US lawmakers seek to brand ransomware gangs as terrorists

United States lawmakers are mulling a new proposal to designate countries from which cyber criminal ransomware gangs operate as state sponsors of terrorism.

The law forms part of the Intelligence Authorisation Act for the 2025 fiscal year, which is being brought forward by Mark Warner, a Democratic senator for Virginia, and chair of the Senate Intelligence Committee.

It would see countries such as Russia that are deemed to have provided support for a ransomware demand scheme, including providing safe haven for criminal gang members themselves, listed in the same bracket as the likes of Cuba, Iran, North Korea and Syria, and subject to the same penalties and sanctions.

It lists a number of ransomware crews that the Committee believes constitute hostile foreign cyber actors whose home countries benefit from their activities, including some of the most dangerous and prolific operations of the past few years, such as Black Basta, BlackCat, Cl0p, Conti, DarkSide, LockBit and ReVIL, all of which had or have links to Russia.

There are four main categories of sanctions for countries that are designated as a state sponsor of terror, including bans on US foreign assistance, defence exports and sales, controls over exports of dual use items – items that can be used for both civilian and military purposes, and “miscellaneous” financial and other restrictions. Russia is, of course, already subject to wide-ranging western sanctions over its illegal invasion of Ukraine.

The bill also sets out a proposal to deem ransomware attacks on critical national infrastructure (CNI) as an intelligence priority under the US National Intelligence Priorities Framework.

Jon Miller, founder and CEO of Halcyon Security, an AI-driven anti-ransomware platform, told Computer Weekly it was long past time that ransomware attacks are called out for what they are, especially when they target healthcare providers and other CNI operators such as utilities or communications services providers (CSPs).

He explained that while ransomware gangs have always hidden behind the fact that their actions appear like criminal activity, they often have it both ways in that they frequently advance geopolitical agendas – such as by not attacking organisations in Russian-speaking jurisdictions.

They also receive the tacit backing of their “host” governments, exemplified by the arrests of REvil gang members by Russia’s FSB security service in January 2022, which proves that Russia is very capable of being an effective partner in the fight against cyber crime when it chooses to be.

“Ransomware operators can walk and chew gum at the same time. While ransomware is lucrative for them and they need to make money to fund their operations, we should not ignore the fact that many of these attacks are carried out with the goal of causing disruption, creating doubt, and furthering geopolitical agendas. It is not a stretch therefor to designate some of this as acts of terrorism,” he said.

“The fact that ransomware attacks appear on the surface to merely be cyber criminal activity provides a convenient level of plausible deniability when those attacks also serve the larger geopolitical goals of adversarial governments. This is why it is imperative for the US government and allied nations who are the targets of these attacks to differentiate a portion and reclassifying them as terrorist acts – specifically those attacks that target healthcare and other critical infrastructure functions where lives are at put at risk or lost.

“If any state-sponsored actor physically attacked a hospital, water treatment facility, or other critical infrastructure provider, we would not hesitate to call that terrorism. Why should we just because they were cyber attacks?” he said.

Miller described the suggestion by the US as a step in the right direction, saying that if deeming ransomware attacks as terrorist attacks gives the authorities more options, it is a lever that should be pulled.