April 29, 2021

Some of the world’s top tech firms are backing a new industry task force focused on disrupting cybercriminal ransomware gangs by limiting their ability to get paid, and targeting the individuals and finances of the organized thieves behind these crimes.

In a 81-page report delivered to the Biden administration this week, top executives from Amazon, Cisco, FireEye, McAfee, Microsoft and dozens of other firms joined the U.S. Department of Justice (DOJ), Europol and the U.K. National Crime Agency in calling for an international coalition to combat ransomware criminals, and for a global network of ransomware investigation hubs.

The Ransomware Task Force urged the White House to make finding, frustrating and apprehending ransomware crooks a priority within the U.S. intelligence community, and to designate the current scourge of digital extortion as a national security threat.

The Wall Street Journal recently broke the news that the DOJ was forming its own task force to deal with the “root causes” of ransomware. An internal DOJ memo reportedly “calls for developing a strategy that targets the entire criminal ecosystem around ransomware, including prosecutions, disruptions of ongoing attacks and curbs on services that support the attacks, such as online forums that advertise the sale of ransomware or hosting services that facilitate ransomware campaigns.”

According to security firm Emsisoft, almost 2,400 U.S.-based governments, healthcare facilities and schools were victims of ransomware in 2020.

“The costs of ransomware go far beyond the ransom payments themselves,” the task force report observes. “Cybercrime is typically seen as a white-collar crime, but while ransomware is profit-driven and ‘non-violent’ in the traditional sense, that has not stopped ransomware attackers from routinely imperiling lives.”

A proposed framework for a public-private operational ransomware campaign. Image: IST.

It is difficult to gauge the true cost and size of the ransomware problem because many victims never come forward to report the crimes. As such, a number of the task force’s recommendations focus on ways to encourage more victims to report the crimes to their national authorities, such as requiring victims and incident response firms who pay a ransomware demand to report the matter to law enforcement and possibly regulators at the U.S. Treasury Department.

Last year, Treasury issued a controversial memo warning that ransomware victims who end up sending digital payments to people already being sanctioned by the U.S. government for money laundering and other illegal activities could result in hefty fines.

Philip Reiner, CEO of the Institute for Security and Technology and executive director of the industry task force, said the reporting recommendations are one of several areas where federal agencies will likely need to dedicate more employees. For example, he said, expecting victims to clear ransomware payments with the Treasury Department first assumes the agency has the staff to respond in any kind of timeframe that might be useful for a victim undergoing a ransomware attack.

“That’s why we were so dead set in putting forward comprehensive framework,” Reiner said. “That way, Department of Homeland Security can do what they need to do, the State Department, Treasury gets involved, and it all needs to be synchronized for going after the bad guys with the same alacrity.”

Some have argued that making it illegal to pay a ransom is one way to decrease the number of victims who acquiesce to their tormentors’ demands. But the task force report says we’re nowhere near ready for that yet.

“Ransomware attackers require little risk or effort to launch attacks, so a prohibition on ransom payments would not necessarily lead them to move into other areas,” the report observes. “Rather, they would likely continue to mount attacks and test the resolve of both victim organizations and their regulatory authorities. To apply additional pressure, they would target organizations considered more essential to society, such as healthcare providers, local governments, and other custodians of critical infrastructure.”

“As such, any intent to prohibit payments must first consider how to build organizational cybersecurity maturity, and how to provide an appropriate backstop to enable organizations to weather the initial period of extreme testing,” the authors concluded in the report. “Ideally, such an approach would also be coordinated internationally to avoid giving ransomware attackers other avenues to pursue.”

The task force’s report comes as federal agencies have been under increased pressure to respond to a series of ransomware attacks that were mass-deployed as attackers began exploiting four zero-day vulnerabilities in Microsoft Exchange Server email products to install malicious backdoors. Earlier this month, the DOJ announced the FBI had conducted a first-of-its-kind operation to remove those backdoors from hundreds of Exchange servers at state and local government facilities.

Many of the recommendations in the Ransomware Task Force report are what you might expect, such as encouraging voluntary information sharing on ransomware attacks; launching public awareness campaigns on ransomware threats; exerting pressure on countries that operate as safe havens for ransomware operators; and incentivizing the adoption of security best practices through tax breaks.

A few of the more interesting recommendations (at least to me) included:

-Limit legal liability for ISPs that act in good faith trying to help clients secure their systems.

-Create a federal “cyber response and recovery fund” to help state and local governments or critical infrastructure companies respond to ransomware attacks.

-Require cryptocurrency exchanges to follow the same “know your customer” (KYC) and anti-money laundering rules as financial institutions, and aggressively targeting exchanges that do not.

-Have insurance companies measure and assert their aggregated ransomware losses and establish a common “war chest” subrogation fund “to evaluate and pursue strategies aimed at restitution, recovery, or civil asset seizures, on behalf of victims and in conjunction with law enforcement efforts.”

-Centralize expertise in cryptocurrency seizure, and scaling criminal seizure processes.

-Create a standard format for reporting ransomware incidents.

-Establish a ransomware incident response network.

86 thoughts on “Task Force Seeks to Disrupt Ransomware Payments

  1. The Sunshine State

    Doing daily backups of critical data, should be on your list

    1. Anonymous 5796

      Definitely, but where will you host those backups?

        1. Stephen

          Wont save you…they get in weak security system months before they open trap. I been to many after the fact, its wipe and hope to restore unencrypted data to off site servers… its not easy.

      1. Mahhn

        Offline storage on location and a DR site of course. ’cause both are unlikely to burn down at the same time.

    2. Neil

      Sound advice, but it seems the trend of ransomware is moving away from straight encryption and more to theft of data with threat to release. No backup is going to save you from a guy threatening to release your private customer data to the internet.

    3. me

      1) People put too much information in the “cloud” that doesn’t need to be there.
      2) Some parts of the world that don’t follow the rule of law should be disconnected from the Internet.

