Space assets could be held ransom. Will we have any choice but to pay?

Ransomware exploits value. Attackers put victims against a decision to pay for the hope of the return of their system or lose it. For victims, it is hard to justify not paying even though it sets a harmful precedent. At heart, this is an economics question that cyber professionals find it difficult to answer on Earth. In space, the steep initial investments, slow times to market and operational costs of satellites and in-orbit infrastructure make the payment of a future ransomware attack against a satellite nearly assured.

There is an unaccounted-for gap in current space cybersecurity policies that omits the potentially devastating effects of widespread ransomware attacks on space assets. The technical capability to execute a ransomware attack against a satellite is there. Once the first malicious actor successfully ransoms a satellite and receives payment, the floodgates will open. Because of the economics of space assets, owners and operators will likely be forced into a position where payment is their only option and the technical and policy cybersecurity communities are not ready.

As the space domain grows both in adversarial competition and economic value, the ransomware issue should serve as a credible and specific use case for companies to develop minimum cybersecurity standards and for governments to refine current space cybersecurity policies. Disabling or denying satellite services to Earth represents an attractive attack vector, particularly if it can be done quietly and without attribution.

Ransomware against satellites

Cyberattacks against satellites are the cheapest and most effective way to disable a satellite without the fuss of a debris field or the bad press. Cyberattacks on satellites can occur through complex supply chain operations prior to launch or after the asset is in orbit. In either case, an attack could cause permanent and irreparable damage to an expensive satellite that has taken years to come to market and become operational. Satellites present an attractive ransomware target that should motivate innovation in space cybersecurity technical measures and policies..

Ransomware attacks on Earth work by encrypting the target system and all its valuable data in exchange for paying a ransom. Once used as a tool for financial gain by cybercriminals, state-sponsored actors are getting the message. In May 2024, reports emerged of the introduction of custom ransomware by the North Korean cyber group Moonstone Sleet. Given the effectiveness of ransomware, malicious cyber actors from various countries — who may or may not intend to return access to the data — are using ransomware actively to achieve geopolitical, not just criminal, goals. 

In December 2024, Dylan Smyth and Marin Donchev of the University of Munster demonstrated how a ransomware tool could be implanted on a space asset already in orbit. Their method, using software defined radios (SDR), provides attackers with a more expedient and effective way to disable critical space assets. The incentive to use ransomware against a satellite is clear — and now so is the attack vector. 

If it is difficult to justify not paying a ransom on Earth, it is nearly impossible in space. The economics of a prolonged outage of a satellite or constellation when factoring the time to market, launch cost and time to profitability make paying the ransom a near certainty. Let’s look at the decision chain: 

• Great power adversaries want the capability to disable satellites.
• Cyberattacks are the preferred method for disabling satellites.
• Ransomware is one of the most attractive cyberattack types.
• A ransomware attack can be launched from the ground via SDRs.
• The economics of commercial satellites make payment of the ransom a near certainty.

Those factors are as clear an indicator of the method and vector for a cyberattack against space assets as any cybersecurity professional could hope for. The question is whether the industry and policy community are ready for when this attack is deployed and how they will handle the precedent set. 

Minimum cybersecurity standards in space

Ransomware is neither purely a technical nor a policy problem. Its effectiveness is in its blend of the two. As companies and industries expand their presence in space, the discussion of cybersecurity for those assets is ongoing. The specificity and economic impact potential of ransomware should inspire technical research and development and policy action specific to this threat. Such action will naturally form the basis of a minimum cybersecurity standard for space assets that is defined by industry and not imposed as part of federal regulation. 

Minimum cybersecurity standards have been hotly debated in terrestrial circles because they smack of regulation. However, the space domain has a real opportunity to define its own cybersecurity environment and culture. There was a time when encryption and security standards were not viewed as necessary for space assets, but that notion is no longer valid. Cybersecurity is critical for the continuity of the space economy and continued innovation in the domain. The threat of ransomware attacks cuts directly against that continuity, and demands evenly applied cybersecurity standards to mitigate known attack vectors (such as supply chain attacks and SDR-enabled attacks) and to research future attack vectors. As the industry grows, this standard will be harder to create and enforce as ransomware becomes more attractive.

Policy options

To date, none of the major space policy documents since the reinvigoration of the National Space Council in 2017 address ransomware against space assets, even during an era when terrestrial systems have been harmed by ransomware. Space systems should be built with resilience to ransomware attacks given the significant threat they pose. Without a high-level recognition of the issue or education for operators and designers, such technical measures may lack. 

While the federal government produced cybersecurity principles and called for the introduction of contract language around cybersecurity, the job is not finished. The next step for cybersecurity in space is to engage in public-private partnerships around specific cybersecurity use cases and attack vectors. Ransomware against satellites presents a perfect opportunity for the next steps in cybersecurity policy for space. It is specific, demonstrable and highly incentivized for malicious actors. Minimum cybersecurity standards should be a goal — but industry needs to start smaller: 

1. Using the ransomware attack demonstration from the University of Munster, government and industry should run tabletop exercises to evaluate the feasibility of these attacks against specific critical assets.
2. Government and industry should work together on an inventory of satellites that are susceptible to SDR-enabled cyberattacks.
3. Research should be funded to find technical solutions and resilience measures to mitigate these attacks.
4. That research should inform minimum cybersecurity standards.

This approach is about protecting the value of the space economy. Once the first ransomware attack in space is successful, it will invite more. This will not only cause terrestrial disruption but will impact the economic value the industry is creating. This threat is specific and credible and requires a unified approach led by industry and supported through the National Space Council. 

Nick Reese is the co-founder and COO of Frontier Foundry and an adjunct professor at the NYU Center for Global Affairs. He is the former Director of Emerging Technology Policy at the U.S. Department of Homeland Security where he led space policy efforts for the department and advised the White House on space policy issues.

SpaceNews is committed to publishing our community’s diverse perspectives. Whether you’re an academic, executive, engineer or even just a concerned citizen of the cosmos, send your arguments and viewpoints to opinion@spacenews.com to be considered for publication online or in our next magazine. The perspectives shared in these op-eds are solely those of the authors.