The US Department of Justice, particularly through the FBI, is making great strides in the fight against ransomware. Its recent focus on disrupting cybercrime has been crucial in the takedown of notorious cybercriminal groups like Hive and the dismantling of malware tools like Qakbot.
In our more recent #federalfridays posts, we’ve been discussing federal changes that will shape the future of cybersecurity. Understanding forward-looking policy is important, but the reality is that cybercrime is happening every day. This #federalfriday, we will examine how the US Department of Justice (DOJ) is combatting this growing issue, primarily through the US Federal Government’s principal law enforcement agency, the Federal Bureau of Investigation (FBI).
This week, the FBI disrupted another international malware tool, Qakbot. Qakbot infiltrated a computer through malicious links in phishing emails, then connected the infected computer to other compromised computers, forming a network of infected machines known as a botnet. Qakbot enabled threat actor groups like Royal and BlackBasta to launch ransomware attacks, costing victims millions. The FBI disrupted the botnet by redirecting Qakbot traffic to servers it controlled and using those servers to remove the Qakbot malware from infected machines with an uninstaller file. The operation reached over 700,000 computers worldwide and shows how remarkably impactful this remote method of disruption can be.
The Qakbot takedown is an excellent illustration of the DOJ’s evolving focus on cybercrime. Under the Biden Administration, both the FBI specifically and the DOJ in general have pivoted their efforts to home in on attackers and their illicit infrastructure and supply chains.
In July, the DOJ merged its cryptocurrency and computer crimes investigation units, combining the Computer Crime and Intellectual Property Section (CCIPS) and the National Cryptocurrency Enforcement Team (NCET). Principal Deputy Assistant Attorney General Nicole M. Argentieri, who announced the merger, described how the new combination would be impactful in fighting ransomware in her speech at the Center for Strategic and International Studies: “the CCIPS cybercrime experts will investigate ransomware crimes, and NCET cryptocurrency specialists will pursue all available opportunities to track criminals through their ransomware payments, vigorously pursuing cryptocurrency payments and freezing or seizing them before they go to Russia and other ransomware hotspots.” Argentieri pointed out that “ransomware is a threat to all - national security, public safety, and economic prosperity”, so a more collaborative effort is needed to counter it.
The unification came one month after the creation of the National Security Cyber Section (NatSec Cyber) in the National Security Division (NSD), which also encourages collaboration between the CCIPS and the FBI’s Cyber Division. According to Assistant Attorney General Matthew G. Olsen, NatSec Cyber is part of the NSD’s efforts to “[disrupt] the criminal ecosystem by making cybercrime and ransomware less lucrative and higher risk”.
This approach reflects the DOJ’s new modus operandi. At the 2023 RSA conference, U.S. Deputy Attorney General Lisa Monaco said that after a “comprehensive cyber review”, they found out the best way for the DOJ to maximize its tools in its fight against cybercrime would be to change direction. “We needed to pivot to disruption and make that our focus.” Monaco pointed out that “...doing so will not always yield a prosecution”, so “[w]e are not measuring our success only with courtroom action or courtroom victories.”
Prioritizing disruption of cybercrime groups was key in the FBI’s recent takedown of Hive. By November of 2022, the Hive ransomware group had “victimized over 1,300 companies worldwide, receiving approximately $100 million in ransom payments”, according to the FBI. Its targets spanned many industries, including Information Technology, Healthcare, Communications, and Education. Under the RaaS (ransomware-as-a-service) model that Hive used, companies would have to pay exorbitant amounts of cryptocurrency to obtain the decryption keys. FBI agents undermined the group by remotely breaking into its administration panel, which allowed the FBI to identify Hive’s victims and provide them with decryption keys to restore their systems. This method prevented more than 300 victims from being extorted, ultimately saving upwards of $130 million, even though it did not lead to any immediate arrests.
Apart from disrupting operations and recovering funds, the FBI’s collaboration with the DOJ and their international counterparts has led to significant advances in charging the perpetrators of these cybercrimes. The Department of Justice announced a massive global operation against NetWalker ransomware. NetWalker had become a significant threat due to its sophistication and its impact on various sectors - companies, municipalities, hospitals, law enforcement, emergency services, school districts, colleges, and universities. The healthcare sector, in particular, was heavily targeted during the COVID-19 pandemic. The FBI seized more than $450,000 in cryptocurrency as well as infrastructure used by NetWalker to communicate with victims. While the investigation was led by the FBI team based in Tampa, Florida, the operation’s success was achieved together with the DOJ’s Office of International Affairs and the Bulgarian National Investigation Service.
In a notable case involving North Korean ransomware actors, the Justice Department recently managed to recover approximately $500,000 paid as ransom by U.S. healthcare providers. The North Korean hackers deployed a ransomware strain called "Maui" to encrypt the files and servers of a medical center in the District of Kansas and a healthcare provider in Colorado. In this instance, collaboration between the Kansas medical center and the FBI led to the operation’s success. Because the medical center promptly reported the incident and cooperated with law enforcement (something that will soon be required by CISA), the FBI was able to identify this new North Korean ransomware and trace the funds to China-based money launderers.
The proactive approach taken by federal agencies, including the DOJ and FBI, demonstrates a strong commitment to combating the ever-evolving landscape of cybercrime. Through consolidation of expertise, collaboration, and the prioritization of disruption strategies, these agencies are successfully dismantling cybercriminal operations and protecting the interests of the public at large.
By focusing on the wider criminal ecosystem and not solely on prosecution, federal agencies can make cybercrime less lucrative and more risky, ultimately deterring future attacks. The significant milestones achieved thus far in disrupting ransomware groups like Hive and NetWalker, and the recovery and forfeiture of stolen funds, emphasize the importance of this comprehensive and strategic approach. In the long run, these efforts will not only combat current cyber threats but also shape the future of cybersecurity.
This post is part of DAR's "Federal Fridays" series. Be sure to follow DAR on LinkedIn for the latest updates!