  2. Ceyarrecks

    is it just me, or are nearly all advice on Ransomware attempts to treat only the symptom,
    while ignoring the Blue Whale in the room?
    Never does one see steps on how to properly secure & maintain the PC in which one “lives.”
    Never any “closing & locking of the windows & doors.”
    Never a “rooting out of the weeds that have grown in the seat cushions.”
    Never offered training on how to discipline one’s self in this Internet Age.
    However, notice in all OS cases(Linux, iPple, Winos), the purveyors are in fact, encouraging the “ease of use” or rather the “do not ever THINK about what you are doing;” while only giving token efforts on protecting the user and securing the OS… “AFTER the horses have left the barn{and the wolves entered instead}” by closing the “tissue-paper facade.”

    Since the above Principles are purposefully NOT being implemented, Security-related issues & News articles, regardless of what or where they are, will be a constant drone. <period.

    1. Impossibly Stupid

      This. The vast majority of exploits are via insecure Windows systems, yet they include *Microsoft* in their task force? Talk about the fox guarding the hen house! They’re not really looking to find the “root causes” and cure the disease, they’re just going to treat the symptoms in a way that primarily seems to allow them to seize assets now that cryptocurrencies has become widespread. If you liked the results of the drug wars, welcome to the digital version of that . . .

      1. JamminJ

        Research how task forces operate.
        You absolutely want the biggest offenders to be included.

        A task force isn’t just a bunch of people making decisions. But rather collectively evaluating a situation, coming up with courses of action, and executing those actions. Microsoft being a part of the task force… is a GOOD thing. That way they can be tasked directly to fix their crap.

        If they are not a part of the task force…. they could simply refuse to participate in any course of action (fix), because they didn’t have a seat at the table.

        1. Impossibly Stupid

          I’m sorry, but you don’t seem to understand how an *effective* task force operates. Companies, especially large ones, don’t need or *want* some external agency telling them how to run things. If Microsoft or Google or Amazon (or anyone else) wanted to fix their well-known problems, they’d just do the right thing and *fix them*. The only reason to get involved here is to gum up the works, and that’s already obviously the case based on the recommendations listed. You really don’t have a leg to stand on until you show evidence of the task force seeking to bring down the hammer (or even a fly swatter) on the companies that create insecure software in the first place.

          1. JamminJ

            You seem to just want to blame and punish, rather than find actual solutions to problems.

            Collaboration and getting everyone working together on common problems, is the purpose of a task force. They aren’t always effective, but they are more effective than your approach.

            You just want a hammer brought down, but these system problems in our industry are not simple nails. Simplistic ignorance of the problem, such as yours, leads to simplistic and stupid suggestions like, “just fix your insecure software”. And that is why we’re in this mess, because people think its an easy fix, so nothing gets done.

            1. Egotism

              You just like to input your own output, constantly. You’re on zero task forces. Just puffery.

              1. JamminJ

                So, no rebuttal? No argument? Just ad hominem?

      2. Disgusted by my industry

        GDPR and now ISO 27701 are supposed to fix that. However the big OS and application purveyors have not yet noticed the “by design AND BY DEFAULT “ mandate incorporated into each standard.
        The world will not improve until all the tracking and all the bloat ware and all the data stealing is specifically disabled.

      3. Moike

        > vast majority of exploits are via insecure Windows systems

        This phrase might as well be ‘vast majority of exploits are via the most common systems’. Witness the recent MacOS zero day which was just as bad as any of the recent Windows exploits.

        1. Richard

          The Internet was built for resilience, not to operate as a secure conveyance or environment for persons,
          businesses, or governments. Yet, it is access convenience, terms of service, and sloppy infosec that perpetuate data breach and malware infection.

          Einstein defined insanity as doing the same thing over and over and expecting different results. What’s curious about legal Internet use is the expectation of result — no breach or malware — but the outcome is the same: breach or malware infection.

          Internet components are fundamentally defect-laden, and this includes the human components.

          This ransomware suppression effort will become (or already is) the Vietnam and Afghanistan Wars of infosec.
          The exploitation of vulnerable organizations and components will intensify until there’s an international treaty enforced uniformly by all signatory nations to globally regulate cryptocurrency payments/transfers, and suppress malware deployment.

          Maybe when cats sprout wings and fly.

        2. Impossibly Stupid

          None of that is true. There is a *big* difference between the trojan that was just disclosed for macOS and the endless bugs in Windows that make it vulnerable just connecting it to the Internet. And Windows hasn’t been the “most common” system in a long time; Linux via Android phones dwarfs it. Regardless, Windows has always been *disproportionately* affected by insecurity. Even with an 80-90% market share, they weren’t sitting at 80-90% of the most damaging exploits, but 99.999%. It is baffling why anybody who isn’t a shill would be defending them. Astroturfing doesn’t fix actual problems.

          1. JamminJ

            I won’t defend Microsoft.
            But won’t give a pass to Google, Apple or Linux devs either.

            We are seeing an upwared shift in trend when it comes to exploiting MacOS, now that more corporate networks are are deploying Macs. That should tell you a lot about why there’s been such a difference in apparent security between Mac and Windows.

            Android, MacOS, iOS and Linux have all had LOTS OF MAJOR exploits. Not 0.001%
            What is your criteria for “most damaging exploits”? What you hear in the news? What news are you watching then?
            When you are a system admin focusing on a particular vendor product, it may SEEM like all the news is about your stuff.
            But when your a security engineer or architect who covers an entire enterprise… you start to understand how a Linux bug is a HUGE deal, even though it doesn’t make the news. You have to subscribe to security bulletins to really get a picture. Or better yet… talks to your vulnerability management team and look at all the critical CVEs.

            And if you have Macs, iPhones and Androids in your environment… you start to understand how end-user devices still have a lot of exploits, but since they don’t actually run your infrastructure, their exploits aren’t as impactful.

            So when you get told “market share” for Windows is why there are so many exploits… ask this…. “market share” for what? Business use, infrastructure, personal use?
            Personal end-user devices that don’t join corporate domains… aren’t getting the attention from exploit developers that “business” devices get. And certainly not the attention that corporate infrastructure gets.

            1. Impossibly Stupid

              > But won’t give a pass to Google, Apple or Linux devs either.

