The infamous Colonial Pipeline ransomware attack ended up being a win for the good guys. In June 2021, the Department of Justice (DOJ) announced it had seized millions in cryptocurrency that had been paid to the criminal collective DarkSide. Although the attack resulted in a brief shutdown of the pipeline, the DOJ’s long saber of justice brought DarkSide to the light. As Deputy Attorney General Lisa Monaco put it, “Today, we turned the tables on DarkSide.”
She then outlined a key element of the DOJ’s approach. “By going after the entire ecosystem that fuels ransomware and digital extortion attacks, including criminal proceeds in the form of digital currency, we will continue to use all of our tools and all of our resources to increase the cost and the consequences of ransomware attacks and other cyber-enabled attacks.”
The DOJ Takes Down RaidForums
This kind of comprehensive, all-hands-on-deck approach has been a staple of the DOJ’s range of cybersecurity initiatives. For example, in April 2022, the department seized control of RaidForums, a popular website for hackers looking to buy and sell stolen credit cards and other financial information, including login credentials, social security numbers, and bank routing and account numbers.
Kenneth Polite, Assistant Attorney General of the DOJ’s criminal division, explained the strategy behind the seizure: “The takedown of this online market for the resale of hacked or stolen data disrupts one of the major ways cybercriminals profit from the large-scale theft of sensitive personal and financial information.”
These two initiatives demonstrate a core element of the DOJ’s approach to striking back against ransomware criminals to give IT teams, executives, and regular citizens a new hope: Hit them where it hurts by putting structures in place to reverse ransomware profits.
The DOJ’s Role in Containing Ransomware
There are numerous cybersecurity companies hard at work developing technologies and beefing up their threat intel systems to stop ransomware hackers, but the DOJ has taken the lead in containing this threat. The benefits are two-fold: Organizations that play a critical role in the economy get protection, and so does the United States government, as well as its allies.
To deliver on its mission, the DOJ has combined efforts with cybersecurity officials from a variety of countries, sharing information and teaming up to bring down ransomware attackers. This has made it harder for criminals, no matter where they’re hiding, to conceal the money they steal.
Another key element of the DOJ’s approach has been infiltrating hacker sites on the dark web. This produces multiple strategic benefits:
- DOJ officials can gain inside intel into the operations of cybercriminals
- The DOJ can track down payments made using the dark web
- They can infiltrate the underground markets attackers use to peddle stolen sensitive information and data
Further, by slipping into dark websites, the DOJ and its partners are able to track down some of the key ransomware players—big and small—that make the cybercriminal system work. In this way, the DOJ can be a genuinely disruptive force for organized cybercrime.
Recent Initiatives by Governments and the DOJ Against Ransomware
Some of the recent initiatives the DOJ and partner governments have undertaken to break the hold of ransomware criminals on businesses around the world include:
1. Publication of the Cybersecurity Maturity Model Certification
The Department of Defense (DoD) launched what’s known as CMMC 2.0 (Cybersecurity Maturity Model Certification), which includes a framework designed to safeguard defense contractors from cyberattacks. It outlines a set of requirements that make it easier for businesses, regardless of size, to gain the upper hand on ransomware attackers and other cybercriminals.
In addition, CMMC 2.0 lays out the DoD’s priorities for protecting sensitive information. This streamlines the process of identifying the data an organization needs to protect, as well as how to safeguard it. Using CMMC 2.0, a company essentially removes the guesswork regarding the most effective way to address cybersecurity issues.
CMMC 2.0 is both practical and symbolic. It cements the partnership between the Department of Defense and the companies providing the weapons and technology that protect the U.S. In effect, CMMC 2.0 sends a message to industry leaders that they’re not alone, while simultaneously enlisting their support in tightening cyber defense measures.
