The US government is stepping up action against the current epidemic of ransomware, which this week has seen one of the world’s largest meat suppliers, JBS, hit by attackers, alongside revelations of attacks on public transport organisations – and doubtless countless others yet to be made public.
According to Reuters, the US Department of Justice (DoJ) has revealed it will in future give ransomware investigations a priority equal or similar to that of terrorism investigations.
The DoJ is understood to have already reached out to US attorneys’ offices to tell them to coordinate with and pass information on ransomware attacks to its recently created central Ransomware Task Force (RTF).
Reuters said the guidance – which makes explicit reference to the Colonial Pipeline attack as one of the most significant recent incidents – is designed to reflect the growing threat of ransomware attacks.
It hopes to ensure it can draw connections between attacks both inside the US and globally, and build up a coherent picture of the situation.
The DoJ guidance also goes after the services ransomware operators use to host their infrastructure, the dark web forums and marketplaces where they advertise their products to affiliates and publicise their attacks, and the cryptocurrency exchanges and money laundering services used to make their profits appear legitimate.
At the same time, in a memo issued from the White House to organisations across the US, Anne Neuberger, deputy national security advisor for cyber and emerging technology, urged the private sector to take more responsibility to deflect ransomware attacks.
Neuberger said that while the US government is conducting important work in disrupting ransomware networks, calling out the nation states that harbour ransomware gangs, and developing new policies, businesses should also take steps to protect themselves.
“Much as our homes have locks and alarm systems and our office buildings have guards and security to meet the threat of theft, we urge you to take ransomware crime seriously and ensure your corporate cyber defences match the threat,” wrote Neuberger.
“The most important takeaway from the recent spate of ransomware attacks on US, Irish, German and other organisations around the world is that companies that view ransomware as a threat to their core business operations rather than a simple risk of data theft will react and recover more quickly.
“To understand your risk, business executives should immediately convene their leadership teams to discuss the ransomware threat and review corporate security posture and business continuity plans to ensure you have the ability to continue or quickly restore operations,” she said, before going on to outline the US government’s recommended best practices for dealing with ransomware.
James Shank, chief architect for community services at threat hunting specialist Team Cymru, and also a committee member on the RTF, welcomed the increased focus on ransomware. “It is no longer speculation that ransomware can impact our way of life. It can. Colonial Pipeline and JBS USA impacted US citizens’ behaviours and prompted fears of shortages that turned into actual shortages. To think of it as terrorism fits the effects and impact of real-world ransomware cases today,” he said.
“Seeing this increase in prioritisation and to hear of this coordinated response by the US government is wonderful! We need coordinated response both in terms of public-private partnership but also on the global stage. Ransomware is impacting lives beyond our borders and involves actors beyond our borders. We can not handle this alone and we must collaborate with the world community to address this global threat,” said Shank.
He added: “I hope this results in curbing the ongoing increases in ransomware events and ransomware demands. Right now, too much of the risk is borne by the victims, and the ransomware actors operate, more or less, with impunity. It is time to change the balance of that equation.”
Five questions
In the UK, the National Cyber Security Centre (NCSC) has outlined five questions that board members should be asking their security and technical teams to develop an anti-ransomware action plan:
- To ask, as an organisation and as board members, how you would know when an incident had happened;
- To ask what measures should be taken to minimise the damage an attacker can do if they gain access to your network;
- To ask if there is an incident management plan, and how to ensure it is effective;
- To ask if the incident management plan meets the specific challenges of ransomware attacks;
- And to ask how data is backed up, and if the organisation is confident that backups will be protected from a ransomware infection.
More specific details of all these points are available from the NCSC.