              Straw man. I didn’t give anyone a pass, I just called out MS for their history and questionable presence as part of this task force. Same with Amazon. My server logs show so many attacks coming from their IP space that it is laughable that anyone would turn to them for consultation on what to do about abuse. The DoJ should not be sleeping with the enemy.

              > We are seeing an upwared shift in trend when it comes to exploiting MacOS

              No, we are not. No system is 100% secure, and the Mac is no exception. But it *is* still so secure that somehow people will conflate the story of a mere vulnerability to trojans with things like the widespread Exchange exploit. They’re not the same; they’re not even in the same ballpark. Anyone who says otherwise should not be employed in the security field.

              > What is your criteria for “most damaging exploits”?

              Pwnable out of the box remotely, of course. Microsoft *dominates* that space.

              > So when you get told “market share” for Windows is why there are so many exploits…

              Again, nobody worth listening to will try to tell you that. There are so many bad Windows vulnerabilities because it is inherently insecure, full stop. If such a system is put into service in a manner that makes a subsequent *exploit* of those vulnerabilities valuable, that is a poor security decision and should result in IT management and staff being either retrained or retired.

              1. JamminJ

                “I didn’t give anyone a pass”
                I didn’t say YOU did. I said that I won’t.

                “Same with Amazon. My server logs show so many attacks coming from their IP space”
                Everyone with a security background will be laughing at you now.
                Are you really so triggered at Amazon?
                They are the largest hosting provider… so duh, the attacks will be coming from them. Don’t act surprised or indignant at them, just because you don’t understand how the Internet works.

                When I say “we are seeing an upward shift in trend when it comes to exploiting MacOS”… “we”, does NOT include you. You obviously don’t work in the enterprise security field. If you work in security at all, it’s probably some smaller organization. There are a lot of security handymen, in positions that really need experienced and licensed professionals.
                You are translating your lack of experience and visibility into what’s going on,… into proof that nothing is going on. Get out of your bubble, and join the security community at large. Then you’ll understand the scope of the problem.

                1. DSM

                  Picking fights again there pufferfish? Hint : it’s not everybody else. It’s you.
                  This isn’t ad hominem, this is a lighthearted way of saying you need to calm, cool your ego and stop being so confrontational in opine. It’s not helping.

                  1. JamminJ

                    So you didn’t actually defend or agree with anything he wrote?

                    My comments are perfectly calm. If you are reading hostility, then you may be projecting your own emotion.

                    Instead of commenting with name calling, did you actually contribute anything to the topic being discussed?

                2. Impossibly Stupid

                  > I didn’t say YOU did. I said that I won’t.

                  But you are. You *are* defending Microsoft. You *are* giving Amazon a pass. If it’s not a straw man, it’s motivated reasoning and/or moving the goal post. You’re a fount of logical fallacy, and I’m beginning to see why people with more experience with your comments here are writing you off. It did at first seem like an ad hominem attack to me, too, but you’ve proven you’ve earned your reputation.

                  > Everyone with a security background will be laughing at you now.

                  Only the incompetent ones. Organizations should fire anyone in their ranks that says something like “Oh, the attackers are coming from AWS hosts, so that’s OK!”

                  > Are you really so triggered at Amazon?

                  That makes no sense. What is getting “triggered” are my automated defenses, by hostile traffic, from Amazon servers. In objective reality, we call that evidence.

                  > They are the largest hosting provider… so duh, the attacks will be coming from them.

                  As with Microsoft, you again engage in the ad populum fallacy. No. Neither one (nor Google et al.) must *necessarily* be insecure just because they are large. Or perhaps you’re simply arguing that they’re monopolies that need to be split up because they’re causing harm? Whatever the case, get your thinking straight.

                  > Don’t act surprised or indignant at them, just because you don’t understand how the Internet works.

                  You’re confusing how things “work” with how things *fail*. Allowing attackers to be mixed in with an innocent population is usually seen as [a war crime](https://en.wikipedia.org/wiki/Human_shield). To consider such corruption acceptable says a lot about you.

                  > You are translating your lack of experience and visibility into what’s going on,… into proof that nothing is going on. Get out of your bubble, and join the security community at large. Then you’ll understand the scope of the problem.

                  I already do:

                  * Organizations compromised by the latest macOS trojan: 0
                  * Organizations compromised by the latest Exchange hack: 20,000+

                  It is you who has been living in a bubble. It is you who appears to be lacking the experience necessary to work in the security field, and demonstrating the Dunning-Kruger Effect in full force here. It’s probably for the best that you don’t actually link your comments to your real identity. I’m done with you.

                  1. JamminJ

                    “You are defending Microsoft. You are giving Amazon a pass.”
                    Nope. If that is your take away, then your bias is really skewing your vision. Simply pointing out that these huge companies are not some absolute evil, is not “defending them”. It is putting the reality in context. They have the largest market share, specifically in business. They are the biggest targets, which explains what you think you see, and interpret as something particularly malicious. Hanlon’s Razor applies.

                    “says something like “Oh, the attackers are coming from AWS hosts, so that’s OK!””
                    That’s an extreme/absurd statement. You like saying things are “straw man” arguments. This one is.
                    Nobody is arguing that it’s “Okay”. But if someone suggests blaming Amazon directly… then yeah, that person doesn’t understand how it works.
                    First offense, is a sit down with their manager… where the manager explains that Amazon is a hosting provider, and they aren’t the ones attacking them. Rather, it’s coming from rented space. Then show them the procedure for sending reports to Amazon and read them the relevant SLAs. There is a process to follow, and Amazon has contracts to follow. The offending host are generally taken down fairly quickly.
                    If this person keeps insisting the organization terminate our relationship with Amazon, or that we block the entire IP space, because “so many attacks coming from their IP space”… yeah, they would likely be laughed at (behind their backs of course). This kind of persistent ignorance and unwillingness to learn, isn’t tolerated for long, so transferred out or let go.

                    If Amazon, or any provider, fails their SLAs consistently, and is unresponsive to notices…. then that’s another story.
                    Like Parler… shutting down infrastructure services for the offending tenant is common and expected.

                    “… must necessarily be insecure just because they are large”
                    Again, you are making up this counter argument. Nobody has suggested this.
                    Being large is not an “excuse for being insecure” that is afforded to these companies. It is a “reason”!

