ARGUMENT: Fighting ransomware

It’s Time to Surge Resources into Prosecuting Ransomware Gangs

Published 24 May 2021

In the popular imagination, hacking is committed by lone wolves with exceptional computer skills. But in reality, the vast majority of hackers do not have the technical sophistication to create the malicious tools that are essential to their trade. Kellen Dwyer writes that hacking has exploded in recent years because criminals have specialized and subspecialized so that each one can concentrate on facilitating just a single phase of a successful data breach. This is known as cybercrime-as-a-service and it is a massive business. This intricate cybercrime ecosystem offers the key to fighting it: “While organization and specialization are strengths of cybercriminals, they are also weaknesses. That means there are organizations that can be infiltrated and exploited.”

The Biden administration has declared cybersecurity a top priority and, in the wake of the attack against Colonial Pipeline, has reiterated its resolve to battle ransomware. The Department of Justice, for its part, has launched a ransomware task force charged with developing a strategy to target the entire criminal ecosystem around ransomware. Yet, when Attorney General Merrick Garland appeared before the House Appropriations Committee earlier this month to highlight the key priorities in the department’s 2022 budget request, cyber did not make the list.

Kellen Dwyer writes in Lawfare that to fight ransomware, the Justice Department should follow the playbook that it used against organized crime in the 1960s and terrorists after 9/11.

The department needs a “troop surge” of cyber prosecutors and agents to conduct long-term, proactive investigations into ransomware gangs and the organizations that enable them.

None of this is meant to diminish the need for policy changes or to increase investment in defensive cybersecurity. The recent executive order addressing information sharing, breach notification and supply chain security is a step in the right direction. Policymakers should also consider proposals that discourage ransomware payments by helping victims rebuild their systems and by limiting the distribution of stolen data that was the subject of a ransom demand. But a surge of resources for proactive investigations into organized cybercrime is the lowest-hanging fruit on the tree of possible policy responses to ransomware. It should be picked immediately. 

Dwyer notes that in the popular imagination, hacking is committed by lone wolves with exceptional computer skills. But in reality, the vast majority of hackers do not have the technical sophistication to create the malicious tools that are essential to their trade. Hacking has exploded in recent years because criminals have specialized and subspecialized so that each one can concentrate on facilitating just a single phase of a successful data breach. This is known as cybercrime-as-a-service and it is a massive business.

“This specialization is critical to the success of ransomware gangs,” Dwyer writes, adding that “there are a number of other important subspecialties within each of the categories that are also critical to the cybercrime and ransomware ecosystem.”

This intricate ecosystem offers the key to fighting it: “While organization and specialization are strengths of cybercriminals, they are also weaknesses. That means there are organizations that can be infiltrated and exploited.”

Dwyer concludes:

In the 1960s, the Justice Department expanded its Organized Crime and Racketeering Section from just a few lawyers to more than 60. These attorneys helped the department shift from prosecuting individual mobsters to conducting long-term investigations into entire criminal organizations. After 9/11, the department adopted a proactive approach to terrorism and established the National Security Division to manage the department-wide effort. The department did not wait for another attack to occur; it launched investigations into terrorist organizations and anyone who dared to support or finance them. Today, no terrorists can seek the support of anyone anywhere without wondering if their co-conspirators are actually undercover FBI agents. That same approach should be used to take on ransomware actors and those who support them. Ransomware gangs might seem ubiquitous. But like mobsters and terrorists, they are a finite group of criminals who depend on aid from a limited number of sources. They can be investigated and prosecuted and the organizations that support them can be dismantled, if we are willing to pay the modest price.