How the FBI and CISA look to mature the government’s top ransomware task force
Nearly two years after its creation, a task force meant to streamline federal efforts to combat ransomware hopes to further cement how the government handles key aspects of such attacks and do a better job trumpeting its contributions to the broader fight.
The goals mark what the leaders of the Joint Ransomware Task Force, co-led by the Cybersecurity and Infrastructure Security Agency (CISA) and the FBI, see as the natural evolution of the organization as its various working groups begin to bear fruit and it looks at better ways to raise awareness of its efforts.
“What we're trying to build through the JRTF is really a collaborative cycle in which we are identifying the ransomware groups” and how they target U.S. critical infrastructure and businesses, Eric Goldstein, CISA’s executive assistant director for cybersecurity, said during a recent interview.
That data can then be used to “drive a whole of government, and in fact a whole of society response, such that CISA can use that information to notify possible victims before incidents happen.”
“We can improve our guidance to drive attention towards the mitigations that are actually most effective against the intrusions that we're seeing” and then tap other federal entities, like the State and Treasury departments, to take action, according to Goldstein.
The task force was established in 2022 as part of incident reporting legislation to bring together the full breadth of federal authorities and resources to better disrupt malicious activity and coordinate operations with state and local governments and the private sector.
While the group has stayed under the radar compared to other coordinating bodies, such as the Cyber Safety Review Board and the Joint Cyber Defense Collaborative, its work has helped government agencies, critical infrastructure operators, and others stay secure.
For instance, CISA’s Ransomware Vulnerability Warning Pilot Program, which the JRTF coordinates, has informed over 1,700 entities that they use software with common bugs that cybercrime groups exploit. Meanwhile, through its oversight of CISA’s pre-ransomware notification efforts, more than 1,200 victims were alerted in the calendar year, and it re-issued guidelines to help organizations protect themselves against such attacks.
Additionally, the task force has been involved in decisions to sanction ransomware gangs like Conti and TrickBot, according to Bryan Vorndran, the head of the FBI’s Cyber Division who co-chairs the group with Goldstein.
He also noted they are working on a task force seal, for branding purposes, that will begin appearing on future cybersecurity advisories the two entities publish along with other federal components.
Still, there have been challenges along the way.
On a larger level, ransomware incidents continue to rage across the country. Despite efforts from a wide range of government agencies, attacks continue to escalate, according to data collected by Recorded Future. There were about 4,300 publicly known ransomware attacks in 2023, compared to 2,600 the year prior.
In terms of the JRTF itself, last year the chair of its External Partners Working Group, one of three created to tackle specific facets of ransomware, left CISA and was temporarily replaced by contractors — a move that upset some in the digital research community.
Vorndran acknowledged the criticism but highlighted how much the FBI has worked with the private sector and others to combat illicit operators, like in the case of Hive ransomware where the bureau shared its decryption capability months before it moved to disrupt the criminal enterprise.
“That model of early sharing of unique technical intelligence or unique technical capability, prior to disruption is directly derivative of that external partners working group,” he said.
Overall, Vorndran stressed the task force had “moved to a model trying to share as much as possible in those trusted circles — to include the partners in the JRTF — so that we can provide relief to victims and provide unique intelligence to some of those organizations to harden their systems.”
He also emphasized how hard the bureau and CISA are working on victim notification.
“I'm very, very comfortable that the bureau and CISA are on a tremendously positive glide path. But I just want to continue to see more evolution and more maturity to really pursue perfection.”
Goldstein added that there will also be “significant” attention on measurement, a nod to the fact that federal officials don’t have a firm grasp on the scope of the ransomware epidemic because only about 20 percent of incidents are reported to the government.
Both men predicted a cyber incident reporting mandate for critical infrastructure companies, the initial draft of which is expected to be published next month, would help the task force gain a better understanding of the scale of the problem — though the final rule won’t be in place until sometime in 2025.
“Right now we are at a tremendous data deficit because we simply don't see the breadth of intrusions that are impacting American organizations,” according to Goldstein.
“That is going to be substantially remedied once” reporting is in effect, he said.
Martin Matishak is the senior cybersecurity reporter for The Record. Prior to joining Recorded Future News in 2021, he spent more than five years at Politico, where he covered digital and national security developments across Capitol Hill, the Pentagon and the U.S. intelligence community. He previously was a reporter at The Hill, National Journal Group and Inside Washington Publishers.