News about ransomware gang takedowns and ransom recoveries make for great headlines, and the way some people talk you’d think we had this ransomware thing licked. But while these are certainly “wins,” they’re not really having a noticeable impact, and if we keep going at these issues in a plodding, ad hoc, linear fashion they absolutely won’t.
Not that long ago that botnet takedowns were receiving similar levels of attention. I was lucky enough to be a part of some of these actions. Nay-sayers at the time said there was no real impact because replacements popped up so quickly. I was inclined to agree, but argued that the value of such actions would be realized once more people could do them, and do them more often.
Botnet takedowns required a lot of challenging legal legwork. If you’ve ever worked with lawyers, you know very few of them like to be at the cutting edge. In a system that places a high value on precedence, being the first at anything poses a serious risk of failure. But once that nut was cracked and a few cases got through the system, the potential to move a lot faster in more jurisdictions seemed like a real possibility.
Years later, botnet takedowns are still not a frequent occurrence, even though botnets are certainly still a thing. This is, to my mind, one of the bigger ‘shames’ in this space (“it’s a shame that…” not shameful behavior), because if we could manage to take down multiple botnets on a weekly basis vice, say, one a year, it dramatically drives up the risk factor (and potentially the cost) for would-be botnet creators. If you’re more likely to get hit by a meteor than arrested, life as a digital crime lord seems pretty attractive. As soon as prison becomes likely, suddenly it is time to consider getting a regular job.
Bad actors will always have a number of advantages over defenders and law enforcement. In some cases you’re dealing with super-empowered individuals, who can work much faster than adversaries that have to operate in an industrial-age model, be sure to address the ‘equities’ of all the ‘stakeholders’ involved, fight for budget, hunt for increasingly rare talent to do the work, etc. Especially when you’re dealing with governmental organizations, “taking down 1000 botnets” is probably not a bullet on anyone’s performance evaluation. From the organization’s point of view it is important to “measure what matters,” but from the employee’s point of view all that matters when it comes to applying effort is what is measured. These types of activities require extensive industry cooperation, and such measures are not revenue-generating. Read into that what you will.
The work that goes into both botnet and ransomware takedowns is not insignificant, and those involved deserve to be recognized and congratulated. But until actions like these become so commonplace that they cease being news, they are novelties. Unless government, defenders, and industry can devise a system of processes and incentives that make such actions practical and rewarding, such activity will eventually wane, and it will be like nothing anyone did mattered.