- Following the Colonial Pipeline ransomware attack, the FBI recovered almost half of the company's $4.4 million ransom payment. The practice could become the norm as law enforcement agencies grow more proficient at the practice, said Jeremy Sheridan, assistant director of investigations in the U.S. Secret Service within the Department of Homeland Security, during a House Committee on Homeland Security hearing Wednesday.
- Law enforcement uses cryptocurrency, computer scientists, blockchain analysts and crypto-tracers to recover ransoms, said Sheridan. "But we need to get better … We need to have greater technical capability in this arena and we can certainly seize more of it."
- While the U.S. government is working to make crypto more transparent, the Secret Service has the same technical capabilities to pursue and seize cryptocurrencies. However, law enforcement cannot say what techniques they employ or the intelligence used to execute the mission, said Sheridan.
The ransomware as a service model, where unrelated affiliates can collaborate, "has sharply escalated" attacks on the U.S., according to Robert Silvers, under secretary for the office of strategy, policy and plans within DHS, during the hearing. If domestic and international law enforcement could disrupt the RaaS affiliate model, it would change the severity of ransomware attacks.
In addition to overall defense and deterrence, more offensive operations for "candidly scaring" ransomware actors would force them to change their targets, said Silvers. Law enforcement investigations could facilitate that kind of activity while also sanctioning cryptocurrency exchanges.
"I think that is what we're doing as an administration — by making ransomware actors feel like they cannot trust their partner," Silvers said. Earlier this month the FBI announced additional arrests related to REvil, and seized $6.1 million from a pool of its extortions.
"Law enforcement, particularly the FBI, can exploit the transparency of blockchain for ransom recovery," said Rep. Ritchie Torres, D-N.Y.
The most direct way law enforcement can improve their ability to recover ransom funds is if overall ransomware reporting increases from private industry. For DHS to perform more assessments of ransomware groups and the actors involved, the agency is relying on increased data sharing and the incident reporting rule included in the FY2022 National Defense Authorization Act (NDAA). Mandatory reporting "would actually be transformative," said Silvers.
The U.S. is also tackling cyber diplomacy, but the limited accountability for international criminals is a concern for Congress. The U.S.'s official stance is to treat all ransomware attacks as a prosecutable crime, but President Joe Biden's National Security Council (NSC) is tackling how to handle the safe harbor of ransomware actors in Russia.
The Secret Service has a list of countries with high tolerance for ransomware actors, and "in some cases offer outright support to cybercriminals," said Sheridan. "Russia is one of those countries."
The Biden administration has warned Russia-linked attackers that the 16 critical infrastructure sectors previously outlined by the U.S. are off-limits to cyberattacks. However, "the implication is that we will tolerate Russia safe harbor for ransomware attacks on individuals and institutions that fall outside the 16 areas of critical infrastructure," said Torres. Because the U.S. wouldn't apply the same principle to the physical world, "why should we make that distinction in the digital realm?"
Even with limited ransomware data due to underreporting, the FBI and Cybersecurity and Infrastructure Security Agency (CISA) have not seen a change in the number of ransomware incidents, according to Brandon Wales, executive director of CISA, during the hearing.
"So there's no evidence that Russia is keeping its promise," said Torres.