This week the National Security Council is facilitating an international counter-ransomware event with over 30 partners to accelerate cooperation on improving network resilience, addressing the financial systems that make ransomware profitable, disrupting the ransomware ecosystem via law enforcement collaboration, and leveraging the tools of diplomacy to address safe harbors and improve partner capacity.
Ransomware incidents have disrupted critical services and businesses worldwide – schools, banks, government offices, emergency services, hospitals, energy companies, transportation, and food companies have all been affected. Ransomware attackers have targeted organizations of all sizes, regardless of where they are located. The global economic losses from ransomware are significant. Ransomware payments reached over $400 million globally in 2020, and topped $81 million in the first quarter of 2021, illustrating the financially driven nature of these activities.
The Biden Administration has pursued a focused, integrated effort to counter the threat. Yet, government action alone is not enough. The Administration has called on the private sector, which owns and operates the majority of U.S. critical infrastructure, to modernize their cyber defenses to meet the threat of ransomware. The Administration has announced specific efforts to encourage resilience, including voluntary cyber performance goals, classified threat briefings for critical infrastructure executives and the Industrial Control Systems Cybersecurity Initiative. And, the Administration has stepped up to lead international efforts to fight ransomware. International partnership is key since transnational criminal organizations are often the perpetrators of ransomware crimes, leveraging global infrastructure and money laundering networks to carry out their attacks.
The Administration’s counter-ransomware efforts are organized along four lines of effort:
- Disrupt Ransomware Infrastructure and Actors: The Administration is bringing the full weight of U.S. government capabilities to disrupt ransomware actors, facilitators, networks and financial infrastructure;
- Bolster Resilience to Withstand Ransomware Attacks: The Administration has called on the private sector to step up its investment and focus on cyber defenses to meet the threat. The Administration has also outlined the expected cybersecurity thresholds for critical infrastructure and introduced cybersecurity requirements for transportation critical infrastructure;
- Address the Abuse of Virtual Currency to Launder Ransom Payments: Virtual currency is subject to the same Anti-Money Laundering and Countering the Financing of Terrorism (AML/CFT) controls that are applied to fiat currency, and those controls and laws must be enforced. The Administration is leveraging existing capabilities, and acquiring innovative capabilities, to trace and interdict ransomware proceeds; and
- Leverage International Cooperation to Disrupt the Ransomware Ecosystem and Address Safe Harbors for Ransomware Criminals: Responsible states do not permit criminals to operate with impunity from within their borders. We are working with international partners to disrupt ransomware networks and improve partner capacity for detecting and responding to such activity within their own borders, including imposing consequences and holding accountable those states that allow criminals to operate from within their jurisdictions.
Actions to date within these lines of effort include:
Disrupt Ransomware Infrastructure and Actors
- The Department of Justice established a Task Force to enhance coordination and alignment of law enforcement and prosecutorial initiatives combating ransomware. Law enforcement agencies, working through the National Cyber Investigative Joint Task Force (NCIJTF) and with the support of the interagency, are surging investigations, asset recovery, and other efforts to hold ransomware criminals accountable.
- The Department of the Treasury levied its first-ever sanctions against a virtual currency exchange. The exchange, SUEX, was responsible for facilitating ransomware payments to ransomware criminals associated with at least eight ransomware variants. Treasury will continue to disrupt and hold accountable these ransomware actors and their money laundering networks to reduce the incentive for cybercriminals to continue to conduct these attacks.
- The Department of the Treasury published an updated sanctions advisory encouraging and emphasizing the importance of reporting ransomware incidents and payments to U.S. Government authorities.
- U.S. Cyber Command and the National Security Agency are dedicating people, technology, and expertise to generate insights and options against ransomware actors. Their technical expertise and insights enable and support whole-of-government efforts, including actions against criminals, their infrastructure, and their ability to profit from their crimes.
- The Department of State’s Rewards for Justice (RFJ) Office has offered a $10 million reward for information leading to the identification or location of any person who, while acting at the direction or under the control of a foreign government, engages in, or aids or abets, certain malicious cyber activities against U.S. critical infrastructure, to include ransomware activities.
