This week the National Security Council is facilitating an international counter-ransomware event with over 30 partners to accelerate cooperation on improving network resilience, addressing the financial systems that make ransomware profitable, disrupting the ransomware ecosystem via law enforcement collaboration, and leveraging the tools of diplomacy to address safe harbors and improve partner capacity.
Ransomware incidents have disrupted critical services and businesses worldwide – schools, banks, government offices, emergency services, hospitals, energy companies, transportation, and food companies have all been affected. Ransomware attackers have targeted organizations of all sizes, regardless of where they are located. The global economic losses from ransomware are significant. Ransomware payments reached over $400 million globally in 2020, and topped $81 million in the first quarter of 2021, illustrating the financially driven nature of these activities.
The Biden Administration has pursued a focused, integrated effort to counter the threat. Yet, government action alone is not enough. The Administration has called on the private sector, which owns and operates the majority of U.S. critical infrastructure, to modernize their cyber defenses to meet the threat of ransomware. The Administration has announced specific efforts to encourage resilience, including voluntary cyber performance goals, classified threat briefings for critical infrastructure executives and the Industrial Control Systems Cybersecurity Initiative. And, the Administration has stepped up to lead international efforts to fight ransomware. International partnership is key since transnational criminal organizations are often the perpetrators of ransomware crimes, leveraging global infrastructure and money laundering networks to carry out their attacks.
The Administration’s counter-ransomware efforts are organized along four lines of effort:
- Disrupt Ransomware Infrastructure and Actors: The Administration is bringing the full weight of U.S. government capabilities to disrupt ransomware actors, facilitators, networks and financial infrastructure;
- Bolster Resilience to Withstand Ransomware Attacks: The Administration has called on the private sector to step up its investment and focus on cyber defenses to meet the threat. The Administration has also outlined the expected cybersecurity thresholds for critical infrastructure and introduced cybersecurity requirements for transportation critical infrastructure;
- Address the Abuse of Virtual Currency to Launder Ransom Payments: Virtual currency is subject to the same Anti-Money Laundering and Countering the Financing of Terrorism (AML/CFT) controls that are applied to fiat currency, and those controls and laws must be enforced. The Administration is leveraging existing capabilities, and acquiring innovative capabilities, to trace and interdict ransomware proceeds; and
- Leverage International Cooperation to Disrupt the Ransomware Ecosystem and Address Safe Harbors for Ransomware Criminals: Responsible states do not permit criminals to operate with impunity from within their borders. We are working with international partners to disrupt ransomware networks and improve partner capacity for detecting and responding to such activity within their own borders, including imposing consequences and holding accountable those states that allow criminals to operate from within their jurisdictions.
Actions to date within these lines of effort include:
Disrupt Ransomware Infrastructure and Actors
- The Department of Justice established a Task Force to enhance coordination and alignment of law enforcement and prosecutorial initiatives combating ransomware. Law enforcement agencies, working through the National Cyber Investigative Joint Task Force (NCIJTF) and with the support of the interagency, are surging investigations, asset recovery, and other efforts to hold ransomware criminals accountable.
- The Department of the Treasury levied its first-ever sanctions against a virtual currency exchange. The exchange, SUEX, was responsible for facilitating ransomware payments to ransomware criminals associated with at least eight ransomware variants. Treasury will continue to disrupt and hold accountable these ransomware actors and their money laundering networks to reduce the incentive for cybercriminals to continue to conduct these attacks.
- The Department of the Treasury published an updated sanctions advisory encouraging and emphasizing the importance of reporting ransomware incidents and payments to U.S. Government authorities.
- US Cyber Command and National Security Agency are dedicating people, technology, and expertise to generate insights and options against ransomware actors. Their technical expertise and insights enable and support whole-of-government efforts, including actions against criminals, their infrastructure, and their ability to profit from their crimes.
- The Department of State’s Rewards for Justice (RFJ) Office has offered a $10 million reward for information leading to the identification or location of any person who, while acting at the direction or under the control of a foreign government, engages in, or aids or abets, certain malicious cyber activities against U.S. critical infrastructure, to include ransomware activities.
Bolster Resilience against Ransomware
- The President launched an Industrial Control System Cybersecurity (ICS) Initiative in April – a voluntary, collaborative effort between the federal government and the critical infrastructure community. The ICS Initiative has led to over 150 electricity utilities representing almost 90 million residential customers to deploy or commit to deploy control system cybersecurity technologies, bolstering the security and resilience of these facilities. The ICS Initiative has been expanded to natural gas pipelines, and will shortly be expanded to the water sector.