US DOJ: Continue to Expect Arrests, Ransom Payment Seizures
Deputy AG Lisa Monaco Outlines Department's Aggressive Ransomware Approach
The U.S. deputy attorney general said this week that the nation is ramping up efforts to cripple ransomware operations and other cybercrime through arrests and seizures of ransom payments. The Biden administration has called ransomware both a threat to national security and an economic threat - resulting in several U.S.-led counter-offensives.
Lisa Monaco, the nation's second-highest-ranking attorney, told The Associated Press, "In the weeks to come, you're going to see more arrests" and the seizure of ransom payments issued in cryptocurrency, among other operations.
While Monaco did not offer specifics, she declared: "If you come for us, we're going to come for you."
Assessing the state of ransomware crimes, generally, Monaco - who has taken an increasingly public role in pursuing threat actors - said, "We have not seen a material change in the landscape. Only time will tell as to what Russia may do on this front."
Still, she added, "We're going to continue to press forward to hold accountable those who seek to go after our industries, to hold our data hostage and threaten national security, economic security and personal security."
U.S. National Cyber Director Chris Inglis, however, told House lawmakers on Wednesday that the nation is seeing a "discernible decrease" in Russia-based cyberattacks.
Meg King, formerly an international manager for the U.S. Department of Defense’s Cooperative Threat Reduction Program, tells ISMG, "We need to give [this strategy] time to work, and if one of our most seasoned cyber experts - National Cyber Director Chris Inglis - says the U.S. has seen a 'discernible decrease' in attacks emanating from Russia, I'm encouraged."
Rosa Smothers, a former CIA threat analyst and technical intelligence officer, tells ISMG, "Aggressive extradition of cybercriminals to make an example of them, coupled with an aggressive bounty program, shows that the DOJ means business and is moving with a sense of urgency on the ransomware issue."
Smothers, currently the senior vice president of cyber operations at the firm KnowBe4, also notes, "To put this into context, Thursday's announcement of a $10 million bounty for information leading to the identification or location of senior members of the DarkSide gang … is the same amount of money offered for Sirajuddin Haqqani … who is wanted for questioning in connection with the January 2008 attack on a hotel in Kabul, Afghanistan, that killed six people."
Alleged Cybercriminal Extradited to US
Monaco's statement comes after an alleged Russian hacker appeared in court in the U.S. last week after being extradited from South Korea on allegations of facilitating transnational cybercrime.
Vladimir Dunaev, 38, a Russian national, is alleged to have pushed TrickBot malware in global cyberattacks between 2015 and 2020 - in particular, targeting schools, government entities and financial institutions. Microsoft acted against the malware group last October, ultimately seizing control of its infrastructure.
According to the DOJ, Dunaev, who faces a maximum of 60 years in prison, is suspected to be a malware developer for the group. He has been charged with conspiracy to commit computer fraud and aggravated identity theft, along with money laundering, wire fraud and bank fraud.
Follow the Money
In June, the DOJ also announced that it had seized 63.7 bitcoins - then valued at $2.3 million - which was considered approximately half of the proceeds from the May ransom payment Colonial Pipeline Co. made to the DarkSide ransomware group. The attack, which led to the pipeline halting operations after finding its systems crypto-locked, resulted in fuel shortages on the East Coast (see: $2.3 Million of Colonial Pipeline Ransom Payment Recovered).
Commenting on that attack, Monaco noted at the time, "Following the money remains one of the most basic, yet powerful tools we have. Ransom payments are the fuel that propels the digital extortion engine."
The U.S. government has advised against paying ransoms, suggesting they only embolden cybercriminals.
More Actions by Monaco
The DOJ confirmed in October that it will pursue government contractors that fail to report cybersecurity incidents. Monaco said the department's Civil Cyber-Fraud Initiative will use the False Claims Act, which imposes liability on those defrauding government programs, to hold entities accountable for "knowingly violating obligations to monitor and report incidents and breaches" (see: US DOJ to Fine Contractors for Failure to Report Incidents).
Monaco also in October announced the creation of a National Cryptocurrency Enforcement Team, or NCET, which she said will investigate and prosecute the misuse of cryptocurrency - particularly crimes committed by crypto exchanges, mixing and tumbling services used to obfuscate funds, and money laundering infrastructure.
This month, the DOJ listed a job opening for the director of NCET, who will aid in enforcing digital currency laws and head a team of prosecutors to investigate crypto-related cases. The DOJ says the director will liaise with U.S. Attorneys' Offices and other law enforcement agencies, and partner with the Department of the Treasury's Financial Crimes Enforcement Network, or FinCEN; the Securities and Exchange Commission; and similar agencies around cryptocurrency regulation.
On targeting ransomware operators' cryptocurrency-based model, King, currently director of the science and technology innovation program at The Wilson Center, a nonpartisan think tank, says, "Seizing cryptocurrency ransomware payments puts a big dent in the core of the business model: Criminals are no longer assured that they can keep proceeds. This is a critical element of an overall U.S. government strategy to deny ransomware attackers access to the tools they need to succeed."