When the final numbers are tallied for 2021, ransomware will pass a grim milestone: Reported payments to ransomware groups last year will top $1 billion, making ransomware the most unwelcome unicorn enterprise. This exponential growth is explained in part by the rise of ransomware groups operating like enterprises — offering ransomware-as-a-service, a business model through which ransomware groups lease their malware to affiliated groups for a fee or a share of the profits.
The nature of the threat – as an enterprise rather than an ideology – presents an opportunity. Ransomware groups by and large have shown themselves to be rational actors that engage in cost-benefit calculus, affording the government and private sector levers to change their behavior. If 2022 is to mark an inflection point in the fight against ransomware, we must do more to change the incentives.
First, the U.S. government needs to enforce the red lines it has drawn to protect critical infrastructure. The Biden administration made it clear which targets raise heightened levels of concern when it provided Russian President Vladimir Putin with a list of 16 areas of critical infrastructure that it considers off-limits, including the energy, health care and agriculture sectors.