DOJ signals plans to coordinate anti-ransomware efforts with the same protocols as it does for terrorism
On Thursday, Deputy Attorney General Lisa Monaco issued an internal memo directing US prosecutors to report all ransomware investigations they may be working on, in a move designed to better coordinate the US government’s tracking of online criminals.
The memo cites ransomware — malicious software that seizes control of a computer until the victim pays a fee — as an urgent threat to the nation’s interests.
“We must enhance and centralize our internal tracking of investigations and prosecutions of ransomware groups and the infrastructure and networks that allow these threats to persist,” Monaco wrote.
The tracking effort is expansive, covering not only the DOJ’s pursuit of ransomware criminals themselves but also the cryptocurrency tools they use to receive payments, automated computer networks that spread ransomware and online marketplaces used to advertise or sell malicious software.
The DOJ directive requires US attorneys’ offices to file internal reports on every new ransomware incident they hear about.
The Justice Department process outlined in the memo is one that it generally reserves for high-priority issues such as terrorism, said CNN legal analyst Elie Honig.
“Essentially, DOJ now will treat ransomware attacks as high-priority crimes, and will devote more resources to fighting back,” Honig said.
In recent weeks, cybercriminals have increasingly targeted organizations that play critical roles across broad swaths of the US economy. The fallout from those attacks show how hackers are now causing chaos for everyday Americans at an unprecedented pace and scale.
A high-profile attack against Colonial Pipeline last month disrupted fuel shipments to gas stations all along the east coast, prompting widespread panic buying. This week, the meat supplier JBS disclosed a cyberattack that led to a temporary shutdown of all nine of its US beef processing plants, prompting anxiety among some workers over potential lost wages.
And on Wednesday, New York’s transit agency disclosed it had been the target of a cyberattack in April, though it added that there was “no evidence operational systems were impacted, no employee or customer information breached, no data loss and no changes to our vital systems.”
Amid the onslaught, the Biden administration has taken an all-hands approach. In addition to the DOJ memo, the White House issued a letter Thursday to industry leaders urging them to take the threat of ransomware more seriously, and to adopt proactive security measures such as installing critical software updates, using multi-factor authentication and developing an incident response plan.
White House press secretary Jen Psaki told reporters Thursday that the United States intends to build an international coalition against ransomware, citing recent attacks in Ireland, Germany, France and the United Kingdom.
“These attacks have been on the rise for years,” she said, “because these criminal groups are able to make a profit off the backs of businesses, schools, local governments, and more.”
The United States was hit by more than 15,000 ransomware incidents against organizations last year alone, according to Brett Callow, threat analyst at the cybersecurity firm Emsisoft. Factoring in the lost productivity caused by the attacks, ransomware cost the US between an estimated $596 million and $2.3 billion in 2020, Callow said. The true figures may likely be even higher, Callow said, because Emsisoft’s estimates only account for confirmed cases of ransomware incidents.
“It’s a feeding frenzy that’s resulted from the fact that millions of dollars are up for grabs,” he said. “Companies keep on paying, so the attacks keep on coming. While critical infrastructure is now being hit, that doesn’t mean it’s being specifically targeted. The reality is that companies in every sector are being targeted. Simply put, if an organization can afford to pay a ransom, it’s in the cybercriminals’ crosshairs.”
After a sophisticated Russian cyberattack against the software vendor SolarWinds led to the compromise of nine federal agencies and roughly 100 businesses, the Biden administration this year has sought to mount an aggressive response. President Joe Biden signed an executive order aimed at bolstering federal networks and using the government’s massive procurement power to elevate federal contractors that make cybersecurity a priority. Following the Colonial Pipeline hack, the Department of Homeland Security issued mandatory hacking reporting requirements to pipelines in a bid to gain better visibility into future cybersecurity incidents.
But there are limits to what the US government can do publicly to prevent the hacking of private businesses, said Alexis Serfaty, a senior analyst at the Eurasia Gruop, a political risk consulting firm.
“They’re dependent on the private sector to work with them,” Serfaty said. While recent steps by the administration to appoint senior cybersecurity officials and beef up federal networks can make a big difference in the long run, he added, it doesn’t change the short term financial incentives that motivate ransomware gangs.
Still, the US government has quietly taken some specific actions in response to recent ransomware attacks, which include helping to take ransomware networks offline and, in some cases, identify specific actors involved in those incidents, according to two sources familiar with the situation.
While the Biden administration has made clear it needs help from private companies to stem the recent wave of ransomware attacks, federal agencies do maintain some specific capabilities that far exceed what industry partners can do, including their ability to trace currency used to pay ransomware groups involved, the sources told CNN.
But the government’s ability to effectively respond to a ransomware attack is very “situationally dependent,” both sources said.
In some cases, US officials can find the ransomware operators and “own” their network within hours of an attack, one of the sources explained, noting that allows relevant agencies to monitor the actor’s communications and potentially identify additional key players in the group responsible.
But when ransomware actors are more careful with their operational security, including in how they move money, disrupting their network or tracing the currency becomes more complicated, the sources added.
“It’s really a mixed bag,” they told CNN, referring to the varying degrees of sophistication demonstrated by groups involved in these attacks.
“Getting after these actors in an effective way takes a lot of work,” the first source said, adding that it requires knowing the specifics of the group involved, knowing those specifics in a particular moment in time and being able to affect the group on a timescale where it will be effective.”
And even if the government is able to take specific individuals out of the equation as far as their role within a ransomware group at a given time, the impact of that effort typically dissipates in just a few months as a new group or spin-off emerges, the source added.
The second source also cautioned against putting too much stock in US government actions, telling CNN that the unique circumstances around each attack and level of detail needed to effectively take action against these groups is part of the reason there is “no silver bullet” when it comes to countering ransomware attacks.
“It will take improved defenses, breaking up the profitability of ransomware and directed action on the attackers to make this stop,” the source added.
This story has been updated with additional reporting.
CNN’s Alex Marquardt contributed to this report.