US lawmakers attempt to brand ransomware gangs as terrorists

US lawmakers are considering a new proposal to designate countries where cybercriminal ransomware gangs operate as states that sponsor terrorism.

The bill is part of the Fiscal Year 2025 Intelligence Authorization Act, which was introduced by Mark Warner, a Democratic senator from Virginia and chairman of the Senate Intelligence Committee.

Countries such as Russia, which are said to have supported a ransomware application scheme and which, among other things, provided a safe haven to criminal gang members, would fall into the same category as Cuba, Iran, North Korea and Syria and be subject to the same penalties and sanctions.

The bill names a number of ransomware gangs that the Committee considers to be hostile foreign cyber actors whose home countries benefit from their activities. These include some of the most dangerous and prolific operations in recent years, such as Black Basta, BlackCat, Cl0p, Conti, DarkSide, LockBit and REvil, all of which have or had ties to Russia.

There are four main categories of sanctions for countries designated as state sponsors of terrorism, including bans on U.S. foreign aid, defense exports and sales, controls on the export of dual-use items – items that can be used for both civilian and military purposes – and “miscellaneous” financial and other restrictions. Russia, of course, is already subject to broad Western sanctions for its illegal invasion of Ukraine.

The bill also includes a proposal to designate ransomware attacks on critical national infrastructure (CNI) as an intelligence community priority under the U.S. National Intelligence Priorities Framework.

Jon Miller, founder and CEO of Halcyon Security, an AI-driven anti-ransomware platform, told Computer Weekly that it’s high time ransomware attacks were called out for what they are, especially when they target healthcare providers and other CNI operators such as utilities or communications service providers (CSPs).

He explained that ransomware gangs have always hidden behind the appearance of their actions as criminal activity, but they often also pursue geopolitical agendas, such as not attacking organizations in Russian-speaking jurisdictions.

They also have the tacit support of their “host” governments, as evidenced by the arrests of members of the REvil gang by Russia’s FSB security service in January 2022, proving that Russia is very capable of being an effective partner in the fight against cybercrime when it wants to be.

“Ransomware operators can walk and chew gum at the same time. While ransomware is lucrative for them and they need to make money to fund their activities, we should not ignore the fact that many of these attacks are carried out with the aim of causing disruption, sowing doubt and advancing geopolitical agendas. It is therefore not a stretch to classify some of these as acts of terrorism,” he said.

“The fact that ransomware attacks may appear at first glance to be merely cybercriminal activity provides a convenient level of plausible deniability when those attacks also serve the larger geopolitical goals of hostile governments. That’s why it’s critical for the U.S. government and allied nations that are the targets of these attacks to distinguish some of them and reclassify them as acts of terrorism — particularly those that target healthcare and other critical infrastructure functions where lives are endangered or lost.”

“If a state-sponsored actor were to physically attack a hospital, a water treatment plant or other critical infrastructure provider, we would not hesitate to call that terrorism. Why would we do that, just because it was cyberattacks?” he said.

Miller described the U.S. proposal as a step in the right direction, saying it is a measure that should be taken if classifying ransomware attacks as terrorist attacks gives authorities more options.

Implications for UK organisations

Given that the US law implicitly targets Russia, if it were to become law it would undoubtedly have implications for UK organisations, particularly those that also do business in the US. However, it should be noted that many companies have already reduced their exposure to the Russian market in order to comply with Western sanctions following the invasion of Ukraine.

The UK government is also planning to introduce new cybersecurity laws, and the proposed Cyber Security and Resilience Bill outlined in the King’s Speech contains welcome hints that the UK will enforce better reporting of ransomware incidents. However, it has yet to get to the stage where detailed proposals for other measures have been put forward.

Recent discussions in the UK about improving the response to ransomware have focused on banning ransomware payments as a means of combating it. This is also a topic of discussion in the US, although CISA Director Jen Easterly recently indicated that the idea is off the table for now.

Cyjax CISO and cyber commentator Ian Thornton-Trump wrote about the ban on ransomware payments for Computer Weekly earlier this year. He said that when push comes to shove, the UK is likely to follow the US lead in such cases.

He said: “The UK is considering a ban on ransomware payments, but ultimately may have no choice.” This scenario could yet play out in relation to Warner’s proposals.
