The U.S. Department of Justice is elevating investigations of ransomware attacks to a similar priority as terrorism in the wake of the Colonial Pipeline hack and mounting damage caused by cyber criminals, a senior department official told Reuters.
Internal guidance sent on Thursday to U.S. attorney’s offices across the country said information about ransomware investigations in the field should be centrally coordinated with a recently created task force in Washington.
The letter was sent to Deputy Attorney General Lisa Monaco and was titled ‘Guidance Regarding Investigations and Cases Related to Ransomware and Digital Extortion,’ according to Cyber Scoop News which obtained a copy of the letter.
‘Recent ransomware attacks – including the attack last month on Colonial Pipeline – underscore the growing threat that ransomware and digital extortion pose to the Nation, and the destructive and devastating consequences ransomware attacks can have on critical infrastructure,’ Monoco wrote in the letter.
John Carlin, acting deputy attorney general at the Justice Department, told Reuters that the guidelines are ‘a specialized process to ensure we track all ransomware cases’
Internal guidance sent on Thursday to U.S. attorney’s offices across the country said information about ransomware investigations in the field should be centrally coordinated with a recently created task force in Washington
‘A central goal of the recently launched Ransomware and Digital Extortion Task Force is to ensure that we bring to bear the full authorities and resources of the Department in confronting the many dimensions and root causes of this threat.’
The guidance added: ‘To ensure we can make necessary connections across national and global cases and investigations, and to allow us to develop a comprehensive picture of the national and economic security threats we face, we must enhance and centralize our internal tracking.’
John Carlin, acting deputy attorney general at the Justice Department, told Reuters that the guidelines are ‘a specialized process to ensure we track all ransomware cases regardless of where it may be referred in this country, so you can make the connections between actors and work your way up to disrupt the whole chain.’
Last month, a cyber criminal group that the U.S. authorities said operates from Russia, penetrated a pipeline operator on the U.S. East Coast, locking its systems and demanding a ransom. The hack caused a shutdown lasting several days, led to a spike in gas prices, panic buying and localized fuel shortages in the southeast.
Colonial Pipeline decided to pay the hackers who invaded their systems nearly $5 million to regain access, the company said.
The Justice Department’s decision to push ransomware into this special process illustrates how the issue is being prioritized, U.S. officials said.
‘We’ve used this model around terrorism before but never with ransomware,’ said Carlin. The process has typically been reserved for a short list of topics, including national security cases, legal experts said.
In practice, it means that investigators in U.S. attorney’s offices handling ransomware attacks will be expected to share both updated case details and active technical information with leaders in Washington.
Chris Krebs, the former director of the Cybersecurity and Infrastructure Security Agency, tweeted about the news on Thursday.
‘This is a positive indication that we’re getting serious about stopping ransomware. Much more needs to be done, but directional shifts are a good thing,’ he tweeted.
Krebs explained how the ransomware situation in the United States has worsened, calling the attacks ‘a profitable business model with low barriers to entry’ and noting that there have been ‘no meaningful consequences against the criminals or their hosts to date.’
He also asserted that the security posture of businesses makes it ‘too easy for the bad guys’ while speculating that the Russian government allows ransomware groups to flourish because it ‘builds a cyber workforce they can call on later’ and ‘creates well-paying jobs’ keeping the country’s residents ‘off the streets.’
Krebs noted that the ransomware attacks also ‘undermines confidence in western citizenry’ of their government’s ability to defend them.
The former federal official said he reviewed a letter from the Deputy National Security Advisor, in which Krebs said a number of things stood out – including that the government is considering ‘all companies are in play’ and could be ransomware targets.
Chris Krebs, the former director of the Cybersecurity and Infrastructure Security Agency, tweeted that the news shows officials are taking the threats seriously
Chris Krebs, the former director of the Cybersecurity and Infrastructure Security Agency, tweeted that the news shows officials are taking the threats seriously
He tweeted that he ‘can’t recall a letter like this’ from a senior National Security official in the White House.
Krebs said that the government is considering ‘all companies are in play’ as ransomware is opportunistic and that it is a risk for business disruption, not just theft.
The cybersecurity expert called on government officials to ‘use various tools of national power to lay down consequences on criminals and the countries that enable them’ and to make it harder to use cryptocurrency for payments.
The White House warned corporate executives and business leaders on Thursday to step up security measures to protect against ransomware attacks after intrusions disrupted operations also disrupted operations at a major meatpacking company.
Anne Neuberger, cybersecurity adviser at the National Security Council, said in a letter that there has been a significant hike in the frequency and size of ransomware attacks.
‘The threats are serious and they are increasing. We urge you to take these critical steps to protect your organizations and the American public,’ she added.
The recent cyberattacks have forced companies to see ransomware as a threat to core business operations and not just data theft, as ransomware attacks have shifted from stealing to disrupting operations, she said.
Strengthening the country’s resilience to cyberattacks was one of President Joe Biden’s top priorities, the White House has said.
‘But we can’t do it alone,’ White House press secretary Jen Psaki said on Thursday. ‘Business leaders have a responsibility to strengthen their cyber defenses to protect the American public and our economy.’
No company, large or small, is safe from ransomware attacks, Neuberger told the business community.
The letter came after a major meatpacker resumed U.S. operations on Wednesday following a ransomware attack that disrupted meat production in North America and Australia.
A Russia-linked hacking group that goes by the name of REvil and Sodinokibi was behind the cyberattack against JBS SA, a source familiar with the matter told Reuters.
The cyberattack followed one last month by a group with ties to Russia on Colonial Pipeline, the largest fuel pipeline in the United States, which crippled fuel delivery for several days in the U.S. Southeast.
Biden believes Russian President Vladimir Putin has a role to play in preventing these attacks and planned to bring up the issue during their summit this month, Psaki said.
Neuberger’s letter outlined immediate steps companies can take to protect themselves from ransomware attacks, which can have ripple effects far beyond the company and its customers.
Those include best practices such as multifactor authentication, endpoint detection and response, encryption and a skilled security team. Companies should back up data and regularly test systems, as well as update and patch systems promptly.
Neuberger advised that companies test incident response plans and use a third party to test the security team’s work.
She said it was critical that corporate business functions and production operations be run on separate networks.
