The US Department of State has announced that its Rewards for Justice (RFJ) program is now offering:
...up to $10 million for information leading to the identification or location of any person who, while acting at the direction or under the control of a foreign government, participates in malicious cyber activities against U.S. critical infrastructure in violation of the Computer Fraud and Abuse Act (CFAA).
The reward is a clear sign that the Biden administration is increasing its efforts to disrupt state-sponsored cyberattacks, and to punish the criminals who launch them. The press release specifically calls out ransomware campaigns, saying that violations of the statute "may include transmitting extortion threats as part of ransomware attacks."
Other violations of the CFAA that it mentions include:
- Intentional unauthorized access to a computer or exceeding authorized access and thereby obtaining information from any protected computer.
- Knowingly causing the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causing damage without authorization to a protected computer.
"Protected computers" includes US government and financial institution computer systems, and also those used in or affecting interstate or foreign commerce or communication.
To enable the reward system, the RFJ has set up a Dark Web reporting channel, using exactly the same privacy-enhancing technology that ransomware gangs use to conduct their ransom negotiations without being located or identified.
Some may be surprised at the size of the reward. One of the key reasons we have seen ransomware get progressively worse is that the spoils often outweigh the risks. With the $10 million reward, the US is hoping to rebalance the equation. Cybercrime has become a mature industry, with different groups specializing in different parts of the value chain. That requires a level of trust to operate smoothly, and with this financial incentive, the US has just given everyone involved in the cybercrime industry a new and very significant reason to doubt the trustworthiness of their suppliers and affiliates. A method to divide and conquer, if you will.
Even though the press release mentions “a foreign government”, everybody will understand that this is mostly aimed at Russia, although China, North Korea, Iran and others have also been implicated in cybercrimes committed inside the US. The strategy is necessary after Russian President Vladimir Putin's obvious reluctance to curb ransomware operators. Mainstream ransomware operators know that if they avoid running inside Russia and the Commonwealth of Independent States they will probably be left alone.
Giving out rewards is not the only path the US will be pursuing though. The rewards are a part of a larger strategy that also entails:
- Hardening US institutions' defenses against ransomware attacks.
- Making it harder to cash out cryptocurrencies gained by illegal means.
- Better international cooperation against ransomware.
We have seen some examples of these strategies at work:
- The US Department of Justice's recovery of much of the ransomware payment that Colonial Pipeline paid to free itself from an attack that derailed the oil and gas supplier’s operations for several days.
- Warnings to expose ongoing Russian Foreign Intelligence Service (SVR) exploitation of five publicly known vulnerabilities.
- International actions against ransomware groups like Emotet and Cl0p.
The US is not alone when it calls for more international cooperation against ransomware. Speaking at the INTERPOL High-Level Forum on Ransomware, Interpol’s secretary general Jürgen Stock urged police agencies and industry partners to work together to prevent what looks like a future ransomware pandemic. Secretary General Stock said that while some solutions existed nationally or bilaterally, effectively preventing and disrupting ransomware meant adopting the same international collaboration used to fight terrorism, human trafficking, and mafia groups.
Sharing information would be an important part of such international cooperation, but there are also talks about opening up other information sources, such as making it mandatory for victim organizations to share information about how frequently such attacks occur and how they’re perpetrated, so others can learn from them.
More information about the reward offer is located on the Rewards for Justice website. The Tor-based tips-reporting channel can be found at the .onion URL below (you will need the Tor browser to access it):
A good fit in the overall strategy is the launch of the StopRansomware website by the Cybersecurity and Infrastructure Security Agency (CISA), with the intention that it become an official one-stop location for resources to tackle ransomware more effectively. The new StopRansomware.gov website is a collaborative effort across the federal government and the first joint website created to help private and public organizations mitigate their ransomware risk.
The Secretary of Homeland Security said: "As ransomware attacks continue to rise around the world, businesses and other organizations must prioritize their cybersecurity ... I urge every organization across our country to use this new resource to learn how to protect themselves from ransomware and reduce their cybersecurity risk."