                    Insecure software is a really vague, nuanced and complicated concept. Lots of factors, and can’t really be simplified. But SCALE is a significant factor.
                    Just as lines of code increase, the probability of errors increase. The overall size of an organization, increases the “attack surface”.
                    The “market share” of users, particularly in business, increase the the threat landscape. More bad actors are targeting your software/services. And not just more, but threat actors at higher sophistication levels. Compromising one Mac that isn’t on a corporate domain isn’t even interesting compared to compromising everyone’s business email system in one go.

                    All of this scales with size. So it “explains” why Microsoft, Google, Amazon, etc…. the industry titans… all seem the least secure.
                    You seem fond of accusing me of lots of logical fallacies, yet you don’t see your glaring observation bias. You aren’t working in a corporate enterprise with a diverse environment, where you would have visibility into all that goes on.

                    “Allowing attackers to be mixed in with an innocent population is usually seen as a war crime”
                    Geez dude… are you a conspiracy nutjob too? This is cyberspace. It’s been this from the start.

                    So you compared the MacOS trojan (which is newer, and the vast majority of businesses do not have MacOS on the corporate network)… to the nation-state attack on a Microsoft Exchange exploit (which has been going on for some time, nearly all organizations use Microsoft for infrastructure services)??
                    Apple doesn’t make an equivalent to Exchange. If Apple was the big corporate enterprise software giant, instead of in the consumer niche market, they would have a lot more vulnerabilities.
                    And again… compromising one Mac that isn’t even on a corporate domain isn’t remotely interesting compared to compromising everyone’s business email system in one go.

                    Nobody else is disagreeing with my actual argument, just that I’m too mean. I guess I come off as aggressive, but I don’t have sympathy for people who spout nonsense when they obviously don’t have any clue about this subject.
                    Seems like your a philosophy student, rather than someone who actually works in cyber security. Stick to your day job of calling out what you think are logical fallacies while ignoring your own. My experience is speaking for itself, you’re free to search for my handle on this blog and others. Your handle fits your personality, and your comments have not conveyed any real information on this forum, just airing of grievances against companies you hate.
                    I really hope you’re done. 🙂

    2. JamminJ

      “are nearly all advice on Ransomware attempts to treat only the symptom”

      The clue is in the name. RANSOMware is called that precisely because it relates to a specific endgame. Malware comes in all shapes and sizes, they don’t become ransomware until and unless the attacker demands a ransom. Cyber attacks have all sorts of motivations. Not all are based on extorting the victim.

      So it makes sense that this effort is laser focused on thwarting only the end result of the attack.

      I’d rather have this focus, than see them try to boil the ocean by trying to fix all cyber security related vulnerabilities and risk across the entire US private sector.

  3. Casual Reader

    It appears that the Washington Metropolitan Police Department paid the ransom for their data in the last few days as the sample and threat has been removed from Babuks leak page.

    So it appears while the police suggest people do not pay, they are doing so themselves.

    Some sort of task force is needed but I see them making all the wrong moves such as attacking cryptocurrency instead of the many other options they can take.

    1. EddieMunster

      The Government wants you to do as they say, not do as they do. Haven’t you been wearing your mask?

      1. JamminJ

        Federal government is different than city, county or state government.

        Local governments have been paying these ransoms for years. Even the small, rural governments that are diametrically opposed to federal government policies and oversight.

  4. Scott Schober

    Thanks for sharing/reporting Brian…great information.

    Interesting recommendations they have mentioned. I think a fair amount of ransomware attacks go unreported and we don’t always have a clear picture of how ‘bad’ it really is out there.

    stay safe


  5. Nostradamus T

    “DOJ was forming its own task force to deal with the “root causes” of ransomware”.

    We all know that Biden’s administration will find that white supremacy and racism are the root cause, right?

    1. EddieMunster

      There are “not enough people of color and 57 different genders, dealing with ransomware”.

  6. Paul B

    I’ve read a number of reports saying 90% of ransomware attacks started with a phishing email. If you’re looking at “root causes” it’s the security around email and user education that has to be addressed first.

    Email systems typically have few security features turned on and the ones that are typically are not strictly enforced. This is all done to ensure “business processes” flow smoothly and people can communicate properly, I get that but it does no good if the bad guys can send in links that download ransomware or worse.

    User education is also important and I know from running a number of phishing campaigns that some people just don’t get it or don’t pay attention, both attitudes are dangerous to a companies security. Strict enforcement of consequences for failing a phishing test should be the norm, but often I’ve seen just the education being pushed and no other consequence for the failure. I have also heard of the other side of that coin with draconian measures like dismissal for failing a phishing test, which is way too harsh and really only should be considered in extreme multiple failures.

    Taking the human factor out of the mix by hardening the email systems and enforcing strict security protocol policies will go a long way to reduce issues. we still have a PEBKAC issue which is always going to be a tricky one to solve.

    1. Impossibly Stupid

      It’s wrong to focus on email, since that is simply the channel that has the largest online reach. Just like crooks used the telephone to run scams before the Internet, they can and do just as easily slide over to some other non-email messaging systems to find their marks online. As you say, this is fundamentally a human problem, brought about by how poorly certain technologies are implemented and used. For example, use of unique/disposable email addresses for individual contacts would go a long way toward identifying and eliminating phishing attempts from the start. I’ve done this for years, and not only does it make me difficult to phish, it allowed me to recognize when TD Ameritrade’s systems were compromised and customer information was used to send stock scam spams.

      1. Steve

        I agree with your name. As the original user said, it starts with email security and user education; I’m not sure why you stopped reading the sentence after the ‘and’.

        It also completely makes sense to go after the thing that is currently causing 90% of your problems. In what world are you living in where it doesn’t make sense to focus on the thing that is causing the vast majority of the problems…

  7. Jerry Horton

    Where do I begin?….
    “Root cause” – the majority of ransomware attacks are extremely low risk for the cybercriminal and easy to launch; they are insanely profitable; the infrastructure and personnel used to develop and launch ransomware attacks are globally distributed and largely not subject to US laws, regulations, or law enforcement scrutiny; cryptocurrency is not tied to any country, government, regulation, or even any real specie, not to mention the fact that is decentralized by design; basic cybersecurity hygiene, while generally improving, is horribly lacking in most businesses, especially those with extremely tight budgets dependent on public monies – i.e. hospitals, schools, governmental agencies.
    Clearly, this is not an exhaustive list, but it should give the Feds a running start.

