A “Ransomware Task Force” initiative led by the U.S. Department of Justice includes a broad coalition of big tech firms in an effort to put an end to ransomware payments. The project, which also includes Europol and the UK National Crime Agency, proposes designating “digital extortion” as a national security threat and elevating ransomware to a priority item for intelligence agencies.
Task force seeks to disrupt ransomware payments with response network, federal assistance
An 81-page report presented to the Biden administration last week outlined the task force’s general strategy. In addition to the various intelligence agencies, it names some major tech firms as partners in the campaign against ransomware payments: Microsoft, Amazon, Cisco, and security companies FireEye and McAfee among them. These organizations would participate in an international ransomware investigation network that would establish standard formats for ransomware attempt reporting and incident response. It appears that tax breaks will also be offered to companies that adopt certain security best practices.
The ambitious plan calls for going after the “root causes” of ransomware, characterizing it as something that now “routinely imperils lives.” While that statement might be a bit grandiose, it is true that ransomware has evolved in its potential to do bodily harm. The first death attributed to ransomware was recorded in September of 2020, as a German woman being transported by emergency medical services had to be turned away from a hospital that had been compromised and passed away en route to the next available facility. And the issue is not just what ransomware groups are capable of today, but what they might expand to tomorrow. With the largest of these groups collecting hundreds of millions of dollars in payments every year, they are becoming the world’s most well-funded cyber criminals and could be first in line to purchase zero-day exploits as they emerge.
The report points out that ransomware has been surging in recent years and is one of the most common cyber threats, but it is also likely underreported, as many victims never come forward. One item that the report makes clear is off the table is making ransomware payments illegal, an idea that was broached in a controversial US Treasury memo last year. That memo had raised the possibility of fines for companies that make ransomware payments to threat actors associated with parties sanctioned by the US government. The proposal appears to back away from that idea, opining that banning ransomware payments would be unlikely to dissuade a significant number of attacks. However, the plan would require organizations to disclose all incidents (along with any ransomware payments made) to the Treasury Department. These disclosures would also need to be made prior to making any payment, giving law enforcement an opportunity to issue a “freeze letter” to the cryptocurrency service being used.
Beyond the public-private partnership aspect, a number of other items are proposed in the report’s 81 pages. These include public awareness campaigns, increased pressure on foreign nations that ransomware operators favor as operation centers (Russia being the prime example), limiting legal liability for ISPs that attempt to help customers secure systems, additional funding for assisting state and local governments, and requiring cyber insurance companies to maintain a “subrogation fund” to assist both victims and law enforcement investigations. One proposal that will no doubt be controversial is that cryptocurrency exchanges be subject to the same “know your customer” (KYC) and anti-money-laundering laws that banks are subject to.
Offensive measures described by the plan include increased investigation and prosecution of dark web marketplaces that are known to be used by ransomware gangs, and identifying and taking down servers used for ransomware attacks (particularly those used by ransomware-as-a-service operators). Anthony Pillitiere, Co-Founder and CTO at Horizon3.AI, sees this as a particularly important component as the ransomware market peaks and transitions to a “shovel seller’s” economy: “While I believe this is a great step, it’s a bit late in the game. Criminals are already seeing that the ‘don’t pay’ message is starting to stick, as only 27% of victims are paying. As the money dries up, a new tactic of ‘breach-as-a-service’ is growing in popularity. Criminals are taking a lesson from the gold rush – once the peak is hit, you can generate a longer-term revenue stream from selling pickaxes to the laggards. The 2021 DBIR analysis shows that credential and brute force attacks are the source of 80% of breaches.”
Some security researchers have pointed out that the ambitious plan is only likely to be successful if all of it is implemented at once, and that would require quickly convincing some business rivals (along with the government agencies that regulate them) to work together in unprecedented ways. They also note that the plan could create massive pools of sensitive information that these organizations have access to, something that might require further regulation to properly safeguard. Dirk Schrader, Global Vice President of Security Research at New Net Technologies (NNT), sees this plan as potentially useful but something that could unfold over years rather than months: “It is time to have such an initiative in place. It was surely propelled by the recent developments with Emotet (which was used to drop various ransomware strains) and the takedown of web-shells, that the initiators of the task force do think they can make that move. It will be more a question of convincing lawmakers across the globe to actually join that coalition, to work out or improve their own country’s legal frameworks, so that ransomware gangs can effectively be prosecuted or at least the market structure is changed so much that they get frustrated and leave that business. That is by all means not a sprint.”
Baber Amin, COO of Veridium, provided some additional detailed recommendations based on his firm’s experience:
“The Task Force report is very comprehensive, informative and pragmatic. Ransomware actors are an extension of organized crime. Most of the time we seem to forget this because when it comes to cyber security, we are prejudiced to think of lone wolf actors in black hoodies. The report lists four goals of Deter, Disrupt, Help and Respond. These goals are great, but I believe that there should have been more emphasis on the following as part of these goals, or perhaps as additional goals:
Action 3.4.4 does not go far enough to alleviate fines and provide immunity from regulations imposed by OFAC (Office of Foreign Assets Control). We need to encourage transparency and not penalize the company or individual who is trying to get their business back together.
Another missing part seemed to be the lack of involvement from ISPs, network equipment manufacturers and data center operators, even CDN operators. All of these entities can and should play a larger role in identifying, tracking and isolating attacks, and also have consistent processes for evidence preservation.
Tabletop exercises need to go farther. A ransomware attack in a red vs. blue scenario should be played out to the end to identify all possible paths.
We should also consider limiting liability for PII disclosure in a ransomware attack where a baseline of appropriate measures were taken.
Technical controls and end user education need to play a larger part in ransomware mitigation. Simple measures like MFA (multi-factor authentication), elimination of passwords, elimination of security theater, encryption of important information at rest, and timely and ongoing backups can make a big difference. These are all well understood processes, and can help from the perspective of making it difficult for an attacker and making it easy for an organization to recover without paying a ransom.”
Guidance will be key if the initiative is to be successful. The report notes that there is a myriad of information sources about ransomware and of cybersecurity defense products designed to tackle it, but a combination of lack of documentation for some and overly dense and technical documentation for others leaves organizations feeling overwhelmed when they try to plan out defense and response strategies. The NIST-like framework that the plan proposes aims to cut through that confusion. However, only the broadest strokes of that aspect of the information sharing plan are available at present.