Published by The Lawfare Institute
in Cooperation With
The Biden administration has declared cybersecurity a top priority and, in the wake of the attack against Colonial Pipeline, has reiterated its resolve to battle ransomware. The Department of Justice, for its part, has launched a ransomware task force charged with developing a strategy to target the entire criminal ecosystem around ransomware. Yet, when Attorney General Merrick Garland appeared before the House Appropriations Committee earlier this month to highlight the key priorities in the department’s 2022 budget request, cyber did not make the list.
To fight ransomware, the Justice Department should follow the playbook that it used against organized crime in the 1960s and terrorists after 9/11. The department needs a “troop surge” of cyber prosecutors and agents to conduct long-term, proactive investigations into ransomware gangs and the organizations that enable them.
None of this is meant to diminish the need for policy changes or to increase investment in defensive cybersecurity. The recent executive order addressing information sharing, breach notification and supply chain security is a step in the right direction. Policymakers should also consider proposals that discourage ransomware payments by helping victims rebuild their systems and by limiting the distribution of stolen data that was the subject of a ransom demand. But a surge of resources for proactive investigations into organized cybercrime is the lowest-hanging fruit on the tree of possible policy responses to ransomware. It should be picked immediately.
Ransomware Gangs Depend on a Highly Organized and Highly Specialized Cybercrime Ecosystem
In the popular imagination, hacking is committed by lone wolves with exceptional computer skills. But in reality, the vast majority of hackers do not have the technical sophistication to create the malicious tools that are essential to their trade. Hacking has exploded in recent years because criminals have specialized and subspecialized so that each one can concentrate on facilitating just a single phase of a successful data breach. This is known as cybercrime-as-a-service and it is a massive business. As summarized by the Cambridge Cybercrime Centre, cybercrime economies have a “‘core and periphery’ social structure, whereby a very small community of highly skilled actors develop exploits and vulnerabilities into tools, which are then sold to and used by much larger communities of lower-skilled actors, often known as ‘script kiddies.’”
This specialization is critical to the success of ransomware gangs. To commit a successful ransomware attack, one needs three main things: access to compromised networks (ideally of an organization with deep pockets and a high dependency on computers), malware that can remotely and securely encrypt the victim’s data, and a means to receive and launder the resulting ransom payments. Unfortunately, there are cybercriminals who specialize in providing each of these services, and the widespread availability of such services is the main reason for the recent explosion in ransomware attacks. Each of these services has subspecialities and cybercrime forums that serve as a marketplace for buyers and sellers.
Hackers and Botnets
Some cybercriminals specialize in gaining unauthorized access to computer systems. These criminals may gain remote access to a large number of computers (called a “botnet,” short for “robot network”) that can be controlled from a single command-and-control server. Or a hacker might gain access to one particularly valuable computer system, such as that of a large corporation. Rather than directly monetize access to these hacked computers themselves (which takes time and requires a different set of skills and tools), these hackers often sell or rent their unauthorized access to other criminals. While botnet operators offer their services to many different cybercriminals, ransomware gangs have become their most enthusiastic clients. The best example of this is the Emotet botnet, whose infrastructure was largely dismantled by the Justice Department earlier this year. According to the department, Emotet malware infected more than 1.6 million computers worldwide. Once it infected a victim computer, Emotet could deliver additional malware, such as ransomware or trojans that go after financial information. Emotet’s biggest clients reportedly included ransomware groups such as Ryuk and the data-stealing trojan TrickBot.
