US finds its ‘center of gravity’ in the fight against ransomware
Momentum is building around a recently created Biden administration task force meant to unite the federal government in a common purpose: stem the tide of ransomware attacks that has flooded the country.
The Joint Ransomware Task Force, established as part of the landmark incident reporting legislation signed into law by President Joe Biden earlier this year, held its second meeting on Wednesday and unveiled a series of working groups focused on specific areas of the digital epidemic — the most concrete action taken to date by the work-in-progress group.
“Broadly, success needs to look like reduced impacts from ransomware intrusions affecting American organizations. That's why we are here,” Eric Goldstein, executive assistant director for cybersecurity at the Cybersecurity and Infrastructure Security Agency (CISA), told The Record last Friday during an interview.
“That is the end state that we are trying to achieve: where we are not having K-12 schools and hospitals impacted by ransomware in a way that is really potentially causing harm to too many Americans' lives,” he added.
Goldstein and Bryan Vorndran, the head of the FBI’s Cyber Division, serve as the co-chairs of the interagency group that lawmakers believed was necessary to streamline the government’s efforts to disrupt the cybercriminals behind ransomware attacks and better coordinate the fight between federal, state and local governments, as well as the private sector.
“I would look at the Joint Ransomware Task Force as a center of gravity for purposes of prioritization and aligning resources against a common problem,” Vorndran said last week during the same sit-down interview at FBI headquarters in Washington, noting officials need to identify what should take precedence, be it malware developers, infrastructure providers or financial transactions.
“That becomes a pretty complex process pretty quickly.”
The group’s creation adds to other high-profile steps the administration has taken to lessen the impact of widespread malware, including standing up Stop Ransomware, the government's first unified site for ransomware information, and launching the global Counter Ransomware Initiative.
Yet the threat remains pervasive.
Nearly 2,500 organizations have had their data released on extortion sites run by ransomware groups in 2022, according to data collected by Recorded Future. Vulnerable organizations have been hit particularly hard — 210 health care companies and 158 school systems have been hit by ransomware over the last year, according to the data, which is collected from extortion sites, government agencies, news reports, hacking forums, and other sources.
A reduction in ransomware attacks is one “metric” the task force will track to determine if its efforts are being successful, “but we will also know if we're being effective if we see the adversary move,” according to Vorndran. For instance, the group will track if a hacking group shifts its tactics, techniques and procedures away from traditional encryption and data exfiltration events toward a more narrow focus on extortion.
Vorndran noted officials are beginning to see “slight movement” among actors in that direction, but declined to characterize it as an overall trend.
Recent attacks by the notorious criminal group Lapsus$ on tech giants like Samsung and Uber were extortion-only schemes. Earlier this year, CISA, FBI and the Treasury Department said victims of data extortion group Karakurt had not reported encryption of compromised systems, but instead were told their stolen information would be auctioned off unless a ransom was paid.
Goldstein said the discourse around ransomware groups and cybercriminals paints them as “abstractions,” when they are actually “individuals and groups with bosses and budgets and priorities.”
“The more that we can work together to increase their marginal costs for a given intrusion attempt, whether through better cybersecurity and cyber defense” publicly preached by CISA — like adopting phishing resistant, multifactor authentication for all accounts and assets — or through work by the FBI or other agencies to “impose costs on those actors through their infrastructure, their financial flows, or as individuals, that is going to change their cost calculus.”
The new working groups reflect how multi-faceted the effort is, with entities working on topics like victim support, intelligence integration and partner engagement.
Still, Vorndran warned, the nascent task force will “face a lot of significant barriers to truly conquering the adversary,” such as how quickly actors can move through cyberspace.
“The policies, the laws, the regulations that we all face, they do not face,” he said, adding faster, real-time intelligence sharing with the private sector could help close the gap.
Goldstein highlighted that CISA’s work for the interagency group will be executed through the Joint Cyber Defense Collaborative, its public-private coordination hub where both sides can swap information about threats they see.
Lawmakers have sounded the alarm over the threat posed by ransomware — especially after major attacks such as the ones on Colonial Pipeline, JBS Foods and Kaseya — and put their support behind the task force.
Senate Homeland Security Committee Chair Gary Peters (D-Mich.), who co-authored the cyber incident reporting legislation that created the team, described it as an “additional effort” in the battle against ransomware.
“We've got to try to be working on it from many different angles and I think this is an important step,” he told The Record. “It's definitely an important, big problem that we’ve got to get our hands around.”
Peters, who is set to retain his gavel in the next Congress, urged the FBI and CISA to be “thoughtful” as they build out the new enterprise.
“They're moving forward, which is a good thing.”
Martin Matishak is a senior cybersecurity reporter for The Record. He spent the last five years at Politico, where he covered Congress, the Pentagon and the U.S. intelligence community and was a driving force behind the publication's cybersecurity newsletter.