DOJ Reorganizes Units to Better Fight Ransomware

The U.S. Justice Department is expanding its whole-of-government approach to battling cyberthreats by folding the team that investigates cryptocurrency-related criminal cases into its cybercrime unit. The move brings together the capabilities for investigating the ransomware life cycle, from the initial access to the ransom payment.

In a talk this month at the Center for Strategic and International Studies, Nicole Argentieri, principal deputy assistant attorney general and soon-to-be acting assistant attorney general, said the DOJ’s two-year-old National Cryptocurrency Enforcement Team (NCET) will merge with its Computer Crime and Intellectual Property Section (CCIPS).

The merged unit will enable the investigators with deep cryptocurrency expertise to work more closely with those focused on cybercrime, essentially doubling the number of attorneys who can work on criminal crypto cases and giving the work equal status within the DOJ’s Criminal Division, Argentieri said.

“The potential for crossover and collaboration is enormous,” she said. “It’s become obvious to everyone in the cybercrime field that cryptocurrency work and cyber prosecutions are intertwined and will become even more so in the future.”

Cryptocurrency’s Role in Ransomware

The tight relationship between ransomware and crypto has been known for years, with some experts saying the rise of ransomware largely can be attributed to the growth of cryptocurrencies like Bitcoin, Ethereum and Monero.

In a report last year, the U.S. Senate’s Committee on Homeland Security and Governmental Affairs noted that the “use of cryptocurrencies has further enabled ransomware attacks, particularly because cryptocurrency is decentralized and distributed and illicit actors can take steps to obscure transactions and make them more difficult to track.”

Cybersecurity vendor Sangfor Technologies wrote in a report last month about the rising number of ransomware attacks and the growing use of cryptocurrency platforms by the attackers.

“With the use of cryptocurrency, cybercriminals can automatically transport large amounts of money across international boundaries within seconds,” researchers for China-based Sangfor wrote. “The lack of trackability and ease make this the ideal way to demand a ransom.”

Merger Means More Resources

CCIPS, with NCET in the fold, will help the government better meet the demands of the White House’s National Cybersecurity Strategy Implementation Plan released this month, which among other things identifies ransomware as a major concern throughout the country and a significant national security threat.

“The CCIPS cybercrime experts will investigate ransomware crimes, and NCET cryptocurrency specialists will pursue all available opportunities to track criminals through their ransomware payments, vigorously pursuing cryptocurrency payments and freezing or seizing them before they go to Russia and other ransomware hotspots,” Argentieri said.

NCET was created by pulling in experts from CCIPS and the Money Laundering and Asset Recovery Section (MLARS) and adding assistant AGs with cryptocurrency experience. Argentieri said that NCET “has been an enormously successful startup,” noting arrests connected to fraudulent activities by individuals against the Bitzlato and Mango Markets crypto exchanges.

Merging with CCIPS will give it even more resources to draw on, according to Argentieri.

The Fight’s Not Over

The DOJ has had some victories against ransomware gangs. In January, the FBI infiltrated and disrupted the Hive ransomware operation by seizing the threat group’s websites and servers. The CCIPS also showed victims how to decrypt their computers without having to pay a ransom, Assistant Attorney General Kenneth Polite said at the same Center for Strategic and International Studies event.

Polite said the DOJ has run 23 successful cybercrime disruption operations against such malware families as Netwalker and CryptoLocker while also shutting down forums on the dark web, including Silk Road, BreachForums, and Genesis Market.

More of that is needed if there’s hope of stemming the rising tide of ransomware. GuidePoint Security, in a report last week, said there was a 38% increase between the first and second quarters in the volume of victims that ransomware groups publicly posted and a 100% increase year-over-year in Q2. GuidePoint researchers also pointed to a rise in the number of ransomware-as-a-service operations, with 14 new RaaS groups emerging in the second quarter.

Jeffrey Burt

Jeffrey Burt has been a journalist for more than three decades, writing about technology since 2000. He’s written for a variety of outlets, including eWEEK, The Next Platform, The Register, The New Stack, eSecurity Planet, and Channel Insider.