The US Department of Justice has advised US attorney offices to send information on ransomware attacks to a centrally coordinated task force in Washington in a move that gives the system-locking malware a similar priority to terrorism.
The internal guidance, sent on Thursday and first reported by Reuters, comes in the wake of several high-profile ransomware attacks including the Colonial Pipeline hack.
“To ensure we can make necessary connections across national and global cases and investigations, and to allow us to develop a comprehensive picture of the national and economic security threats we face, we must enhance and centralise our internal tracking,” the memo said.
John Carlin, principal associate deputy attorney general at the Justice Department, said: “We’ve used this model around terrorism before but never with ransomware.”
The DOJ’s guidance is aimed at building a fuller picture of cybercrime networks so that an entire operation can be disrupted at once, rather than piecemeal.
Historically it has been difficult to disrupt ransomware gangs and even more challenging to prosecute them. They often operate beyond US shores, and going after their infrastructure requires coordinated efforts across multiple jurisdictions.
Investigations involving counter-antivirus services, cryptocurrency exchanges, illicit online forums or marketplaces and online money laundering services also require centralised reporting.
“The US government is absolutely right to raise the fight against cybercriminals to the same level as its efforts against violent extremism, with attacks in recent months highlighting the devastating impact that ransomware can have,” said Francis Gaffney, director of threat intelligence and response at cybersecurity firm Mimecast.
John Hultquist, VP of analysis at Mandiant Threat Intelligence, said: “We are encouraged by whole-of-government response that potentially includes efforts to disrupt this activity. We will have to be creative and aggressive if we want to turn back the tide of this problem.”
However, Marcus Hutchins, the security researcher who discovered the kill switch for the 2017 WannaCry ransomware attack, said there should be “less focus on trying to use the DOJ to solve ransomware.”
He added: “Many of the perpetrators live outside judicial reach. We need more focus on proactive disruption. Hard to make a profit if [the US government] keeps bricking your servers or stealing your ransom money.”
The guidance also makes specific reference to the Colonial Pipeline hack as an example of the “growing threat that ransomware and digital extortion pose to the nation.”
The operator of the biggest US fuel pipeline took its IT systems offline on Friday 7 May after they were infected with file-encrypting malware. It forced a five-day closure of the line carrying 45% of the East Coast’s fuel supply, sparking a jump in fuel prices and shortages at the petrol pump.
The attack, along with other high-profile incidents including the hack of meat processor JBS, has propelled ransomware high up the agenda of US President Joe Biden.
In May he issued an executive order aimed at improving supply chain security in the wake of the Exchange Server and SolarWinds hacks.
Biden last month proposed an allocation of $2.1bn for the Cybersecurity and Infrastructure Security Agency.
However, the Department of Defence’s national security budget for 2020 was approximately $721.5bn, suggesting that while ransomware reporting practices are becoming more closely aligned with those used for terrorism, there remains a vast gap between the two in levels of funding.
Ransomware, in which cyber gangs demand payment for the key to unlock files or systems their malware has encrypted, continues to be a profitable enterprise because companies or their cyber insurers continue to pay the ransom.
The CEO of Colonial Pipeline said he decided to pay the ransomware gang $4.4m for the decryption key to regain access to company systems because he thought it was “the right thing to do for the country.” However, the company ultimately found the decryption tool too slow to restore access promptly.