    Next, in typical political fashion, the efforts are focused almost entirely on the aftermath of ransomware rather than an aggressive plan to incentivize cybersecurity hygiene and bolster CISA – the only government agency that has a reasonable chance of assisting in prevention and incident response, assuming they actually have the budget and agents to work with the private sector partners. It has been my experience that reporting and intelligence regarding why the barn door was open in the first place is rarely effective in bringing the cows back and keeping them in the barn if those lessons aren’t applied aggressively.

    Finally, having sat on more than one governmental working group regarding cybersecurity, I can categorically state that a) they consume enormous efforts and resources; b) do not always produce results which are effective outside of government agencies; and c) do not effectively propagate public-private partnerships well. At least the efforts have improved over the years, but we seem to fight the same battles over and over with only a modicum of progress.

    All that having been said, I will likely serve on any working group or committee dedicated to these efforts. And good luck to all…

  8. BaliRob

    From the moment I was held to ransom and refused to pay – I was one of the very first victims recorded – I have said BAN CRYPTO CURRENCY – its only purport is for use in crime.

    Every opportunity I get I broadcast this FACT.but never receive supporting comments.

    Am I the only.one to expose Crypto Currency for.what it is – an enormous multi-marketing tool for crime. I challenge ANYONE to justify this obscene monetary system ?

    Hiding any transaction is tantamount to crime even if just to avoid tax.

    Without Crypto Currency the would be NO ransomware QED

    1. JJHunter

      They would find another method of getting payments. Gift cards, Western Union to name a few.

      1. JamminJ

        Cryptocurrency lowers the risk for these criminals. By a huge factor.
        Gift cards and Western Union might indeed be the fallback… but that comes with significant risk, and is much harder to scale.

        Money mules start to eat into their profits, and the gift card / wire transfer payment industry can be the next target for crackdowns.

        Banning cryptocurrency doesn’t kill the problem entirely… but it can be a deep wound that could mitigate this huge problem to something more manageable.

      2. example

        “They would find another method of getting payments. Gift cards, Western Union to name a few.”

        Ah yes, 14 million dollars in WU and Steam GCs are so easy to acquire and launder!

        What’s with all the weird trolls in the comments here?

    2. SentientSystems

      Ban crypto currency? It’s only use is in crime? REALLY? BaliRob; nobody owes you an education or their time, least of all me, but there is much that you and others have yet to learn and to internalize about cryptoassets.

      Firstly, the same thing was said about banning the internet back in the day by many who lacked understanding, education and vision – They said that the only use for the internet was for sharing of unspeakable forms of pornograpy involving children, for illicit file sharing and for enabling the sale of narcotics.

      I should also remind you that the US Dollar is the favoured currency of the worldwide criminal fraternity and it is in fact regulated BANKS that are their complicit facilitators. Further, the vast majority of bank notes, if lab tested will show traces of narcotics.

      With possible exceptions of Monero and Dash, the vast majority of crypto currencies running on open public blockchain networks are transparent public ledgers with all transactions visible for all of the world to view and trace, enabling law enforcement to gather evidence and to bring bad actors to justice. Many companies such as Chainalysis and Ciphertrace assist law enforcement to do this.

      There are many studies which have investigated and found that the vast majority of cryptoasset transactions are for lawful purposes and there are many useful applications for cryptoassets and their native blockchains. In the years ahead, this will become self evident and beyond dispute.

      1. JamminJ

        Lot of bold, unverified claims.

        First, nobody really suggested banning the Internet. Scientific collaboration and E-commerce was a huge benefit from the start. So don’t even try this false comparison with cryptocurrency.

        The US dollar has actual buying power. Cryptocurrency is usually an intermediary. People don’t buy legal goods and service with cryptocurrency, they exchange them for cash first.
        And you’ll have to provide a credible source for your claim of narcotics being present on “the vast majority” of bank notes. Extraordinary claims.

        Cryptocurrency can indeed be traced, but criminals use it because there are breaks in the chain. As they get exchanged, it is trivial to stop an investigation dead. Criminals know tricks to launder money. With cash, it’s easy. But with cryptocurrency it is MUCH easier. So that’s why criminals prefer cryptocurrency.

        And again, as with your other unverified claims… you’ll have to show credible sources regarding your wild claim that “the vast majority” of transactions are lawful.

          1. JamminJ

            Thanks. Yuck, gross. That article also links to studies that say the vast majority of bills also have poop on them.
            So not exactly an indication that drug distributers in 2020 still prefer cash to cryptocurrency. Anything, it shows that bills in circulation 30 or 40 years ago would still skew the numbers.

            And yep, very few people accept bitcoin, the most popular of the cryptocurrencies. Something like 0.001% of vendors accept it.
            It is growing, but merely accepting it is not really an indication of how much it’s actually used in transactions.

            Interestingly, Tesla as a brand has become popular with criminals as a status symbol.
            Not be surprised if several Tesla’s were purchased as a form of money laundering and gifts.

            Newegg is no surprise, they were first to adopt cryptocurrency because they were also one of the top sellers of the hardware needed to mine cryptocurrency. Kind of a self-fulfilling circle of demand.

    3. JamminJ

      There are many who agree with you. Just don’t expect too many replies that express agreement, as disagreement is a much more significant motivation to write a comment.

      I think there are only 3 reasons to have cryptocurrency:
      1) Speculators – people who buy/sell coin strictly to profit of the movement of value. Not to actually buy or sell products or services, or to contribute to the economy at large. These people only buy or sell when volatile, so if stable, they hold.

      2) True believers – These folks really want to see a world without centralized control of money. They are the privacy evangelists, sometimes overly paranoid, and occasionally conspiracy minded people who want to buy goods and services with cryptocurrency. Some are math geeks who see the beauty in concepts like blockchain.