Once a ransomware attacker gains access to a compromised computer, the attacker needs to deploy specialized malware that will encrypt the victim’s essential data in a manner that even the best codebreakers can’t break. Developing and continually updating such malware requires highly skilled cryptographers. Typically, these ransomware developers do not use their own products. Rather, they deploy a Ransomware-as-a-Service (RaaS) model, in which the individuals who conduct the ransomware attacks, known as “affiliates,” rent usage of a particular ransomware strain from its creators or administrators, in exchange for a cut of the money from each successful attack. The RaaS model largely eliminated the technical knowledge needed to conduct a ransomware attack, leading to a staggering increase in such attacks. In 2020, two-thirds of the ransomware attacks analyzed by the cybersecurity firm Group-IB were perpetrated by cybercriminals using a RaaS model. NetWalker, which was recently the target of a Justice Department enforcement action, uses a RaaS model, as does DarkSide, which was responsible for the attack on Colonial Pipeline. Although many commentators did not take DarkSide seriously when it issued a corporate-sounding apology for the Colonial Pipeline attack (promising to “introduce moderation and check each company that our partners want to encrypt to avoid social consequences in the future”), DarkSide’s mea culpa was indicative of a larger truth: It uses a franchise model and has little control over the targets chosen by its “partners.”
Once a ransomware gang ensnares a victim that is willing to pay, it needs an untraceable way to receive payment. Criminals almost always demand ransom payments in cryptocurrency—typically Bitcoin or Ether—because it can be transferred without a third-party intermediary, such as a bank, that might assist law enforcement in tracing the funds or identifying the perpetrator. It is no coincidence that ransomware attacks have soared with the advent of cryptocurrency. But cryptocurrencies have a vulnerability as well. They typically rely on public ledgers, which means that law enforcement can trace the transfer of cryptocurrency from one crypto wallet to the next. The Justice Department can seize cryptocurrency that constitutes the proceeds of crime, and the Treasury Department’s Office of Foreign Assets Control (OFAC) has begun freezing cryptocurrency by publishing digital currency addresses that are associated with ransomware. Ransomware gangs therefore need a way to convert their ransom payments from cryptocurrency to fiat currency. This is normally done through the use of cryptocurrency exchanges or “mixers.” These services are essential to the ransomware business model.
But how do you find hackers willing to rent out their botnets, malware developers to write encryption code and money launderers to exchange tainted cryptocurrency for clean fiat currency? And even if you found someone on the internet offering such services, how would you know the individual wasn’t a scammer or, worse, an undercover FBI agent? To solve this problem, criminals have created online cybercrime forums with strict rules meant to facilitate trust between cybercriminals. Perhaps the most notorious of these forums was Direct Connection, whose leader, Aleksei Burkov, was recently extradited to the Eastern District of Virginia and sentenced to nine years in prison.
From 2009 to 2015, Direct Connection was the most exclusive criminal forum on the web, accepting only those who had developed a reputation for fair-dealing in the online criminal underworld. Just to be put up for a vote, prospective Direct Connection members needed three existing members to “vouch” for them and to provide $5,000 in insurance in case the applicant reneged on a deal while conducting business on the forum. Direct Connection was used to advertise illicit goods, such as personal identifying information and malicious software, as well as criminal services, such as money laundering, hacking and renting botnets. Direct Connection offered escrow services to facilitate criminal deals and even had a formal dispute resolution process by which members could file “lawsuits” against one another for failing to deliver on promises made on the forum.
Cybercrime forums like Direct Connection are an essential part of the ecosystem that allows ransomware, and cybercrime more generally, to flourish because, without a trusted way to bring buyers and sellers together, the hyper-specialization among cybercriminals would not be possible. Indeed, it appears that DarkSide, like other RaaS groups, uses online hacking forums to recruit affiliate partners who can break into victims’ networks.
Aside from the specialities mentioned above, there are a number of other important subspecialties within each of the categories that are also critical to the cybercrime and ransomware ecosystem. For instance, most hackers do not build their botnets alone; rather, they often gain access to victim computers using exploits (tools to exploit vulnerabilities in a computer system) or stolen credentials that they purchase from other cybercriminals. Hackers also need access to untraceable servers from which to launch their intrusions. To serve this need, cybercriminals known as “bulletproof hosters” offer server space for rent, often from jurisdictions that are not friendly to the United States, and promise not to respond to legal process. Similarly, malware developers frequently implement features into their malware toolkits that were developed by other cybercriminals. These can include “crypters,” which disguise malware so that it is not detected by antivirus software, and “scanners,” which test malware payloads to determine if they will be detected by antivirus software.