Bolster Resilience against Ransomware
- The President launched an Industrial Control System Cybersecurity (ICS) Initiative in April – a voluntary, collaborative effort between the federal government and the critical infrastructure community. The ICS Initiative has led over 150 electricity utilities, representing almost 90 million residential customers, to deploy or commit to deploying control system cybersecurity technologies, bolstering the security and resilience of these facilities. The ICS Initiative has been expanded to natural gas pipelines, and will shortly be expanded to the water sector.
- In July, the U.S. Department of Homeland Security (DHS) and the U.S. Department of Justice (DOJ) established the StopRansomware.gov website to help private and public organizations access resources to mitigate their ransomware risk.
- The Transportation Security Administration (TSA) at the Department of Homeland Security issued two Security Directives, requiring critical pipeline owners and operators to bolster their cyber defenses, enabling DHS to better identify, protect against, and respond to threats to critical companies in the pipeline sector.
- Deputy National Security Advisor for Cyber and Emerging Technology, Anne Neuberger, sent an open letter to CEOs in June communicating best practices to defend against and prepare for ransomware incidents, including backing up data, implementing multi-factor authentication, and testing incident response plans.
- In August, President Biden met with private sector and education leaders to discuss the whole-of-nation effort needed to address cybersecurity threats – and leaders announced ambitious initiatives to bolster the Nation’s cybersecurity.
- The National Institute of Standards and Technology (NIST), within the Department of Commerce, is working with industry to improve current and emerging standards, practices, and technical approaches to address ransomware. Their efforts include the development of the Cybersecurity Framework Profile for Ransomware Risk Management, which builds off the NIST Cybersecurity Framework to provide organizations a guide to prevent, respond to, and recover from ransomware events.
- Treasury and the Department of Homeland Security’s CISA are engaging the cyber insurance sector to explore incentives to enhance implementation of cyber hygiene and improve visibility of ransomware activity.
Combat Virtual Currency Misuse to Launder Ransom Payments
- The United States remains at the forefront of applying anti-money laundering/countering the financing of terrorism (AML/CFT) requirements on virtual currency businesses and activities. We continue to hold U.S. virtual currency exchanges accountable to our regulatory requirements, and we have shared indicators and typologies of virtual currency misuse with the virtual currency and broader financial sector through venues like the Financial Crimes Enforcement Network (FinCEN) Exchange program.
- Treasury is leading efforts to drive implementation of international standards on financial transparency related to virtual assets at the Financial Action Task Force and to build bilateral partnerships designed to strengthen AML/CFT controls for virtual currency exchanges overseas. Uneven implementation of international AML/CFT virtual currency standards creates vulnerabilities ransomware actors exploit and inhibits the U.S. Government’s ability to disrupt ransomware-associated money laundering.
- Led by the Federal Bureau of Investigation, the Administration is building an Illicit Virtual Asset Notification (IVAN) information sharing partnership and supporting platform to improve timelines of detection and disruption of ransomware and other illicit virtual currency payment flows.
Bolster International Cooperation
- The Administration is working closely with international partners to address the shared threat of ransomware and galvanize global political will to counter ransomware activities – as reflected in the recent G7 and North Atlantic Treaty Organization (NATO) joint statements, and Financial Action Task Force (FATF) efforts, among others. The Administration continues to advocate for expanded membership in, and implementation of, the Budapest Convention and its principles.
- Departments and Agencies continue to engage with States to improve their capacity for addressing ransomware threats, including through capacity building that promotes cybersecurity best practices and combats cybercrime, such as trainings on network defense and resilience, cyber hygiene, virtual currency analysis, and other training and technical assistance to foreign law enforcement partners to combat criminal misuse of information technologies.
- The United States remains committed to eliminating safe harbors for ransomware criminals through a more direct diplomatic approach. President Biden has directly engaged President Putin, and established the White House and Kremlin Experts Group to directly discuss and address ransomware activity. The Experts Group continues to meet to address the ransomware threat and to press Russia to act against criminal ransomware activities emanating from its territory. The President has made clear the United States will act to protect our people and critical infrastructure.