaborative approach is crucial in dismantling transnational cybercrime networks and bringing perpetrators to justice.

Governments and organizations can use the data from the World Cybercrime Index to develop informed policies and strategies. Understanding which countries are most at risk or are primary sources of cybercrime can help craft targeted cybersecurity measures and regulations. This proactive stance can significantly reduce vulnerabilities and enhance the overall cybersecurity posture of nations, making it harder for ransomware actors to operate.

The comprehensive data the World Cybercrime Index provides also supports academic and professional cybersecurity research. With its information, researchers can analyze trends, identify emerging threats, and develop new methodologies to counter ransomware and other cybercrimes. This continuous research and development cycle is vital for staying ahead of the fast-evolving ransomware landscape.

Looking Ahead

Of course, the WCI is not a silver bullet, and it will take some time for the research to have any real impact on ransomware. Even when it does, ransomware attackers can still hide in countries like Russia to avoid punishment and continue their activities. The World Cybercrime Index does, however, offer hope in what has thus far been a hopeless endeavor. We are nowhere near tackling the ransomware problem, but we are headed in the right direction.

Josh is a Content writer at Bora. He graduated with a degree in Journalism in 2021 and has a background in cybersecurity PR. He’s written on a wide range of topics, from AI to Zero Trust, and is particularly interested in the impacts of cybersecurity on the wider economy.
