New US ransomware strategy prioritizes victims but could make it harder to catch cybercriminals

By Sean Lyngaas, CNN

US and European law enforcement’s disruption last week of a $100-million ransomware gang is the clearest public example yet of a new high-stakes strategy from the Biden administration to prioritize protecting victims of cybercrime — even if it means tipping off suspects and potentially make it harder to arrest them.

The extent to which the FBI and Justice Department can carry out similar operations on other ransomware groups — and get the balance right between when to collect intelligence on hackers’ operations and when to shut down computer networks — could affect how acute the threat of ransomware attacks is to US critical infrastructure for years to come.

In the case revealed last week, the FBI says it had extraordinary access for six months to the computer infrastructure of a Russian-speaking ransomware group known as Hive, which had extorted more than $100 million from victims worldwide, including hospitals. That covert access, officials said, allowed the FBI to pass “keys” to victims so that they could decrypt their systems and thwart $130 million in ransom payments.

Justice officials are still trying to arrest the people behind Hive and know where some of them are located, a senior Justice Department official told CNN. But sometimes waiting for an arrest before seizing hacking infrastructure “may mean waiting for a very long time — perhaps an unacceptably long time,” the official said in an interview granted on the condition of anonymity to discuss the case.

The decision to go public with a splashy news conference, fronted by FBI Director Christopher Wray and Attorney General Merrick Garland, before making any arrests is evidence of a new approach to ransomware attacks which cost the US hundreds of millions of dollars, if not billions, annually.

The strategy shift toward doing more to help victims of cybercrime — announced a year ago — is loosely based on the US government’s approach to counterterrorism, which centers around disrupting plots and thwarting attacks.

“I was preparing for this to be public long, long ago and was kind of surprised that we were able to do this for this long,” the senior Justice Department official said of US officials’ covert access to Hive computer servers.

After multiple ransomware attacks hobbled US critical infrastructure firms in 2021, pressure grew on US law enforcement from Congress, the White House and the public to do more to disrupt the hackers’ operations.

Still, the FBI announcement raised questions about why the bureau decided to go public with the action now rather than continuing to lurk in the Hive hackers’ networks and collect intelligence. And it is possible or even likely, US officials concede, that Hive’s operators will set up new infrastructure to try to resume their extortion attempts.

One law enforcement source told CNN the timing made sense because US officials may have exhausted the intelligence they were going to glean from Hive’s servers.

The senior Justice Department official explained the decision this way: “We saw significant value in the reputational damage we were going to incur against Hive by announcing this.”

Like in other businesses, customers of ransomware gangs have a choice of who they buy hacking tools from. One goal of the operation, the senior Justice official said, was to “discredit” Hive in the eyes of other ransomware criminals and have a psychological effect on their operations.

“Other [ransomware] groups will watch this and have to spend more time and money securing their infrastructure,” said Bill Siegel, CEO of Coveware, a cybersecurity firm that works closely with victims and the FBI.

Victim data still sparse

The spate of significant ransomware attacks in the US in 2021 brought more scrutiny to how quickly the FBI and its partners can mitigate the impact the attacks.

After a July 2021 ransomware attack on a Florida-based software firm compromised up to 1,500 businesses, multiple US government agencies, including the FBI, deliberated about how and when to get the decryptor to victims. At least one victim organization, a Maryland tech firm, complained that they could have used the decryption key earlier to save on recovery costs, the Washington Post reported.

US officials weigh a number of factors when considering law enforcement operations to disrupt cybercriminal groups, a senior FBI official told CNN, including how the disruption will impact the broader cybercriminal ecosystem, how the FBI can help victims of the hackers recover, and the long-term “pursuit of justice” for the victims.

“Each case is different as far as what access [to the hackers’ infrastructure] looks like … what can be done quietly versus noisily,” the senior FBI official said. “Those all go into it.”

John Riggi, a former senior FBI official who is now national adviser for cybersecurity and risk at the American Hospital Association, applauded the disruption of Hive and hoped the crackdown on ransomware groups would continue. But ransomware attacks on health care organizations will likely continue as long as the hackers are getting paid off and are willing to tolerate the risk of carrying out the attacks, Riggi said.

Some cybercriminals “still view their attacks on hospitals as primarily data and financially motivated,” he told CNN.

One lingering problem for the FBI: Not enough victims are reporting ransomware attacks, leaving the bureau in the dark about the scope of the threat. Just 20% of Hive’s victims reported an incident to the FBI, Director Christopher Wray said last week.

“I still think that people have concerns that when they call the FBI that we’re going to come in with coats and we’re going to take their servers and they’re going to lose control of their business,” the senior FBI official told CNN. “And that’s so far from the truth, but most people are not interacting with the FBI on a daily basis.”

The-CNN-Wire
™ & © 2023 Cable News Network, Inc., a Warner Bros. Discovery Company. All rights reserved.