      3) Criminals – These people will pretend to be either (1) or (2). The real value for these guys is in the anonymity, not the immutable ledger, nor the speculative value, nor the resistance to inflation or other features.

      (3) is probably the largest share of cryptocurrency market transactions. (1) may “hold” more cryptocurrency by volume, but (3) criminals do way more in transactions, and are truly using it as currency, not just a speculative commodity.
      (2) simply isn’t a lot of people. There may be an over-representation here on a security forum, but there really aren’t a whole lot of true believers in the real world.

      1. Charlie B

        You missed a fourth reason, JamminJ:

        4) Rubes or suckers who get taken in by (1) or (2) because it’s new and shiny and it’s all electronic and by golly, there can’t be anything wrong with something so new and exciting. Similar to “early adopters” who don’t have any understanding at all of what they’re adopting.

        1. JamminJ

          Not sure those people exist anymore.
          Only the first cryptocurrency to hit the news would be new and shiny enough. And only when it was cheap enough too. Like pennies.

          Anything beyond that first cheap novelty, and people can only justify buying if they think of it as an investment.
          Technophiles who just want the latest and greatest, still need some intrinsic value. Currency isn’t that.

          Even real world coin collectors who may not fall under the label of “speculator”, justify collecting with historical value and/or scarcity. So maybe a fourth type (collector) will be a thing after bitcoin has reached its mining limit. Even then, owning multiple would mean they are still speculators.

          Perhaps this:
          4) Founder – the very small group of silicon valley types who develop their own cryptocurrency coin and are “gifted” via an ICO (initial coin offering).
          But still technically a subset of the “speculator” I guess.

  9. Wayne

    While the concept is fine and laudable – trying to make it unprofitable for those launching the attacks, the problem is that the model has changed to blackmail after the encryption to prevent the release of sensitive documents. If they consistently thwart the criminals from getting paid, then considering how little effort goes in to compromising and extracting the information, I see them changing their model to purely a revenge model and just extracting and publishing.

    They’ve already made a lot of money. If their effort is minimal, and they’ve got a big enough cushion/bank balance, why not just coast and make their lack of income as painful as possible for those punishing them until they come up with a workaround that isn’t being blocked.

    1. JamminJ

      That is a good explanation the describes why these efforts will result in a lagging indication of success.

      Ongoing cyber crime operations will continue. It can’t really deter anything already in motion.
      But after a few months or even years… will a cyber crime group really be able to recruit? Will their hackers really want to spend time hacking an organization if the payoff seems less and less likely?

      If the effort is truly “minimal” then maybe it’ll still be worth a shot to compromise a company. But that bar gets lowered as you decrease the chance of payoff. So the “minimal effort” to hack a company becomes so low, it becomes a “crime of opportunity”.
      This is great, because then companies can easily meet that bar with the bare minimum security. Patching the low hanging fruit vulnerabilities.
      Simply locking the front door might be enough to get the criminal to decide to pass by instead of expending the effort.

      1. Wayne

        I’m retired from IT, but I like to keep abreast and I now work in a university library. I did an annual survey yesterday. The university-wide IT recently added a Microsoft Authenticator to email access, but nothing for logins except long passphrases. I commented that they’re really lacking in their annual training if they’re not having a module in training people how to recognize phishing attempts. They have accounts compromised every year and send out email alerts about it every year but do nothing to train, apparently nothing has yet resulted in a serious takeover.

        There’s always the constant problem of IT being viewed as a Cost Center and a drain on profitability.

  10. Jay

    The Internet wasn’t designed for security, nor were most OSs or apps. People interested in the general topic of computer security for businesses and government agencies might want to read a few of these books: by Richard A. Clarke: Warnings; Cyber War; and The Fifth Domain. By Nicole Perlroth, This Is How They Tell Me The World Ends. Clarke explains how underdeveloped and underfunded the security defense part is, both by government and the private sector, and how resistant most businesses are to cutting profits to prevent the problem. He also explains how a cadre of competent security professionals might be grown. Perlroth wrote about the Zero Day exploits industry, how it is used, and a lot more. These books provide context for Brian’s article and the comments above.

  11. Incredulous

    The Department of Treasury has a backlog of millions of tax returns from LAST YEAR. How does anyone seriously think they are up to the task of processing anything real time?

    1. JamminJ

      The IRS is only a part of the Department of Treasury.

      The Secret Service was once part of the Treasury too.

  12. JamminJ

    The IRS is only a part of the Department of Treasury.

    The Secret Service was once part of the Treasury too.

  13. JamminJ


    Seems there is a vuln in the comment section of KOS, attempted exploit by “Huntington”.
    Improper input sanitation allowing unicode vertical text characters with unlimited height. On mobile devices, it renders within the html boundaries of the comment box. On desktop, it overflows to obscure previous comments.

    Brian, you’ll have to fix. In the meantime, browser userscripts/dev console can remove.

  14. Troy

    Interesting. I thought it was just my browser but see it again, JamminJ.

  15. Mike

    There is a problem I’ve observed. The compliance requirements for handling of PHI/PII under HIPAA and Hi-Tech, as well as requirements for FDIC member banks are simply not enforced, full stop. As a result, providers and banks do not put priority or spending towards keeping their systems up to par. I have dealt with dozens of med providers and banks who were running unsupported OS’s and software. Never, in my entire career, have I seen either be held actually accountable by the govt for failing to keep to “requirements”. Meanwhile, Microsoft’s license audits are extensive and I’ve repeatedly seen businesses forced to upgrade stolen copies of Windows and Server, why is HIPAA and FDIC so broken? These owners must be forced to comply or they never will. Any banker will gladly sell you a photo of a vault, if it means they don’t actually have to buy one.

    1. JamminJ

      I’m not sure about the medical industry, but banking / finance is intensely regulated.
      The FDIC is not the regulating authority here.
      GLBA/SOX are more pertinent. The FED has very detailed audit programs.
      There’s a lot of coordination between a bank’s compliance department and regulators.

      In my opinion, it’s not enough to achieve even decent security, but compliance with audit is always taught to cyber security professionals as the bare minimum.

