The US Justice Department (DOJ) is creating a task force to tackle the growing threat of ransomware and related extortion schemes targeting school districts, hospitals and others, according to an internal department memo that began circulating the third week of April 2021.
The newly established Ransomware and Digital Extortion Task Force (RDE-TF) will include DOJ officials as well as representatives from the FBI and the Executive Office for US Attorneys. The task force will target the "ransomware criminal ecosystem as a whole," which means prosecuting those behind the attacks as well as those who launder money that is extorted, the memo states. "This will include the use of all available criminal, civil, and administrative actions for enforcement, ranging from takedowns of servers used to spread ransomware to seizures of these criminal enterprises' ill-gotten gains."
The new task force's goals also include devising ways to:
- Increase training and resources to address ransomware attack risks.
- Increase intelligence gathering.
- Leverage investigative leads, including connections between cybercriminal gangs and nation-state groups, and improve coordination across the Justice Department.
In recent months, ransomware gangs have been demanding multimillion-dollar extortion payments from victims, including several large corporations, in exchange for not publishing stolen data. Recently, the ransomware gang REvil, aka Sodinokibi, threatened to release stolen Apple device blueprints unless it received a $50 million payoff from the company after the gang attacked one of its third-party partners.
Blockchain analysis firm Chainalysis published a report in March 2021 that estimated criminal groups reaped $370 million in ransom payments in 2020, up 336% from 2019.
An Acting Deputy US Attorney General, who wrote the DOJ task force memo, notes that 2020 was the "worst year ever" for ransomware attacks and extortion attempts. The goal of the task force, he wrote, is to protect businesses and individuals alike. "If we don’t break the back of this cycle, a problem that’s already bad is going to get worse."
The task force will seek to build on the success of DOJ's previous takedowns of ransomware and other cybercriminal operations, according to the memo. This includes the disruption of the Emotet botnet earlier this year as well as the seizure of servers and infrastructure in January that belonged to the Netwalker ransomware group.
The DOJ task force needs to be coupled with ongoing efforts at both the State and Treasury departments to curb ransomware, says the executive director of the Americas for the Global Cyber Alliance, who calls for a "whole of government" strategy.
Coalfire notes that without the full cooperation of those companies and organizations targeted by ransomware, the DOJ task force will have a harder time bringing cases and enforcing the law. "At the end of the day the DOJ needs to develop clear rules, processes and requirements that provide everyone an idea on what their limitations are," they said. "If these aren’t done in a transparent nature, this task force will just respond to possible litigation and cleanups of other federal systems."
The newly installed Homeland Security Secretary announced in March 2021 that the agency would conduct a 60-day "sprint" exercise focused on battling ransomware. DHS also will provide an additional $25 million in grants to state and local cybersecurity preparedness programs with a particular focus on combating ransomware.
In addition, the US Cybersecurity and Infrastructure Security Agency (CISA) is preparing to use new administrative subpoena powers authorized under the 2021 National Defense Authorization Act to help it address ransomware attacks and other cyberthreats. CISA will now be able to compel internet service providers to turn over certain subscriber information that would help better identify potential attacks as well as targeted organizations.
Red Sky Alliance has been analyzing and documenting these types of cyber threats for 9 years and maintains a resource library of malware and cyber actor reports available at https://redskyalliance.org at no charge. Many past tactics are often dusted off and reused in current malicious campaigns. Red Sky Alliance can provide actionable cyber intelligence and weekly blacklists to help protect your network.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the lab directly at 1-844-492-7225, or firstname.lastname@example.org
Weekly Cyber Intelligence Briefings:
- Reporting: https://www.redskyalliance.org/
- Website: https://www.wapacklabs.com/
- LinkedIn: https://www.linkedin.com/company/64265941
REDSHORTS - Weekly Cyber Intelligence Briefings