For years, the federal government treated ransomware as a criminal menace — not as urgent as hacking by foreign spies. But after a spasm of high-profile attacks that jarred the nation, the U.S. government now has begun framing the issue as a matter of national — and global — security.
“We know that the ransomware threat is urgent, it’s complex, and it’s been increasing over the last several years,” White House press secretary Jen Psaki said. “It feels new to us over the last couple of weeks, but it has been increasing rapidly around the world over the last several years.”
She noted this week that many of the world leaders with whom Biden will gather at the annual Group of Seven meeting next week “have similar concerns.”
Until about a year and a half ago, ransomware extortion — in which hackers use malware to encrypt victims’ data and then demand hefty fees for the key to restore it — was seen primarily as cybercrime. It afflicted schools, hospitals and businesses, but the disruptions were considered isolated. No one was known to have died, and the effects were limited primarily to the entities that were hacked.
Then came the ransomware attack last month that led Colonial Pipeline to shut down its pipeline, disrupting nearly half the East Coast’s fuel supply. That was followed this week by another that threatened the nation’s largest meat supplier. It became apparent that malware devised by criminals could threaten the health and well-being of all.
“I don’t think that attention is going to go away anytime soon,” said Michael Phillips, co-chairman of the Ransomware Task Force, a group of industry, government and academic experts that in April produced a set of recommendations for the Biden administration on combating ransomware. “People want to know that the U.S. government can protect them from these kinds of attacks.”
After the Colonial Pipeline attack last month, Biden launched an initiative to address the dangers of ransomware, including the creation of a global coalition to hold countries that shelter ransomware criminals accountable. The spadework for that began shortly after Biden took office, and the initiative complements an executive order he signed last month to shore up the federal government’s digital defenses, an effort the administration hopes will spur the private sector to bolster its own cybersecurity.
One of the strategy’s most significant elements is to remove the cloak of anonymity around the digital ransoms victims pay, to crack down on the criminals. The ransoms can run into the millions of dollars — Colonial Pipeline paid $4.4 million last month to a Russia-based group — paid out in cryptocurrencies like bitcoin.
These digital currencies run on a global network of computers that no central bank controls. Users record their transactions directly on a public digital ledger, with no middleman brokering the transfer, under pseudonymous addresses rather than real-world identities: the payments themselves are visible to anyone, but the person behind an address is not. The cryptocurrency exchanges that convert the digital tokens into actual cash are where an address can be tied to a person, and if they operate outside the United States, they often aren’t required to follow the same anti-money-laundering laws that govern U.S. exchanges and banks.
What the White House wants to do, a senior administration official said in an interview Friday, is work with an international coalition of governments to compel cryptocurrency exchanges operating offshore to report suspicious transactions, including the identities of the parties.
“I can’t underscore enough how that cryptocurrency line of effort is key,” said the official, who spoke on the condition of anonymity to discuss an ongoing review.
The growth of unregulated cryptocurrency, the official said, is “what’s driven the growth of ransomware.”
The White House would like to see an international standard, similar to the United States’ “know your customer” rules, under which financial institutions must verify who their customers are and report large or suspicious transactions to the Treasury Department. “There are cryptocurrency exchanges all around the world, and we want to ensure that there’s a common threshold of ‘know your customer’ rules, which are in place and implemented so there aren’t places to hide funds,” the official said.
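The idea behind this line of effort can be made concrete with a small illustration that is not part of the original article. The Python below runs over a constructed, entirely made-up set of ledger transactions: it follows the funds paid to a ransom address through pseudonymous hops to the deposit addresses of two exchanges, applies a hypothetical reporting threshold, and then shows that only an exchange holding customer records can turn an address into a name. The ledger, the addresses, the KYC file and the threshold are all invented for the example; nothing here is drawn from a real blockchain or a real exchange.

```python
"""Toy illustration of following ransom payments on a public ledger.

All data below is constructed for the example. The ledger uses a simplified
model: each transaction spends from a list of addresses and pays a list of
(address, amount) outputs. Addresses are pseudonyms; the ledger never carries
a real-world identity. Only the exchange's own customer file (also made up)
links an address to a person.
"""
from collections import deque

# Constructed ledger: txid -> {"inputs": [addresses], "outputs": [(address, amount)]}
LEDGER = {
    "tx_ransom":    {"inputs": ["victim_addr"],  "outputs": [("attacker_1", 75.0)]},
    "tx_split":     {"inputs": ["attacker_1"],   "outputs": [("hop_a", 40.0), ("hop_b", 35.0)]},
    "tx_hop_a":     {"inputs": ["hop_a"],        "outputs": [("exchange_dep_1", 39.9)]},
    "tx_hop_b":     {"inputs": ["hop_b"],        "outputs": [("offshore_dep_1", 35.0)]},
    "tx_unrelated": {"inputs": ["someone_else"], "outputs": [("exchange_dep_2", 5.0)]},
}

# Constructed: deposit addresses known to belong to exchanges. The offshore
# venue has no customer file, standing in for an exchange outside KYC rules.
EXCHANGE_ADDRESSES = {"exchange_dep_1", "exchange_dep_2", "offshore_dep_1"}
KYC_RECORDS = {
    "exchange_dep_1": "account 4471 (identity verified)",
    "exchange_dep_2": "account 9120 (identity verified)",
}
REPORT_THRESHOLD = 10.0  # hypothetical reporting threshold, in ledger units


def build_spend_index(ledger):
    """Map each address to the transactions that later spend funds out of it."""
    index = {}
    for txid, tx in ledger.items():
        for addr in tx["inputs"]:
            index.setdefault(addr, []).append(txid)
    return index


def trace_funds(ledger, start_txid):
    """Breadth-first walk from a transaction's outputs through every later spend.

    Returns {address: [txids on the path that reached it]}. The walk yields
    only addresses, never people: that gap is the anonymity the text describes.
    """
    spends = build_spend_index(ledger)
    reached = {}
    seen_tx = {start_txid}
    queue = deque([(start_txid, [start_txid])])
    while queue:
        txid, path = queue.popleft()
        for addr, _amount in ledger[txid]["outputs"]:
            reached.setdefault(addr, path)
            for next_tx in spends.get(addr, []):
                if next_tx not in seen_tx:
                    seen_tx.add(next_tx)
                    queue.append((next_tx, path + [next_tx]))
    return reached


def reportable_exchange_deposits(ledger, start_txid, exchange_addresses, threshold):
    """Exchange deposits funded from start_txid whose amount meets the threshold.

    Returns a sorted list of (deposit_address, amount, path_of_txids).
    """
    hits = []
    for addr, path in trace_funds(ledger, start_txid).items():
        if addr not in exchange_addresses:
            continue
        paying_tx = ledger[path[-1]]  # the traced transaction that paid this address
        amount = sum(amt for out_addr, amt in paying_tx["outputs"] if out_addr == addr)
        if amount >= threshold:
            hits.append((addr, amount, path))
    return sorted(hits)


def attribute_deposits(hits, kyc_records):
    """Join traced deposits to the exchange's customer file, if it keeps one."""
    return {
        addr: kyc_records.get(addr, "no customer record (exchange outside KYC rules)")
        for addr, _amount, _path in hits
    }


if __name__ == "__main__":
    hits = reportable_exchange_deposits(LEDGER, "tx_ransom", EXCHANGE_ADDRESSES, REPORT_THRESHOLD)
    for addr, amount, path in hits:
        print(f"{addr}: {amount} via {' -> '.join(path)}")
    for addr, who in attribute_deposits(hits, KYC_RECORDS).items():
        print(f"{addr} -> {who}")
```

Run stand-alone, the script reports two exchange deposits traced back to the ransom payment and excludes the unrelated deposit at exchange_dep_2. The regulated venue resolves to an account holder; the offshore venue resolves to nothing, which is the gap the proposed common threshold of customer-identification rules is meant to close.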
“This is exactly the signal that needs to be sent to the ransomware criminals,” said Philip Reiner, executive director of the Ransomware Task Force and chief executive of the Institute for Security and Technology. “The status quo is over. We’re not going to approach this in the same way anymore.”
Right now, criminal hacker groups operate with near impunity. Many of the ransomware rings are based in Russia or Eastern Europe, and countries like Russia ignore their activities as long as they don’t target companies, people or government agencies inside their borders. The hackers lurk in the shadows of the Internet and exploit the anonymity that cryptocurrency affords, officials and experts say.
“I almost feel like it’s ‘bring it on, bro,’” said Rick Holland, chief information security officer at the digital risk protection firm Digital Shadows, making the point that the hackers don’t fear being caught by U.S. authorities.
Indeed, criminal ransomware rings have made clear that they don’t intend to slink away in the face of the U.S. government’s ramped-up efforts. “We will work harder, harder and harder,” said one ransomware hacker, who goes by the handle UNKN, or Unknown, and who belongs to one of the largest ransomware extortion groups, REvil.
Potential U.S. government efforts “will not affect our work in any way,” UNKN told cybersecurity blogger Sergey R3dhunt, according to a translation posted on Twitter by Recorded Future cyberthreat researcher Dmitry Smilyanets.
Kremlin spokesman Dmitry Peskov told the state RIA news agency that hackers exist in every country in the world. Russia has previously denied that state-sponsored hackers launched cyberespionage campaigns against U.S. institutions.
Putin told state television that reports about ransomware attacks by Russia-based hackers on Colonial and JBS, the meat processor, are “nonsense.” Said Putin: “It’s just laughable.” He said the reports were an attempt to “provoke some new conflicts before our meeting with Biden.”
Another major element of the White House ransomware review will be to determine what the government’s formal ransomware policy should be, the official said. The FBI’s guidance has long been for victims not to pay ransoms. But, bureau officials note, in the end it is up to the company or organization. When a CEO is facing the prospect of closing a business, or a hospital might need to cut critical services that keep patients alive, the dilemma is acute.
“We’re sympathetic to companies who say, ‘Look, we’ve got to recover our business operations,’ but on the other hand, [ransom payments are] what fuels the growth of it,” the official said.
The federal government’s efforts began before last month’s pipeline attack. The Justice Department in April created a task force to disrupt the criminal ecosystem that fuels ransomware attacks. On Thursday, Deputy Attorney General Lisa Monaco issued a memo directing all federal prosecutors to inform Justice Department headquarters of ransomware cases.
The directive, Monaco wrote, was meant to ensure that the department has a “comprehensive picture” of the national and economic security threats. “We need to have a national picture, and we need to bring all of our tools to bear,” she said on CNBC.
In January, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency kicked off a campaign to prod public and private-sector organizations to adopt measures to reduce their risk of being victimized by ransomware. And in 2019, CISA launched a similar initiative to encourage state and local officials to secure election infrastructure against ransomware attacks.
Last fall, in the weeks before the presidential election, U.S. Cyber Command, the military’s cyberattack force, temporarily disrupted one of the world’s largest botnets — Trickbot, an army of at least 1 million hijacked computers run by Russian-speaking criminals. Trickbot was often used to launch ransomware attacks, and officials feared it might disrupt the election.
Last month, in the wake of the pipeline attack, Biden refrained from blaming the Kremlin but said that “we do have strong reason to believe that criminals who did the attack are living in Russia.” He added, “We have been in direct communication with Moscow about the imperative for responsible countries to take decisive action against these ransomware networks.”
On Friday, Psaki repeated that Biden would confront Putin with cyber issues, including a major Russian espionage campaign dubbed SolarWinds, after the software vendor whose update mechanism was compromised, which reached nine federal agencies and 100 private-sector firms, as well as the ransomware attacks. “There is no doubt President Biden will be raising that directly in that conversation,” she said.
But administration officials privately sought to lower expectations of any major breakthroughs given the tense relationship between Washington and Moscow.
The stepped-up government attention mirrors a growing sense of concern in the private sector, said Michael Daniel, president and chief executive of the Cyber Threat Alliance and the top cyber official in the Obama White House.
“Ransomware has moved from an economic nuisance to a national security and public health and safety threat,” he said. “So we need to treat it commensurately. That means stepped-up efforts by both the government and the private sector.”
Matt Zapotosky contributed to this report.
An earlier version of this article misstated when President Biden will meet with Russian President Vladimir Putin. This version has been corrected.