Ransomware to be investigated like terrorism

The impact of recent ransomware attacks on vital infrastructure in the US has triggered a reaction from the US Attorney’s office. Internal guidance states that all ransomware investigations in the field should be centrally coordinated with a recently created task force in Washington.

According to Reuters, the internal communication states:

“To ensure we can make necessary connections across national and global cases and investigations, and to allow us to develop a comprehensive picture of the national and economic security threats we face, we must enhance and centralize our internal tracking.”

Terrorism model

This model of investigation and cooperation is used only in a few fields that touch upon national security, e.g. terrorism. According to US officials this shows how the issue of ransomware is being prioritized. According to Reuters, this means investigators will have to share updated case details and active technical information with leaders in Washington. It also means they will receive guidance from Washington on how to proceed. If implemented optimally this will surely result in a better understanding of the ransomware landscape.

In his recent executive order on improving the nation’s cybersecurity, President Biden already pointed out that the US faces persistent and increasingly sophisticated malicious cyber-campaigns. Section two of the order is titled Removing Barriers to Sharing Threat Information, and this new cooperation seems to fall under that banner.

Ransomware Task Force

In April we reported about international cooperation in this field in the form of the Ransomware Task Force (RTF), a think tank composed of more than 60 volunteer experts who represent organizations encompassing industries and governments. In its report (PDF) the RTF recommended that ransomware be treated as a threat to national security.

“Ransomware attacks have shut down the operations of critical national resources, including military facilities. In 2019, a ransomware attack shut down the operations of a U.S. Coast Guard facility for 30 hours, and in February 2020, a ransomware attack on a natural-gas pipeline operator halted operations for two days. Attacks on the energy grid, on a nuclear plant, waste treatment facilities, or on any number of critical assets could have devastating consequences, including human casualties.”

This was before the attack on Colonial Pipeline, which prompted President Biden to sign an executive order that broadly directs the Commerce Department to create cybersecurity standards for companies that sell software to the federal government.

Whether the RTF and the proposed task force in Washington will work closely together is unknown, but perhaps unlikely given the international character of the RTF. Sharing information might be beneficial for both, though.

REvil is not impressed

In an interview published by cybersecurity blogger Sergey R3dhunt, a spokesperson for REvil appears to indicate they are not worried by the new “terrorism approach.”

Translated, the transcript says:

Q: What happened as a result of the cyber attack?

A: As a result, the United States has put us on the agenda of the discussion with Putin. The question is, why there is such confidence that at the moment everyone is in the CIS, and even more so in the Russian Federation. In connection with the recent events with fuel [Colonial Pipeline], the United States are in every possible way avoided, as well as work inside CI.

Further inquiries seemed to indicate that it will only make matters worse, because if they are going to be prosecuted anyway, they may as well open the floodgates. When asked why they attacked JBS, this was the answer:

“Revenue. The parent company is located in Brazil, where the attack was directed. Why the US intervened is not clear. She was avoided by all means.”

History tells us the words of ransomware criminals should be taken with a heavy dose of salt.

Treated as or investigated like

Even though some gut reactions suggested that ransomware attacks would be treated in the same way as terrorist attacks, this is not entirely true, despite the fact that some ransomware attacks have had worse outcomes than terrorist attacks. It is the way in which the US Attorney’s office wants to organize the ransomware investigations that is similar to other national security issues, not the severity of the punishments or the way convicted persons will be apprehended.

Ransomware infrastructure

Ransomware, especially Ransomware-as-a-Service (RaaS), has a similar organizational structure to some terrorist organizations. You have the enablers, who provide the software and the infrastructure for the ransomware itself and for receiving payments. And you have the executioners, who go out and attack victims. These groups do not have to know each other’s true identities and usually communicate through encrypted channels.

A thorough knowledge of the ransomware landscape and successful infiltration of the communication platforms could provide methods to hinder operations. Maybe the inherent distrust between criminals can be used to launch successful misinformation campaigns to disrupt the cooperation between enablers and executioners. And maybe the fear of being tracked down by a strong dedicated task force will keep some potential participants away from the scene.

Tracking payments or making it illegal to pay ransom could make another dent in the severity of the threat. According to the report by the RTF, about 27 percent of victims choose to pay a ransom. In doing so, these victims are fuelling the ransomware industry. Not because they want to, but because sometimes they feel it’s the only viable choice. This feeling is often strengthened by the additional threat to publicly disclose exfiltrated data.

All in all, a US centralized task force to investigate ransomware could contribute to the goals that the international RTF has set:

  • Deter ransomware attacks
  • Disrupt the ransomware business model
  • Help organizations prepare
  • Respond to ransomware attacks more effectively

Let’s hope so.

Pieter Arntz

Malware Intelligence Researcher

Was a Microsoft MVP in consumer security for 12 years running. Can speak four languages. Smells of rich mahogany and leather-bound books.