Following several significant ransomware attacks against U.S. companies last summer, the Biden administration has acted internationally and domestically to punish the perpetrators and prevent future attacks. As part of a shift from addressing ransomware as a law enforcement matter to treating it as a national security threat,Footnote 1 the administration has targeted ransomware infrastructure, clawing back ransom payments and disrupting ransomware groups, while also targeting individual ransomware operators with indictments and sanctions. The administration is also offering rewards for information leading to the identification and arrest of ransomware operators and continuing diplomatic efforts aimed at convincing other governments to act against ransomware groups.Footnote 2 Whether the administration's holistic approach to combatting ransomware will prove effective in decreasing ransomware attacks remains to be seen.
Ransomware is a type of malicious software that is “designed to encrypt files on a device, rendering any files and the systems that rely on them unusable,” and then ransomware operators “demand ransom in exchange for decryption.”Footnote 3 Sometimes ransom demands are accompanied by threats “to publish exfiltrated data, or sell it on the dark web” if the ransom is not paid.Footnote 4 In recent years, ransomware attacks have disrupted state and local governments, caused outages at healthcare facilities, and targeted other critical infrastructure.Footnote 5 Ransomware incidents have increased significantly in frequency, cost, and severity.Footnote 6 For example, U.S. authorities “observed incidents involving ransomware against 14 of the 16 U.S. critical infrastructure sectors” in 2021,Footnote 7 and according to the U.S. Treasury Department, “[r]eported ransomware payments in the United States . . . reached $590 million in the first half of 2021,” up from $416 million reported in all of 2020,Footnote 8 which in turn quadrupled the amount paid in 2019.Footnote 9
Beginning in May 2021, a series of significant ransomware attacks raised the profile of ransomware as a national security concern for the U.S. government and the public.Footnote 10 The first incident disabled the networks of Colonial Pipeline Co. and became the “largest publicly disclosed cyber attack against critical infrastructure in the [United States].”Footnote 11 Although the attack did not directly affect the systems regulating the flow and delivery of oil, Colonial Pipeline shut down the pipeline to prevent the ransomware's spread after it infected other parts of the company's network.Footnote 12 The pipeline spans Texas to New Jersey, and its closure left consumers vulnerable to shortages, partly due to a wave of panic buying across the country.Footnote 13 The FBI quickly attributed the incident to a group called DarkSide.Footnote 14 Eventually, Colonial Pipeline paid a $5 million ransom in Bitcoin to decrypt its compromised data.Footnote 15 In a press conference, President Biden noted that “we do not believe the Russian government was involved in this attack. But we do have strong reason to believe that criminals who did the attack are living in Russia,” and he explained that “[w]e have been in direct communication with Moscow about the imperative for responsible countries to take decisive action against these ransomware networks.”Footnote 16
Weeks later, JBS, “[t]he world's largest meat processor,” suffered a ransomware attack that shut down “U.S. beef plants and disrupted operations at poultry and pork plants.”Footnote 17 The FBI attributed the attack to REvil, a Russia-based “ransomware as a service” group that was formerly affiliated with DarkSide.Footnote 18 JBS paid the hackers $11 million in Bitcoin and restored its operations quickly,Footnote 19 though the interruption caused meat prices to rise around the world.Footnote 20 The White House noted that it was “engaging directly with the Russian government on this matter and delivering the message that responsible states do not harbor ransomware criminals.”Footnote 21
The third significant ransomware incident struck over the July 4 weekend, affecting Kaseya, a company that sells software to managed service providers who in turn use it to support other businesses.Footnote 22 REvil demanded a $70 million ransom,Footnote 23 but Kaseya declined to pay and ultimately obtained a decryption key from a “trusted third party.”Footnote 24 After the Kaseya incident, President Biden had a call with Russian President Vladimir Putin and “underscored the need for Russia to take action to disrupt ransomware groups operating in Russia” and emphasized that “the United States will take any necessary action to defend its people and its critical infrastructure.”Footnote 25 Days later, REvil disappeared from the internet,Footnote 26 albeit temporarily.Footnote 27
In response to these ransomware incidents, the Biden administration began a whole-of-government effort to address ransomware as a national security priority. The United States has reportedly conducted several operations both to recover ransom payments and to disrupt ransomware operators. In June 2021, federal authorities recovered $2.3 million of the ransom that Colonial Pipeline had paid to DarkSide in Bitcoin.Footnote 28 In announcing the seizure, executed pursuant to a warrant issued by a federal judge, Deputy Attorney General Lisa O. Monaco explained, “[f]ollowing the money remains one of the most basic, yet powerful tools we have,” and noted that the seizure “demonstrates that the United States will use all available tools to make these attacks more costly and less profitable for criminal enterprises.”Footnote 29 The Justice Department explained,
by reviewing the Bitcoin public ledger, law enforcement was able to track multiple transfers of bitcoin and identify that approximately 63.7 bitcoins, representing the proceeds of the victim's ransom payment, had been transferred to a specific address, for which the FBI has the “private key,” or the rough equivalent of a password needed to access assets accessible from the specific Bitcoin address.Footnote 30
How officials obtained the key remains unclear.Footnote 31
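The Justice Department statement above describes tracing ransom proceeds across a public ledger until they rest at an address whose private key investigators hold. The following added illustration is not the FBI's or the Justice Department's tooling and does not parse real Bitcoin data; it uses a simplified UTXO model over a constructed ledger (all transaction ids, addresses and amounts are made up) to show the mechanics: follow each spend of the ransom output forward, apportion traced value proportionally when it is mixed with unrelated funds, and report where the still-unspent traced value sits.

```python
"""Following ransom proceeds across a public ledger (constructed example).

Simplified UTXO model: each transaction spends named outputs of earlier
transactions (outpoints) and creates new outputs. A ledger is processed in
chronological order, as a blockchain is. Traced value entering a transaction
is spread over its outputs in proportion to their amounts (the "haircut"
heuristic), so commingling with unrelated funds dilutes rather than
contaminates the whole transaction. Any transaction fee is the gap between
inputs and outputs and simply drops out of the traced total.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Tx:
    txid: str
    inputs: list   # outpoints being spent: (txid, output_index)
    outputs: list  # newly created outputs: (address, amount_btc)


# Constructed ledger; none of these ids, addresses or amounts are real.
LEDGER = [
    Tx("tx_victim_fund", [], [("addr_victim", 75.0)]),          # victim's funds
    Tx("tx_other", [], [("addr_other", 8.7)]),                  # unrelated funds
    Tx("tx_ransom", [("tx_victim_fund", 0)], [("addr_gang_1", 75.0)]),
    Tx("tx_split", [("tx_ransom", 0)],
       [("addr_affiliate", 11.3), ("addr_gang_2", 63.7)]),      # operator/affiliate split
    Tx("tx_hop", [("tx_split", 1)], [("addr_seized", 63.7)]),   # 63.7 BTC parked at one address
    Tx("tx_cashout", [("tx_split", 0), ("tx_other", 0)],
       [("addr_exchange", 20.0)]),                              # ransom share mixed with other funds
]


def trace(ledger, start_outpoint):
    """Return {outpoint: traced_btc} for every output that carries value
    descending from start_outpoint. Ledger must be in chronological order."""
    by_id = {tx.txid: tx for tx in ledger}
    sid, sidx = start_outpoint
    traced = {start_outpoint: by_id[sid].outputs[sidx][1]}
    for tx in ledger:
        traced_in = sum(traced.get(op, 0.0) for op in tx.inputs)
        if traced_in == 0.0:
            continue  # this transaction touches no traced funds
        total_in = sum(by_id[t].outputs[i][1] for t, i in tx.inputs)
        fraction = traced_in / total_in  # share of inputs that is traced
        for i, (_addr, amount) in enumerate(tx.outputs):
            traced[(tx.txid, i)] = amount * fraction
    return traced


def unspent_traced_by_address(ledger, traced):
    """Sum traced value that has not been spent onward, keyed by address.
    These are the addresses whose keys would let value be recovered."""
    by_id = {tx.txid: tx for tx in ledger}
    spent = {op for tx in ledger for op in tx.inputs}
    totals = defaultdict(float)
    for (txid, i), amount in traced.items():
        if (txid, i) not in spent and amount > 0.0:
            totals[by_id[txid].outputs[i][0]] += amount
    return dict(totals)


def path_to_address(ledger, traced, address):
    """List the transaction ids, in ledger order, that carried traced value
    into outputs paid to `address`."""
    by_id = {tx.txid: tx for tx in ledger}
    return [txid for txid, i in traced
            if by_id[txid].outputs[i][0] == address and traced[(txid, i)] > 0.0]


if __name__ == "__main__":
    flows = trace(LEDGER, ("tx_ransom", 0))
    for addr, btc in sorted(unspent_traced_by_address(LEDGER, flows).items()):
        print(f"{addr}: {btc:.4f} BTC of traced ransom value, unspent")
    print("transactions paying addr_seized:", path_to_address(LEDGER, flows, "addr_seized"))
```

Running the script reports 63.7 BTC resting at addr_seized and about 11.3 BTC at addr_exchange, the latter being the traced share of a 20 BTC output that mixed ransom money with unrelated funds. The proportional apportionment is one of several heuristics used in practice; the choice between it and stricter rules (treating any output of a tainted transaction as fully tainted) changes which balances a tracing effort attributes to a ransom, and the ledger only ever shows the address, never who controls its key.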
Reports indicate that the United States disrupted REvil's infrastructure in the fall of 2021, prompting the group to shut down.Footnote 32 According to the Washington Post, a foreign government hacked REvil's servers in the summer of 2021, and in October, after cooperation with the FBI, U.S. Cyber Command (CyberCom) “blocked [REvil's] website by hijacking its traffic,” and thereby “deprived the criminals of the platform they used to extort their victims.”Footnote 33 CyberCom's actions caused REvil to shut down again, at least temporarily, due to fear of discovery.Footnote 34 A REvil leader with the username o_neday wrote that “‘[t]he server was compromised’ . . . ‘and they are looking for me,’” following up with “‘Good luck everyone, I'm taking off.’”Footnote 35 In December, Gen. Paul M. Nakasone, who leads both CyberCom and the National Security Agency, noted that the government had shifted away from treating ransomware as “the responsibility of law enforcement” and publicly confirmed that “‘with a number of elements of our government, we have taken actions and we have imposed costs,’” though he declined to specify which groups had been targeted.Footnote 36
The Biden administration has also targeted the financial infrastructure underlying ransomware operations by imposing sanctions on cryptocurrency exchanges that launder ransom payments. On September 21, 2021, the Treasury Department used authority provided by the Obama administration's cybersecurity sanctions executive order to sanction Suex, “a virtual currency exchange, for its part in facilitating financial transactions for ransomware actors,” including “transactions involving illicit proceeds from at least eight ransomware variants.”Footnote 37 According to the Treasury Department, “[a]nalysis of known SUEX transactions shows that over 40% of SUEX's known transaction history is associated with illicit actors.”Footnote 38 In November, the Treasury Department sanctioned another virtual currency exchange, Chatex, for facilitating transactions on behalf of many ransomware actors.Footnote 39 The Treasury Department alleged that half of Chatex's “known transactions . . . are directly traced to illicit or high-risk activities such as darknet markets, high-risk exchanges, and ransomware,” and Chatex has “direct ties with SUEX.”Footnote 40 The Department also designated three companies for providing “material support and assistance to Chatex” by “set[ting] up infrastructure for Chatex, enabling [its] operations.”Footnote 41
In addition to its efforts to target ransomware infrastructure, the Biden administration has targeted individual hackers through criminal indictments and sanctions. On November 8, 2021, the Justice Department announced charges against two ransomware operators linked to REvil.Footnote 42 In announcing the indictments, Attorney General Merrick Garland said that “[c]ybercrime is a serious threat to our country: to our personal safety, to the health of our economy, and to our national security,” and continued, explaining that “[t]he United States, together with our allies, will do everything in our power to identify the perpetrators of ransomware attacks, to bring them to justice, and to recover the funds they have stolen from their victims.”Footnote 43 The first indictment charged a Ukrainian national, Yaroslav Vasinskyi, for his role in the July ransomware attack on Kaseya.Footnote 44 Vasinskyi was arrested in Poland and extradited to the United States for prosecution.Footnote 45 The second indictment charges Russian citizen Yevgeniy Polyanin with crimes related to “conducting Sodinokibi/REvil ransomware attacks against multiple victims, including businesses and government entities in Texas on or about Aug. 16, 2019.”Footnote 46 Simultaneously, the Department announced “the seizure of $6.1 million in funds traceable to alleged ransom payments” to Polyanin.Footnote 47 The Warrant to Seize Property Subject to Forfeiture denoted seizure of a cashier's check totaling $6,123,652.21, but also requested “[a]ll funds up to $13 million in the FTX Trading Limited account” in Polyanin's name.Footnote 48 Both defendants face charges of “conspiracy to commit fraud and related activity in connection with computers, substantive counts of damage to protected computers, and conspiracy to commit money laundering,” and if convicted on all counts could be sentenced to more than one hundred years in prison.Footnote 49 The same day that the indictments were released, the Treasury Department sanctioned both Vasinskyi and Polyanin.Footnote 50
Rounding out a carrot-and-stick approach, the State Department now offers rewards for information leading to ransomware operators. In July 2021, the Department's Rewards for Justice program began offering rewards “of up to $10 million for information leading to the identification or location of any person who, while acting at the direction or under the control of a foreign government, participates in malicious cyber activities against U.S. critical infrastructure.”Footnote 51 In November 2021, the State Department cited the Colonial Pipeline incident in announcing additional rewards pursuant to its Transnational Organized Crime Rewards Program of up to $10 million for information on leaders of DarkSide and up to $5 million “for information leading to the arrest and/or conviction in any country of any individual conspiring to participate in or attempting to participate in” a DarkSide ransomware attack.Footnote 52 Days later, citing the JBS and Kaseya incidents, the State Department offered a parallel reward for information about leaders or participants in REvil ransomware operations.Footnote 53 Evincing concern for the safety of potential tipsters, the Department has established a “Dark Web (Tor-based) tips-reporting line to protect the safety and security of potential sources” and advertises that “[p]ossible relocation and rewards payments by cryptocurrency may be available to eligible sources.”Footnote 54
After debate throughout the fall about whether the U.S. counter-ransomware actions were proving effective,Footnote 55 on January 14, Russia “arrested 14 alleged members of the REvil ransomware gang, including a hacker that U.S. officials say executed May's Colonial Pipeline attack, and announced that it had eliminated the group at Washington's request.”Footnote 56 Russia's Federal Security Service also seized $1 million in various currencies, including Bitcoin, as well as computer equipment.Footnote 57 Although the United States attributed the Colonial Pipeline incident to DarkSide, U.S. officials believe that the hacker responsible for the attack shifted to REvil when DarkSide disappeared.Footnote 58 The arrests came amidst growing tensions with Russia over Ukraine, and experts noted “that the arrests, while significant, seem aimed at sending a signal that such cooperation would cease if the United States and Western allies impose sanctions in the event of a Russian invasion of Ukraine.”Footnote 59