In 2018, the owners of the world’s largest counter-antivirus scanner, known as Scan4you, were prosecuted in the Eastern District of Virginia, with the help of the Justice Department’s Computer Crime and Intellectual Property Section (CCIPS). Scan4you offered an application programming interface (API) that was integrated into some of the world’s most prolific malware toolkits, such as the Citadel banking trojan that infected more than 33 million computers worldwide. In addition, malware used in the 2013 breach of Target stores was tested through Scan4you just 10 minutes before the attack. Citadel’s developers had boasted to potential customers on cybercrime forums that “[y]ou can have your files automatically checked [through Scan4you] once a day, and if one of your files is being detected by more than three antiviruses then you will quickly receive a notification to your Jabber so you can immediately replace the exe.” One of Citadel’s developers testified at trial that this periodic check function allowed Citadel’s users to test their files through Scan4you every day so that, as soon as Citadel was detected by antivirus companies, the hackers could recrypt and reinfect the victim computers before losing access to their bots.
Such tools help cybercriminals stay one step ahead of network defenders. Indeed, Kaspersky has listed the need to purchase an “antivirus check service,” as well as credentials for hacked servers, as some of the main operating costs associated with running a ransomware gang. Chainalysis added buying exploits and renting server space from bulletproof hosters to that list.
An Effective Ransomware Strategy Must Prioritize the Investigation and Prosecution of the Key Members of This Criminal Ecosystem
While organization and specialization are strengths of cybercriminals, they are also weaknesses. That means there are organizations that can be infiltrated and exploited. If the Justice Department is serious about combating ransomware, it needs to conduct affirmative, long-term investigations into every prominent cybercrime-as-a-service organization. That sounds like a tall order, and it is, but it is not as tall as you may think. A relatively small number of sophisticated and well-connected cybercriminals play an outsized role in this ecosystem. Chainalysis found that fewer than 10 major strains of ransomware were responsible for the vast majority of ransomware attacks committed over the past six years. And cybersecurity researchers believe that some of the biggest strains may have the same creators and administrators, who publicly shut down operations before releasing a highly similar strain under a new name. The market for laundering ransomware payments is similarly condensed: Just five cryptocurrency exchanges receive 82 percent of all ransomware funds. Similarly, just 199 deposit addresses received 80 percent of all funds sent by ransomware addresses in 2020. An even smaller group of 25 addresses accounted for 46 percent.
A strategy that focuses on the most sophisticated actors means prioritizing bringing cases against those who create the tools used in ransomware attacks even over cases against the attackers themselves. My Eastern District of Virginia colleagues and I employed this approach, and were criticized for doing so. For instance, when we brought charges against the developer of a widely used remote access trojan, he and others objected that he was being held accountable for the crimes of others. But the developer ultimately pleaded guilty to aiding and abetting computer intrusions and admitted that he intended his products to be used for hacking. And evidence at sentencing showed that the developer’s malware was used in more than 100,000 actual and attempted intrusions, and that he also sold licensing software that was used to distribute other types of malware, including ransomware. The fact that this prolific malware developer did not himself hack computers was far from exculpatory. Just as the major players in the drug trade don’t sell on street corners, the most sophisticated cybercriminals often don’t breach systems themselves.
In addition to taking the most sophisticated criminal actors off the field, cases against cybercrime-as-a-service entities provide evidence against additional criminals. If you nab a major malware developer, you are likely to obtain evidence against hundreds or thousands of the developer’s hacker-clients. If you catch a money launderer who cleans ransomware payments, you will probably find leads on ransomware actors. Success breeds success, provided that you invest the resources needed to exploit that success.
Critics of a prosecution-based approach have argued that indicting Russian hackers is, at best, a waste of resources because Russia does not extradite to the United States and its intelligence officers avoid travel to Western countries. But, like DarkSide, many ransomware gangs, as well as the cybercrime-as-a-service groups that support them, are non-state actors. And the United States has had significant success in working with allies to arrest and extradite Russian non-state hackers when they travel to friendly third countries. The fact is that Russian hackers continue to travel to Western countries despite the known risk of arrest.
