Since its initial appearance “in the wild” in 1989, ransomware has become what one analysis called “one of the most intractable — and common — (cybercrime) threats facing organizations across all industries and geographies.” State actors and other cybercriminals behind ransomware attacks have made highly effective use of what Crowdstrike termed “increasingly damaging tactics, techniques and procedures”, even as various stakeholders have failed to adapt to and remain abreast of those tactics, techniques, and procedures.
U.S. and other law enforcement authorities have had isolated, though often significant, successes against ransomware. For example, on January 27, 2021, eight countries collaborated in disrupting the infrastructure of the Emotet botnet, which cybercriminals frequently used to disseminate ransomware and other types of malware. That same day, the U.S. Department of Justice announced that it had successfully disrupted NetWalker, a sophisticated form of ransomware-as-a-service, and charged a Canadian national in relation to NetWalker attacks.
Isolated successes, however, have failed to stem the problem. There is certainly no lack of relevant expertise in the Department’s Computer Crime and Intellectual Property Section and United States Attorneys’ Offices across the country, as well as the FBI and the United States Secret Service, to investigate ransomware operations. What the Department has lacked to date are a comprehensive anti-ransomware strategy and sufficient resources to combat the ransomware threat in accordance with that strategy.
That state of affairs may be changing. On April 21, the Wall Street Journal reported that the Justice Department has formed a task force “to curtail the proliferation of ransomware cyberattacks.” The task force’s basic approach is to target “the entire digital ecosystem” that supports such attacks.
In an internal Department memorandum issued last week, Acting Deputy Attorney General John Carlin reportedly said that ransomware poses not just an economic threat to businesses but “jeopardizes the safety and health of Americans.” The memorandum also indicated that the task force “will increase training and dedicate more resources to the issue, seek to improve intelligence sharing across the department, and work to identify ‘links between criminal actors and nation-states’.”
The principal issue for federal prosecutors and agents will not be identifying in broad terms which state actors and cybercriminals are behind specific ransomware attacks. Law enforcement agencies and cybersecurity firms are already well aware of specific state actors and cybercriminal groups, such as the North Korean Lazarus Group and the Chinese organization APT 41, that have been successfully using ransomware.
There are two more critical questions for the Department in implementing its anti-ransomware strategy. The first will be whether it can locate key ringleaders of the leading ransomware organizations, amass enough evidence to tie those ringleaders to specific cyberattacks, and secure their extradition to the United States. If those ringleaders are based inside authoritarian regimes that have shown political hostility to the United States, the best that the Justice Department may be able to do in this Administration, as it did in the Trump Administration, is to obtain indictments that “name and shame” individual participants in a cybercrime organization within countries such as China and Russia, with no realistic hope of obtaining their extradition. Ringleaders in third countries may be more reachable, although much will depend on timely cooperation by numerous governments to obtain the necessary evidence.
The second question will be whether the Department can persuade entities in both the private and public sectors – and not just corporate cybersecurity teams within those organizations – to take more stringent measures to safeguard their operations from ransomware attacks. While chief information security officers and chief security officers recognize the magnitude of the threat that ransomware poses to their organizations, the increased incidence and prevalence of ransomware attacks indicate how far behind companies and government agencies are in responding to that threat.