"It’s time for the United States to start putting heads on spikes when it comes to confronting and dismantling ransomware groups," Kitchen said.
"If President Biden does not confront Vladimir Putin about the ransomware groups perpetrating from within Russia, he will be failing in his duty to protect the United States from these types of attacks," he added.
Oh sure, it's all Putin's fault. Well, no.
When have we put heads on spikes when it comes to the flow of fentanyl precursors out of China, for example? That would be never, and why? Because Nike, Apple and myriad other firms are all over there. I think it's fair to assume that Putin's government itself is unlikely to be involved in such things, but there are criminal gangs everywhere, including here. Why haven't we, for example, put Mexico's government heads on spikes over their criminal drug gangs that are all over the United States? How about the "refugees" coming from places that are full of MS-13 and similar?
Ransomware is rather simple, really: Don't do stupid things with critical control and infrastructure equipment. As I've said before, the real problem isn't "ransomware" per se; it has no value unless the ransom can be paid and, further, unless said infrastructure is connected to the Internet either directly or indirectly (e.g. through some other device) it can't get on the network in the first place.
I'd be more than happy to redesign anyone's infrastructure so that this can't happen. You could run Windows XP on that network if you wanted to and, other than by direct, intentional sabotage by an employee, nothing's getting in there.
But -- your snowflakes that work there couldn't use their computer on their desk to play on Facesucker, Instascrew or the myriad other time-wasting things they do. They couldn't run their "side hustle" on the company dime or play around on Tinder. Their phone wouldn't work in the building network and the USB ports would either be disabled in firmware or stuffed full of hot glue to prevent someone from jamming a thumb drive in there contaminated with whatever. And there could be no exceptions, including out of the CEO's and CTO's offices, which is where a lot of them originate these days because, well, privilege with office. Nope.
Without both policy and enforcement you have nothing and that means putting a stop to the cryfest from people up and down the line. You're here to do a job, period, and here are the parameters. Violate them, you will get caught and my boot is going to be up your ass ejecting you out the door no matter who you are.
In the US at least we could ban cryptocurrency transactions entirely, which would make paying a ransom impossible. If you can't pay then there is no way for a cryptojacking (which is what I dubbed these years ago) to be profitable and therefore no point. If firms cut the bull**** about shared privilege and authorization across devices there'd be a hell of a lot less of a problem too, but also much less convenience. Oh, work from home eh? Fine -- with a machine that is owned and controlled by the company and can't do anything else as it's nailed back into the corporate infrastructure and if you **** with it you both get fired and it's immediately disabled, with enough auditing to catch it very rapidly if you do play around.
As I've repeatedly pointed out in these pages over the last 10 or so years, these problems are not THAT hard to solve, but you have to put process before stupid, which nobody wants to do because, well, snowflake and diversity hires in front of merit.
Hope you don't like running water and power as eventually they'll get hit too.