Biden Administration announces flurry of new anti-ransomware efforts

Under pressure to halt ongoing and highly damaging ransomware attacks from Russian criminal groups, the Biden administration yesterday announced a flurry of defensive initiatives to deal with the crisis. These announcements come one week after President Biden issued a stark warning to Russian President Vladimir Putin to deal with the ransomware threat groups in his country or else the US will take action to dismantle the threat.

First, the State Department announced that its Rewards for Justice program, which the Diplomatic Security Service administers, will give a $10 million reward to anyone offering information that leads to identifying state-sponsored threat actors. Specifically, rewards will be given to those who supply information that leads to the “identification or location of any person who, while acting at the direction or under the control of a foreign government, participates in malicious cyber activities against US critical infrastructure in violation of the Computer Fraud and Abuse Act (CFAA).”

The Rewards for Justice (RFJ) program has set up a Tor-based dark web reporting site to protect the safety and security of potential sources. Additionally, the RFJ program works with interagency partners to enable the rapid processing of information and the possible relocation of and payment to sources.

Second, the Treasury Department’s Financial Crimes Enforcement Network (FinCEN) announced it would convene a FinCEN Exchange in August 2021 focused on ransomware concerns. The Exchange will be composed of financial institutions, other key industry stakeholders, and federal government agencies. The goal of the meeting is to inform FinCEN’s next steps in addressing ransomware payments.

The announcement stops short of saying that the new group would examine how to disrupt payments to ransomware actors, one widely touted solution to the ransomware problem. FinCEN’s Acting Director Michael Mosier said that “since this extortion threatens our collective safety, it is critical that we collaboratively gather to confront this threat together and determine the best way to increase our collective resilience to these malicious attacks.”

Further, the Department of Justice and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) announced the launch of a new educational website focused on ransomware called StopRansomware.gov. CISA’s newly installed leader Jen Easterly called the site “a new one-stop location with tools and resources for organizations of all sizes today.”

White House inter-agency task force will coordinate ransomware measures

The White House has formed a previously unannounced inter-agency government task force to coordinate government measures against ransomware. According to reports, the task force oversees efforts to create more resilient federal networks, halt ransomware payments to threat actors, and coordinate with US allies. The group is also tracking efforts of the anti-ransomware initiatives.

The White House ransomware task force differs from the ransomware task force formed by the Institute of Security and Technology (IST) earlier this year. That task force, representing more than 60 public and private organizations, also includes government agencies such as the FBI, CISA, and the Secret Service.

The Administration has seemingly only just started with its multi-pronged approach to tackling ransomware. White House officials have said they are also exploring partnerships with cyber insurance companies and critical infrastructure players so that the government can receive more information about ransomware attacks.

New initiatives take place against the backdrop of ongoing US-Russia talks

These developments are taking place even as an informal US-Russian working group meets to hammer out a solution to the problem. The latest meeting of the working group was on Wednesday.

Those talks are “part of the ongoing engagement that has been occurring at the expert level since the President met with [Russian] President Vladimir Putin,” White House press spokesperson Jen Psaki said during a press briefing Thursday. “No one meeting is necessarily decisive. It’s about having a continued discussion about our expectations and the steps that need to be taken to address ransomware attacks and cyberattacks.”

One missing component from the Administration’s announcements is a clear and specific articulation of the need for the US to collaborate with other nations in taking down ransomware actors. Earlier this week, INTERPOL’s Secretary General Jürgen Stock said during a speech at the INTERPOL High-Level Forum on Ransomware that although individual nations are working to curb ransomware, effective solutions require international collaboration on the level used to fight terrorism and human trafficking. “Despite the severity of their crimes, ransomware criminals are continuously adapting their tactics, operating free of borders and with near impunity,” he said.

First small steps on a long road

Reaction to the spate of initiatives seems cautiously optimistic. Senator Angus King (I-ME), the co-chair of the congressionally chartered Cyberspace Solarium Commission, said on Twitter he’s impressed with the Administration’s approach, but more work is needed. “I’ve been impressed by the Administration’s steps to address ransomware, starting with [President Biden] confronting Putin to hammer home that attacks on US networks will bring a response. There’s much more work to do, but we’re headed in the right direction.”

Megan Stifel, global policy officer and capacity and resilience program director with the Global Cyber Alliance and co-chair of IST’s ransomware task force, likewise praises the White House efforts but thinks more action is required. “I think these are strong first steps,” she tells CSO. “Some of the resources that were made available today, particularly Stopransomware.gov, make more accessible the steps that particularly vulnerable users can take.”

Matthew Rojansky, director of the Wilson Center’s Kennan Institute, concurs with Stifel. “These are the first small steps on a long road,” he tells CSO. “As a defensive measure, we as a country are trying to turn the tide on this.”

Broader, global toolkit needed but is years away

Rojansky agrees with INTERPOL’s Stock that a global response to ransomware is necessary for the long run. “We are going to need a better, broader global tool kit for dealing with the problem of ransomware,” he says. “One could argue that it’s not that different from any other kind of global criminal activity. We’ve had to deal with trafficking, we’ve had to deal with terrorism, we’ve had to deal with all kinds of global bad actors.”

However, the kind of collective, multilateral action needed to address cybersecurity is a very long-term proposition. “These things take years and years to come together,” Rojanksy says. “I’m not overly optimistic that’s our go-to resource.

More emphasis on robust security practices needed

Shawn Kanady, director of threat fusion and hunt at Trustwave SpiderLabs, wishes the White House would emphasize the need for more robust security practices as a first-line defense against ransomware attackers. “There isn’t anything that is terribly novel in how ransomware is deployed,” he tells CSO. “Unfortunately, it has been too easy for attackers to infiltrate companies. There are too many sectors that are using legacy solutions and architecture and are not able to react quick enough, let alone be proactive in their cybersecurity approach.”

Kanady is also skeptical of the State Department’s $10 million rewards. “I think this is a good-faith effort in getting information, but I would be curious to know how well this has worked historically as it relates to cybercrime. Shadow operations and undercover cyber ops are probably the way to get to the source of who the attackers really are and how they operate.”