      1. Mike

        Here’s been my experience with the banking regulators. The bank receives a checklist from whichever regulatory body they’re responsible to. This form has a hundred or more basic questions like, are your systems supported by their manufacturers? Do you use firewalls and are your mobile assets encrypted? The form threatens perjury to whomever may lie on it. This gets handed off to the IT guy, who lies instead of throwing their job or boss under the bus. Then its returned to the fed. If there’s any reply, the fed will pick 1 or 2 elements to drill into, but thats it. The larger problem, is i work for an MSP that gets hired for projects, including server and windows fleet upgrades. I’ve repeatedly seen banks, mostly local or regional banks, running versions of windows server, softwares and hardwares that were abandoned by the OEM several audits ago, as well as laptops not encrypted. I just work one still on vmware 5.5 last month. So either every IT guy has chosen to lie for years, or they admit the systems are outdated and nothing happens. The medical industry is way worse, the enforcement does not exist.

        1. JamminJ

          Geez… sorry to hear that.
          I have more direct experience. Not local or regional, so maybe it’s like most things… small scale gets overlooked by regulators.

          LFI’s get significant scrutiny. There are several delineating thresholds, something like $50bn in assets would be a different tier compared to $500mil, for instance.

          In person FED exams, large internal audit teams, Chief Compliance Officers held accountable, the Chief Risk Officer is involved too. This “lying” you speak of, would only fly for so long, and isn’t worth the MRAs, MRIAs, fines, and possibly losing the authority to operate as a financial institution.
          Careers are easily destroyed at this level.

          If the bank is very small, maybe they get away with stuff like that. But in the pro league… the bureaucracy really does prevent such nonsense.

          1. Mike

            I was wondering if there’s a break-off point between the large institutions, who have entire security departments and annual red team budgets and the smaller regional banks who tend to be staffed with a single IT department, or single person that handles everything. The small operations do indeed get left behind for such scrutiny. Unfortunately, there’s no way on the green earth that most of my customers in this category could afford a security department or lifecycling out hardware when its warranty ends.

            1. JamminJ

              Most cyber security functions can be outsourced. A SOC can be contracted out to something like Dell secureworks. Incident response can be hired out as well to many firms. Even annual pen test requirements are often required to be outsourced even by the big Banks (for independence).

              Of course, not having your own resources in house just means outsourcing the risks as well… But there can be a lot of cost savings for small, regional banks.

  16. Jimbo

    The Department of Treasury has a backlog of millions of tax returns from LAST YEAR. How does anyone seriously think they are up to the task of processing anything real time? Last years tax returns? Federal Individual Tax Returns and Income Tax Payments are Due by May 17, so what if millions of returns haven’t been processed, they haven’t been submitted and aren’t due and can be extended. Then add in the millions of corporate and non profits that are not yet due…

    -Create a federal “cyber response and recovery fund” to help state and local governments or critical infrastructure companies respond to ransomware attacks. – this is extremely bad idea, it just encourages the state and local governments to keep paying, it’s not their money. Just like the city and state budgets for law suites it encourages the government to do bad things like killing people.

    Why not automatic jail time for anyone that pays in any way, under any circumstances. Make the disincentive greater than the threat and the payments will stop.

    1. JamminJ

      The IRS is only a part of the Department of Treasury. The Secret Service was once part of the Treasury too.

      This a very large department of the federal government. One of the oldest too. You cannot judge the capability of something not yet created, based on your own grievance with a completely separate division like the IRS.

      “cyber response and recovery fund” does NOT mean paying the ransom with that money.

      What is “automatic jail time”? Like without due process in court? Or like mandatory sentencing? Because that fails every time.
      Read the article. The task force will not recommend making it illegal to pay ransoms.

      1. Mike

        I agree that direct punitive treatment of payers wont solve the issue, for all the reasons you mentioned. This is like sports doping, where paying the ransom is the mandatory cost of continuity. There’s also a similar, unwinnable arms race between the perpetrators and the those trying to stop them. We must find a way through legislation to flip the cost/benefit ratio, to make not paying the most desirable decision to the victim. Sports doping was curbed by changing the rules to say, we’re keeping your blood samples for years, if we find dope in it 15 years down the road, now you can have your entire career retroactively disqualified. This flips the benefit ratio, there’s no incentive to dope because the benefits will inevitably be erased. We need to game theory the victims incentive structure or the cycle will never stop.

        1. JamminJ

          Good analogy Mike.
          In sports, they get medals. In business, they also have reputation.

          One of the things this task force is recommending is to make reporting mandatory.
          It won’t work to make it illegal to pay ransom, but if businesses had a serious hit to their reputation if they pay a ransom… That could have the effect on incentives like you mentioned.

          You can see the attackers cost benefit analysis trending over time.
          When ransomware first started becoming an epidemic, it was very hit and miss whether or not the criminals would fulfill their end of the bargain if the company paid the ransom. But in recent years, a new generation of ransomware platform services has evolved. Cyber criminals are going through great lengths to provide customer support and guarantees for ransom payers.
          Another thing that has evolved is the switch from pure encrypting data and denial of service… Is the data breach threat of release to the public.

          Companies are more afraid of a blow to their public reputation due to a breach, than merely losing the data and having to rebuild or restore.

          But laws requiring notification of data loss is not uniform, varies by industry, and can be circumvented by classifying data differently.

          So I agree with you and the task force, that any and all breaches, big or small, and regardless of data type (NPPI, PHA, PII, etc.) It should be legally required to disclose to a central federal authority, with the default that it will be publicly disclosed in a timely manner.

  17. Swedish Fish

    Look at all these fucking god damn DOJ Ransomeware experts in the comment section

  18. Gabriel grey

    I would love to join that doj taskforce I guarantee you they will learn the difference between the two

  19. shjdcbc

    None of that is true. There is a *big* difference between the trojan that was just disclosed for macOS and the endless bugs in Windows that make it vulnerable just connecting it to the Internet. And Windows hasn’t been the “most common” system in a long time; Linux via Android phones dwarfs it. Regardless, Windows has always been *disproportionately* affected by insecurity. Even with an 80-90% market share, they weren’t sitting at 80-90% of the most damaging exploits, but 99.999%. It is baffling why anybody who isn’t a shill would be defending them. Astroturfing doesn’t fix actual problems.