2. Cybersecurity Executive Order Announcement
President Biden’s May 2021 cybersecurity executive order provides an aggressive, forward-thinking set of guidelines that help organizations assume an active posture against ransomware on multiple fronts. It has seven core components:
- Make sharing threat information between the private sector and the government easier
- Modernize and implement more robust cybersecurity standards within the federal government
- Make improvements to the software supply chain. This includes establishing baseline security standards for software developed for and sold to the U.S. government
- Establish a cybersecurity safety review board that combines experts from both the government and the private sector
- Create a playbook that streamlines cybersecurity incident response. This is designed to help federal agencies consistently identify and mitigate threats
- Improve the ways agencies detect incidents that impact federal government networks by establishing a government-wide endpoint detection and response (EDR) capability
- Improve investigation and remediation effectiveness by establishing a consistent set of requirements for logging cyber events for federal agencies
3. Zero-Trust Cybersecurity Pilot Projects
Zero-trust cybersecurity principles play a pivotal role in defending digital infrastructure from ransomware attacks because they treat every person, device, network, and application as untrusted until it is verified. Nickolous Ward, the chief information security officer for the DOJ, announced at the Fortinet Security Transformation Summit that the department was launching as many as 10 projects with different vendors that focus on zero-trust architectures.
This was done in response to a dramatic expansion of the DOJ’s attack surface as it consolidated over 100 data centers and transitioned about 60 services to the cloud. The goal was to provide quick, decisive protections. Mr. Ward explained, “If we can’t take an action within 15 minutes, a good nation-state actor is already hopping to other systems.”
4. Australian Government’s Critical Infrastructure Uplift Program
In a move that, in many ways, parallels President Biden’s cybersecurity executive order, the Australian government introduced its Critical Infrastructure Uplift Program (CI-UP)—also in May 2021. It’s driven by the same principle that powered the Biden administration’s initiative: take an aggressive stance against cybercrime while providing tools to support the efforts of those doing the work.
Specifically, CI-UP incorporates systems built for:
- Evaluating the cybersecurity maturity of critical systems and infrastructure that directly impact Australia
- Delivering risk mitigation and vulnerability strategies, prioritized in a way that makes it easier to understand which steps should be implemented, when, and why
- Assisting partners of the Australian government in their risk mitigation endeavors
Another similarity between CI-UP and the Biden administration’s executive order is the way it systematically builds a bridge between industry leaders and the government. Those that participate can benefit from:
- Threat briefings
- Cybersecurity exercises
- Products and tools that alert them to attacks, making them easier to mitigate
- Threat-hunting services
- The Cyber Hygiene Improvement Program (CHIP), which helps organizations strengthen their cybersecurity posture through system-wide safety protocols
5. Spanish Government’s €450 Million Commitment to the Cybersecurity Industry
The Spanish government put its money where its mouth was in September 2021 when it chose to invest more than €450 million over the course of three years to boost the cybersecurity industry. The investment was made to support its Strategic Plan 2021-2025, which aligns with two pre-established initiatives: Digital Spain 2025 and the Recovery, Transformation, and Resilience Plan.
Their approach was built around three pillars:
- Boosting Spain’s cybersecurity business ecosystem and attracting talent
- Strengthening the cybersecurity of businesses and citizens
- Making Spain an international hub of cybersecurity
The plan specifically aims to strengthen the security posture of small and medium-sized enterprises (SMEs), because these have been regular targets for criminals. In this way, Spain, like the DOJ, is creating a rising tide that can lift all ships.
How Is the DOJ Responsible for National Cybersecurity?
The DOJ has put the responsibility for defending the nation’s cyberinfrastructure on its own shoulders, doing so in a way that seeks to unify the efforts of disparate organizations—both public and private. In this way, the department corrals resources, focusing the efforts of internal and external experts in the battle against ransomware.
A core tenet of the department’s approach involves giving law enforcement officials the tools they need to bring down cybercriminals while also protecting the privacy of American citizens. This involves a delicate dance. While the DOJ has to go after offenders, its systems are designed to do so without impinging on privacy rights guaranteed by the Fourth Amendment of the United States Constitution.
The DOJ Captains a Team Effort Against Cybercrime
The DOJ’s initiatives are being supported by both the U.S. government and leading cybersecurity companies. For example, Cisco, Fortinet, and Palo Alto Networks have developed security measures that intentionally align with the government’s cybersecurity frameworks, providing solutions to government agencies and to companies that want to be as aggressive as the DOJ in their own efforts. By combining forces and developing a shared playbook, the DOJ and its partners are presenting a unified front against ransomware attackers.