The U.S. Department of Justice (DOJ) is elevating investigations of ransomware attacks to a similar priority as terrorism, a senior official told Reuters.
According to Reuters, internal guidance sent recently to U.S. attorney's offices across the country stated that information about ransomware investigations in the field should be centrally coordinated with a recently created task force in Washington. "It's a specialized process to ensure we track all ransomware cases regardless of where it may be referred in this country, so you can make the connections between actors and work your way up to disrupt the whole chain," said John Carlin, principal associate deputy attorney general at the Justice Department.
The DOJ guidance references the Colonial Pipeline ransomware attack as an example of "the growing threat that ransomware and digital extortion pose to the nation."
The guidance, seen by Reuters, said, "To ensure we can make necessary connections across national and global cases and investigations, and to allow us to develop a comprehensive picture of the national and economic security threats we face, we must enhance and centralize our internal tracking."
According to Carlin, this model has been previously used by investigators in U.S. attorney's offices when handling terrorism, but never before with ransomware. Now, investigators will be expected to share updated case details and active technical information with leaders in Washington, Reuters reports.
In addition, the guidance asks the offices to look for and include other investigations, such as cases involving: counter anti-virus services, illicit online forums or marketplaces, cryptocurrency exchanges, bulletproof hosting services, botnets and online money laundering services.
Tyler Shields, CMO at JupiterOne, a Morrisville, N.C.-based provider of cyber asset management and governance solutions, notes, "Viewing ransomware attacks as an act of terrorism in a generic sense is likely incorrect and requires additional nuance. Ransomware isn't something that can be labeled with a broad stroke like that. If someone attacked a small dental office with ransomware, it's most certainly not an act of terrorism. However, if they take down critical infrastructure such as an oil pipeline or water system then it is. It's more about the target of the attack and the meaning and intention than it is about the type of attack. However, if this is what it takes to get strong responses out of the U.S. Government to track down issues then it may still be the best option."
Though raising the priority of ransomware attacks is a good step, says Dirk Schrader, Global Vice President, Security Research at New Net Technologies (NNT), a Naples, Fla.-based provider of cybersecurity and compliance software, it cannot remain the only one if it is to be effective in reducing the number of ransomware cases. "For now, it is more about collecting and centralizing information. Additional steps should be focused around a requirement to report any case of ransomware to authorities, strongly discouraging the payment of a ransom. Also, it will be necessary to influence the extended ecosystem around ransomware, the protection against, the risk transfer to insurances, any international legal aspects related to investigation and enforcement. Companies might not be willing to report a ransomware incident if that reporting will delay the resolution, will delay the return to normal operation due to investigations being slow and will be time and resource consuming. That is another aspect that would have to be considered in the overall efforts in tackling ransomware. One of the first things a company should do to reduce the likelihood of becoming a ransomware victim, and to limit the impact, is to follow the essential guidelines of CIS (or others), so that its attack surface is as small as possible. Incentivizing this behavior is crucial to root out ransomware."