  20. JamminJ

    Until Brian fixes the server code with some input sanitation…. here is a client side fix using jquery:
    $(‘section.comment-content’).children(‘p’).each(function() {
    var fix = $(this)[0].innerHTML.replace(/[^\x00-\x7F]/g, “”);

    1. JamminJ

      This is a bit more concise and won’t remove characters like quotes.

      $(‘section.comment-content’).children(‘p’).each(function() {
      $(this).html( $(this)[0].innerHTML.replace(/[^\x00-\x7F\u2018-\u201d]/g, “?”) );

    2. JamminJ

      This isn’t XSS or SQLi so likely overlooked by wordpress publisho since this isn’t really a security bug.
      Rather, it’s a UX problem, an annoyance that apparently has piqued the interest of kiddies who frequent this site.

      Cyberchef is a nice tool for learning this sort of thing.

      return input.normalize(“NFD”).replace(/[\u0300-\u036f]/g, “”);
      //reference: https://stackoverflow.com/questions/990904/remove-accents-diacritics-in-a-string-in-javascript/37511463

      My previous code, is for anyone running client userscript code with jquery… but Krebsonsecurity ultimately needs to do better input sanitation server side.
      Since this isn’t XSS or SQLi input sanitation… you don’t necessarily need to be so strict with allowing only the small set of characters, like I’m doing. Rather, like Cyberchef, it can specifically remove the “diacritics”, the accent marks.
      Diacritics are unicode characters between \u0300 and \u036f

      These diacritics are not well handled by the wordpress system and seem to have no limits on heights, leading to an overflow and obscuring other comments. I guess that’s the intent of the trolls.

      So either wait for a wordpress fix, or add some simple one-liner javascript to the server to eliminate the bug.

  21. PHP

    Isn’t this easy ?
    Just make fake transaction, use tax payer money to mine, and then commit the false transactions taking money from the crooks. Would also kill Bitcoin once and for all.

    I read you need about half the mining capacity to control the system completely.

  22. Mike

    One solution I’ve never seen suggested in polite company. We all agree that the crook who’s running the ransomware is generally unreachable due to political boundaries. Russia and China for example do not help the USA track and prosecute the perps. Either via complicity or their governments outright participation in the crime. Why is the USA not conducting or supporting their own ransomware feeding frenzy on these countries? Screw em, lock up Moscow pd and the chineese social credit db every other week. Then when they accuse the USA of complicity, we’ll just smugly and deny it like they do. With our tech and talent, we could crush their utilities, their profit centers and their governmental infrastructure. Maybe then an agreement over accountability and extradition can be reached with the shoe on the other foot.

    1. JamminJ

      I’ve heard it suggested, politely and not so politely.

      The most reasoned answer has been that it’s asymmetric.
      Basically, an all-out cyber war would ensue, regardless of acknowledgment.

      This would be bad for the United States because we would be disproportionately disadvantaged in this war.
      It’s not like the cold war where mutually assured destruction would be devastating equally.
      Rather, since the US is extremely reliant on free market capitalism, while our opponents are either mostly communist or still have very strong central controls over their economy… They could better survive these types of attacks.

  23. mahhn

    “root causes” = bad people.
    Cure = Thanos.
    but keep on thinking a device or software will fix the human problem, you’ll just have less money.

    1. security vet

      …wasn’t thanos some drug in a dystopian novel that i can’t remember the name of right off?…

      …as i recall it didn’t turn out so well…

      1. security vet

        …never mind – it was Thanatos and the Author was Walker Percy…

  24. Ken

    I can’t imagine Biden solving anything, but a strong deterrent in place such as long prison sentences, this problem will increase, it’s weak penalties not security.

  25. LJean Camp

    Not focusing on further punishing often helpless victims by prohibiting payments is critical. “Increase support for ransomware victims”. that is the best part of the report.

    Research shows that immediately after an incident investment in security increases. Providing timely support and good information to victims will make a significant difference over time.

    Another thing shown to increase investment is information sharing. So the focus on structures and communication to address the challenges reflects what has worked: the London Accords, MANRS. Identification of kill-chain; need for faster takedown of botnets, entire ecrime/spam/hosting infrastructure. Ransomware as part of the larger ecosystem, on RaaS and international implications are strong recommendations.

    Requiring local governments to adopt limited baseline security measures requires local governments that *can* do this. Support first, requirements second. Also, SUPPORT IS NOT A ROLE FOR LE. Do not harm, harass, or punish victims. Nerd victim support not law enforcement.

    Arguably more important, more feasible, more effective than Know Your Customer is Identify Criminal Bits. Victims that pay in cryptocurrency paid in specific identifiable string. There is a fair amount of work on this. Make mining of ransomware bits worth less than other bits, maybe poisoning entire wallets. The work out of Cambridge CS Lab is very applicable here.

    So where does this help come from? Failed to mention the need to Fully Fund Future Defenders. Scholarships are grossly underfunded. 550 applicants with at >3.25 studying #infosec, wanting to work for DoD, US citizens, willing to obtain a clearance then only 68 students have CySP scholarships. All recommended students should be funded. Here at IU we have ~10 good students for every SFS opening.

    So maybe a B-.

  26. illumina23

    >Some have argued that making it illegal to pay a ransom is one way to decrease the number of victims who acquiesce to their tormentors’ demands. But the task force report says we’re nowhere near ready for that yet.

    How about instead: Make it illegal for an insurer to pay a ransom on a client’s behalf, or to sell a policy promising to do so.

  27. Steven Brown

    “-Require cryptocurrency exchanges to follow the same “know your customer” (KYC) and anti-money laundering rules as financial institutions, and aggressively targeting exchanges that do not.”

    That is the key to defeating ransomware. Without the ability to collect ransom anonymously, the criminals would have no opportunity to extort money. There is no rationale by which cryptocurrency should not be subject to the same regulations that pertain to normal currency transactions.

Comments are closed.