White House Urges Businesses: Improve Ransomware DefensesBiden Orders Federal Ransomware Task Force to Coordinate Federal Investigations
The White House continues to make multiple moves to try and better combat the increasing damage being done by ransomware-wielding attackers.
"The number and size of ransomware incidents have increased significantly, and strengthening our nation's resilience from cyberattacks - both private and public-sector - is a top priority" for President Joe Biden, says a memo issued by the White House to U.S. corporate executives and business leaders on Wednesday, urging them to ensure they're following a detailed list of cybersecurity best practices.
On Thursday, the Justice Department issued new guidance for prosecutors, to ensure that all cases they're tracking - domestically and abroad - get coordinated with the government's recently launched Ransomware and Digital Extortion Task Force. Based in Washington, the task force counts the FBI, National Security Division, computer crime, anti-money laundering and other parts of the DOJ as participants.
Those efforts follow the seemingly non-stop spate of ransomware attacks. Last month, the DarkSide gang hit Colonial Pipeline Corp., leading to supply concerns and panic-buying of fuel along the U.S. Eastern seaboard. Ireland's national health service was also hit last month, leading to disruptions in medical care.
On Sunday, the world's largest meat producer by sales volume, Sao Paulo-based JBS, warned that a ransomware attack had disrupted operations in the U.S., Canada and Australia. The FBI attributed that attack to REvil, aka Sodinokibi, which is a notorious ransomware-as-a-service operation.
Move to Coordinate Ransomware Investigations
On Thursday, meanwhile, U.S. Deputy Attorney General Lisa Monaco issued a memo to all federal prosecutors detailing "new requirements relating to ransomware or digital extortion attacks and investigations and cases with a nexus to ransomware and digital extortion."
Her guidance, the release of which was first reported by Reuters, notes that the ransomware attack that disrupted privately run Colonial Pipeline underscores "the growing threat" posed by such attacks to the U.S., "and the destructive and devastating consequences ransomware attacks can have on critical infrastructure."
Accordingly, she says, the imperative is to better focus, coordinate and appropriately resource the government's response, including investigating suspects who use ransomware or digital extortion, or provide supporting cybercrime services, all of which which can be complicated by so many such efforts being transnational.
"To ensure we can make necessary connections across national and global cases and investigations, and to allow us to develop a comprehensive picture of the national and economic security threats we face, we must enhance and centralize our internal tracking," her guidance says.
DOJ says the guidance applies not just to all cases involving ransomware and digital extortion, but also to individuals being investigated for operating infrastructure used in such schemes. It says this can include - but is not limited to - services meant to counter antivirus tools; illicit online forums and marketplaces that supply the cybercrime-as-a-service economy, for example, by selling tools or remote desktop protocol credentials; "cryptocurrency - or digital currency - exchanges, mixers or tethers"; bulletproof hosting services; botnets; and online money laundering services.
"It’s a specialized process to ensure we track all ransomware cases regardless of where it may be referred in this country, so you can make the connections between actors and work your way up to disrupt the whole chain," John Carlin, the DOJ's principle associate deputy attorney general, tells Reuters. "We’ve used this model around terrorism before but never with ransomware."
White House to Businesses: Act Now
But attempting to deter and disrupt ransomware-wielding suspects will never be a complete strategy for stopping such attacks, especially if suspects are operating from countries in Eastern Europe such as Russia that never extradite citizens.
So notes the Biden administration in its Wednesday call to businesses to "take ransomware crime seriously and ensure your corporate cyber defenses match the threat."
That memo, issued by Anne Neuberger, Biden's deputy national security advisor for cyber and emerging technology, says that one lesson to be learned from recent, damaging attacks that have hit not just the U.S., but also the Irish and German healthcare sector, U.K. banks and others, "is that companies that view ransomware as a threat to their core business operations rather than a simple risk of data theft will react and recover more effectively."
Accordingly, the government is urging businesses to ensure they immediately implement six best practices:
- Follow Biden's Cybersecurity Executive Order guidance: Specifically, implement multifactor authentication, endpoint detection and response, encryption, and employ a skilled security team.
- Backup and restore: Ensure robust data backup and restoration processes are in place and regularly tested, with data being stored offline so it cannot be accessed or disrupted by attackers.
- Update and patch promptly: Consider using a dedicated patch management system to coordinate fixes across operating systems, applications and firmware.
- Test incident response plans: Plan for attacks and outages and test those plans, because "there's nothing that shows the gaps in plans more than testing them."
- Review your security team's work: Employ third-party penetration testing firms to stress-test defenses before ransomware gangs do.
- Segment networks: Especially to separate corporate functions from manufacturing or production operations.
Biden's Diplomatic Moves
Among other ransomware-battling strategies, the Biden administration has also been attempting to increase diplomatic pressure on Moscow to do something about cybercriminals, operating from inside Russia, who hit U.S. targets.
"The White House is engaging directly with the Russian government on this matter and delivering the message that responsible states do not harbor ransomware criminals," press secretary Karine Jean-Pierre told reports aboard Air Force One on Tuesday, in the wake of the attack on JBS.
The REvil ransomware operation has now responded to the Biden administration's move, as spotted by Mikko Hypponen, chief research officer of Finnish security firm F-Secure.
"We're not going anywhere, we will work even harder," reads the Russian-language message from the group, which regularly issues self-promoting, public pronouncements (see: Charm Offensive: Ransomware Gangs 'Tell All' in Interviews).
REvil's message also asks what exactly the White House thinks it can do to truly disrupt ransomware. "Even if they pass a law banning the payment of ransoms in the United States or put us on a terrorist list, this will not affect our work in any way," it claims.
On that front, the White House is also investigating how authorities might better track the flow of cryptocurrency from victims to attackers, The Wall Street Journal reports.
Western governments are also continuing to revise their approach domestically. Britain's Financial Conduct Authority on Wednesday, for example, warned that for U.K. vendors of bitcoin and other cryptocurrencies, "a significantly high number of businesses are not meeting the required standards under the Money Laundering Regulations."
The FCA, which regulates Britain's financial services sector, says it has temporarily extended the ability of some of those businesses to continue operating until March 31, 2022, but that it expects to see robust AML processes in place by then, amongst numerous other requirements.
"Anti-money laundering and counter terrorist financing legislation are aimed at protecting against enabling the transfer and disguise of funds from criminal activity, or funding of terrorist groups," it says. "The FCA will only register firms where it is confident that processes are in place to identify and prevent this activity."
But many cryptocurrency-using criminals are based in Eastern Europe, and specifically countries that lack extradition treaties with the United States. Attackers have also historically favored cryptocurrency exchanges operating from countries that lack anti-money laundering and "know your customer" rules.
Experts say the U.S. and other governments must bring more international pressure to bear on such countries to drive them to better regulate domestic exchanges, before law enforcement can hope to better disrupt the flow of digital currencies - and by extension, the ongoing surge in ransomware and digital extortion.