DOJ, FBI need better metrics for tracking ransomware disruption efforts, audit finds

The Justice Department and FBI need to redefine what counts as success in fighting the scourge of ransomware, a new internal audit recommends.

In the 26-page audit released Tuesday, Department of Justice (DOJ) Inspector General Michael Horowitz outlined the department’s actions related to ransomware from April 2021 to September 2023. The report also takes into consideration the takedown of LockBit, which took place in early 2024. 

The inquiry found three areas the DOJ and FBI need to improve on to more effectively fight ransomware. 

The Justice Department needs a better way “to determine what metrics for the ransomware threat, including metrics tracking disruption efforts, are most impactful, and which demonstrate the effectiveness of its actions to combat the ransomware threat.”

Documents examined by the investigators found that “success” at the Justice Department in relation to ransomware is based on increasing the percentage of reported ransomware incidents “where cases are opened, added to existing cases, resolved or action was taken within 72 hours to 65 percent.”

The FBI said action was taken within 72 hours in 47% of ransomware incidents, an improvement on the 39% for 2022. 

The FBI and DOJ also sought to increase the number of seizures or forfeitures in ransomware matters by 10 percent in 2022 and 2023. 

“We believe the Department’s existing metrics for ransomware do not capture the effectiveness of its disruptive activities against malicious actors,” the investigators said. 

“Regardless of whether the Department maintains ransomware as a priority goal, it should determine which metrics are most impactful to ensure they capture the effectiveness of its actions to combat the ransomware threat.”

The report lauds the DOJ and FBI for several infrastructure takedowns involving ransomware gangs like LockBit, Hive and AlphV — which allowed them to distribute hundreds of decryption keys to current and past victims. The FBI specifically has developed a strategy centered on targeting the actors, infrastructure, and finances that comprise and enable the ransomware ecosystem. 

The investigators said they believed ransomware disruptions — including the number of disruptions and the number of decryptor keys provided to victims — should be tracked by the DOJ as important metrics of success.

But according to the audit the Justice Department has not published an action plan around ransomware for the next two-year period nor reported any progress over the previous two fiscal years on performance.gov, as required.

Horowitz and his team also found that specific ransomware investigations have been mired in infighting between different law enforcement agencies that often decline to share information with each other. 

The “failure to coordinate and deconflict can damage investigations, prosecutions, and relationships that are critical to law enforcement; waste resources; and undermine public safety, national security, and confidence in the Department,” they said. 

FBI officials told investigators there have been instances where federal prosecutors overseeing two related ransomware cases “did not share information as the deconfliction policy intended, and a Criminal Division Official told us United States Attorney’s Offices differed as to their awareness and implementation of the policy.”

The audit also says the FBI needs to create a more clear, concrete mission for the National Cyber Investigative Joint Task Force (NCIJTF) Criminal Mission Center, which it leads. 

That task force, which was responsible for coordinating whole-of-government ransomware plans in 2021 and 2022, was left in limbo when Congress created the new multi-agency Joint Ransomware Task Force (JRTF) in 2022. 

The report found that the NCIJTF “did not produce meaningful outcomes in combatting ransomware” once the other task force  was created.

“We found that the creation of the Joint Ransomware Task Force impacted the role of the Criminal Mission Center, leaving its ransomware role not well defined,” Horowitz said. 

Bradley Weinsheimer, associate deputy attorney general, sent a letter in response to the report concurring with the findings and pledging to work on the issues. 

FBI Assistant Director of the Cyber Division Bryan Vorndran similarly agreed with the recommendations and said the FBI would better define the role of the National Cyber Investigative Joint Task Force.