It’s official, the US is now considering ransomware attacks equivalent to terrorism when it comes to investigative priority. Not surprising given the rise in successful attacks against critical targets supporting infrastructure in the United States. Personally, I think it has taken too long to get to this point given the severity of the economic impact these attacks have had even before the Colonial Pipeline event.
The TL;DR of this announcement is that more coordination is expected between federal agencies and regional offices when these types of events occur. There is also the expectation that all of these events will be monitored, reviewed, and acted upon by a central task force recently created by the federal government.
While certainly a step in the right direction, I think we need to be even more blunt in sending a message to the nation states and criminals who desire to carry these attacks out. The message needs to be clear that if you attack US infrastructure, there will be direct and severe consequences. It is not enough to sanction a government agency or an individual, that is largely a symbolic gesture with little impact in reality. The only persuasive response to these attacks is cripple the attackers’ ability to carry them out again and remove their ill gotten gains from any ransom taken from victims.
While not explicitly acknowledged that these steps are being taken, it appears that something is starting to happen. Just today the FBI announced they recovered $2.3 million in Bitcoin from the Darkside ransomware group. This suggests that US federal agencies such as the FBI, NSA, and CIA are likely collaborating and working to actively deny these attackers access to any economic benefit from their illicit activities. I can only hope that these efforts are maintained going forward and we continue to see more stories about ransomware groups going dark because their line of work no longer pays.