DOJ to give ransomware attacks same level of priority as terrorism

WASHINGTON—Following a slew of cyberattacks that have crippled the nation’s critical infrastructure, the U.S. Department of Justice (DOJ) issued a memo to U.S. attorneys’ offices on June 3, 2021, to elevate ransomware attack investigations to the same level of priority as terrorism.

The memo, issued by Deputy Attorney General Lisa Monaco, directs U.S. prosecutors to report information on all ransomware investigations they are working on to the recently formed Ransomware and Digital Extortion Task Force in Washington.

This guidance comes in the wake of arguably the largest cyberattack against U.S. critical infrastructure in the country’s history, when Colonial Pipeline suffered a devastating ransomware attack on May 6 at the hands of cybercriminal group DarkSide. The cyberattack shut off the country’s largest fuel pipeline - delivery of an estimated 45 percent of fuel consumed on the East Coast - for nearly one week before resuming fuel delivery on May 12.

Just last week, another devastating ransomware attack crippled the world’s largest meat supplier, JBS USA, affecting servers supporting its North American and Australian IT systems. The cyberattack, which the FBI announced was orchestrated by Russian-based hacker group REvil, forced JBS to suspend operations at all U.S. plants until resuming operations on June 2. 

The DOJ memo specifically refers to the Colonial Pipeline cyberattack as an example of the "growing threat that ransomware and digital extortion pose to the nation."

"To ensure we can make necessary connections across national and global cases and investigations, and to allow us to develop a comprehensive picture of the national and economic security threats we face, we must enhance and centralize our internal tracking," the directive said.

In addition to ransomware and digital extortion, the guidance applies to all investigations and cases that involve “a subject or target under investigation primarily for the unlawful operation of infrastructure frequently used in ransomware and digital extortion schemes, including but not limited to:

• Counter anti-virus services;
• Illicit online forums or marketplaces that advertise or sell ransomware, digital extortion tools, or hacking tools and network access credentials (i.e. vectors by which ransomware may infect a network, including Remote Desktop Protocol credentials or shells);
• Cryptocurrency (or digital currency) exchanges, mixers or tethers;
• Bulletproof hosting services;
• Botnets; and
• Online money laundering services.