Microsoft says “it’s just too difficult” to effectively disrupt ransomware

Someone holding a padlock in front of the Microsoft logo
(Image credit: Getty Images)

A leading Microsoft security executive said the efforts of law enforcement to try and shut down ransomware operations aren’t enough to provide a meaningful deterrent.

Although he praised the strong work that has been done to take down the likes of REvil in recent years, Tom Burt, CVP of customer security and trust at Microsoft said the volume of takedowns isn’t enough to stop the crime altogether.

His comments were delivered at a press event on Thursday alongside a pre-publication briefing on Microsoft’s annual Digital Defence Report, which was released on Friday.

"The problem with the efforts by law enforcement globally to try to address ransomware is that the challenges of conducting traditional law enforcement investigations and prosecutions against ransomware actors are just too difficult given the the cross-border nature of that activity, the fact that a lot of the actors are beyond the reach of law enforcement that care about this issue. It's just too difficult," said Burt.

"And while there have been some notable successes in the last year by law enforcement going after cyber criminals, and we applaud those efforts, and we work in partnership with law enforcement whenever we can, the volume of those successful prosecutions is just way too small to be a meaningful deterrent."

Asked about the nature of ransomware organisations’ evolving tactics, such as triple extortion, Microsoft said the primary development in tactics, techniques, and procedures (TTPs) is in how they evade detection.

Burt said he and Microsoft expect this trend to continue especially now the ransomware as a service (RaaS) model is continuing to see an increase in popularity.

“We continue to see the proliferation of human-operated ransomware where the targets of these ransomware attacks have been researched in detail by the criminals so that the demands that they make for ransom to be paid, continue to escalate,” he said.

“The groups that are most active in providing ransomware as a service are very sophisticated and well-resourced, and as we and law enforcement and others seek to detect what they are doing and disrupt their activity, we will certainly see them continuing to evolve their approaches to try to avoid detection and to avoid disruption.”

Disrupting the disruptors: A change in tack

Microsoft is now shifting its focus on ransomware, and cyber crime more generally, towards publicising the inner workings of cyber criminal operations, while continuing to assist in any law enforcement operations that require its insight and services.

Specifically, it believes changing its focus towards identifying the infrastructure being used to deliver ransomware and the infrastructure being used to receive ransom payments will help the industry more in the long term.

The company’s cyber security team regularly posts detailed blogs detailing its investigations into various ransomware and other cyber criminal groups to raise awareness in the security community of the common tactics used by ransomware gangs to successfully target organisations.

Microsoft’s disruption efforts also extend to the wide use of botnets in the cyber criminal underground too, Burt said.


Building a better password strategy for your business

Exploring the strategies and exploits that hackers are using to circumvent password security measures


The company detailed its ongoing efforts in the space in its annual Digital Defence Report. It said it was able to disrupt the infrastructure of seven different threat groups in the past year which has led, by its estimates, to the safety of more than 17 million potential malware victims.

Botnets continue to act as a principal pathway through which cyber crime is conducted, said Burt, and they are becoming increasingly sophisticated and resilient to disruption efforts.

Emotet is one such botnet operation that has proven especially difficult for cyber security experts to take down in recent years. Europol famously took down the botnet’s infrastructure in January 2021 after years of work to reach that goal, but even then experts warned that it may make a resurgence.

That resurgence came less than a year later when, in November 2021, its infrastructure went back online, growing in numbers rapidly in the proceeding days. This week, according to the Emotet-tracking group Cryptolaemus, the botnet has started distributing malware again after a four-month break.

“You will see our botnet disruptions, instead of being a single-day or a single-week operation in which we successfully disrupt them, we now know that our successful disruption is going to take months or even a year to ultimately bring down botnets,” said Burt.

“But I think you will see over the course of the coming year, that we'll continue to do that work as we try to find ways to scale what we can bring to the battle against cyber crime.”

Microsoft said ransomware, and cyber crime more broadly, is showing no signs of slowing down. It's expected to drain $6 trillion (£5.3 trillion) from the global economy by the end of next year - a figure rising to $10 trillion (£8.9 trillion) in 2025, according to research it presented from Cybersecurity Ventures.

One of the reasons why cyber crime continues to see an uptick in popularity and success is due to the way in which the barrier to entry is being consistently lowered, Microsoft said in its report. Cyber criminals’ tactics evolve and new tools are always being built to make conducting cyber attacks easier for lower-skilled individuals.

Previously highlighted by Microsoft's regular security reporting, it once again cited the growing proliferation of so-called cyber mercenary groups, like the Austria-based DSIRF.

These groups belong to a growing industry of cyber experts that develop powerful hacking tools and sell them to the highest bidder, which are commonly nation-states.

When it comes to ransomware defence, organisations are still failing to implement the basics of cyber security, according to the insights provided by Microsoft’s incident responders. Insufficient privilege access controls were cited as the most common error made by organisations that led to ransomware attacks, Microsoft said. 93% of incidents the team investigated this year saw poor controls implemented, allowing for easier lateral movement.

This was closely followed by ‘the limited adoption of security frameworks’ and ‘insecure configuration of identity providers’ as leading facilitators of successful ransomware attacks, with 87% and 86% of victims falling short in these areas respectively.

Multi-factor authentication (MFA) was another key contributor to successful attacks - 74% of victims did not implement an MFA solution in the workplace.

Connor Jones

Connor Jones has been at the forefront of global cyber security news coverage for the past few years, breaking developments on major stories such as LockBit’s ransomware attack on Royal Mail International, and many others. He has also made sporadic appearances on the ITPro Podcast discussing topics from home desk setups all the way to hacking systems using prosthetic limbs. He has a master’s degree in Magazine Journalism from the University of Sheffield, and has previously written for the likes of Red Bull Esports and UNILAD tech during his career that started in 2015.