For instance, in April 2014, a member of Direct Connection, the Russian-language cybercrime forum discussed above, posted an article on the forum, entitled “Russian Ministry of Foreign Affairs: The growing threat of Russian citizens being detained on the USA demand,” along with “a list of countries that practice extradition.” Nonetheless, 18 months later Direct Connection’s founder, Aleksei Burkov, vacationed in Israel, where he was arrested and ultimately extradited to the United States. Despite a sealing order from the Israeli extradition court, the Russian government widely publicized Burkov’s arrest and his online monikers—a move that had the intended effect of alerting his online co-conspirators of his arrest. Nonetheless, one of Burkov’s co-conspirators, Ruslan Yeliseyev, planned his own vacation to Israel the following year and was likewise arrested and extradited. Like Burkov and Yeliseyev, many Russian-speaking hackers travel abroad to escape the Russian winter and to spend their ill-gotten gains. Others ignore the risk of travel because they have family abroad, frequently in former Soviet republics that are now U.S. allies. Jurijs Martisevs, a Russian co-founder of the counter-antivirus service Scan4you (discussed above), routinely traveled to Latvia to visit family. After a Scan4you co-conspirator was arrested in England in 2015, Martisevs worried that “I frequently travel to Riga and they can grab me right there on the border,” according to a subsequently recovered chatlog. Nonetheless, Martisevs continued to travel to Riga and, in 2017, was arrested at the Russian-Latvian border and extradited to the United States. It is also worth noting that many significant players in organized cybercrime are based in Eastern European countries that do cooperate with the United States.
Criminal investigations into cybercrime-as-a-service and ransomware-as-a-service organizations can also serve the Justice Department’s ransomware task force’s goal of uncovering “links between criminal actors and nation-states.” Indeed, perhaps the most public evidence of the symbiotic relationship between Russian intelligence and Russian cybercriminals grew out of the criminal investigation into Scan4you. After the Latvian police arrested Martisevs at the request of the United States, they seized a number of electronic devices from Martisevs and his Latvian co-conspirator, Ruslan Bondars. These devices contained chats between Martisevs and Bondars that revealed that the two had agreed to provide information to the Russian Federal Security Service (FSB) in exchange for the FSB’s promise not to cooperate with an ongoing FBI investigation into Scan4you. The U.S. government can gain a greater understanding of the relationship between Russian intelligence and Russian cybercriminals by thoroughly investigating Russian cybercrime organizations and following the evidence where it leads.
None of this is to suggest that a prosecution-based strategy is a substitute for dealing with the core problem of the Russian government’s protection of, or at least indifference to, ransomware gangs and the criminal ecosystem upon which they rely. But investigations and prosecutions that reveal the extent to which such groups operate from Russia and receive direct or indirect support from the Russian government can aid diplomatic efforts to pressure the Russians and help justify sanctions. At the very least, exposing any connection these groups may have with the Russian government can help the United States win the increasingly frequent diplomatic tug-of-wars that arise when the U.S. attempts to extradite Russian nationals from third countries and Russia responds with its own bad-faith extradition requests.
Finally, even when the United States is unable to arrest the leaders of a cybercrime-as-a-service group, federal law enforcement can use authorities to strike a blow against the cybercrime ecosystem by dismantling the group’s infrastructure. This was the approach the department took with the massive Emotet botnet in an operation it announced in January. In that case, the FBI worked with European law enforcement who gained access to Emotet command-and-control servers located overseas and identified the IP addresses of 1.6 million compromised computers. The department’s foreign partners then caused the compromised computers to download a file created by law enforcement, which had the effect of severing the victim computers from Emotet’s servers. While this operation won’t stop Emotet from regrouping eventually, experts estimate that it will take well over a year for Emotet to rebuild a botnet of that size. As of this March, cybersecurity companies have not detected any Emotet activity.
A Serious Prosecution-Based Response Will Require More Prosecutors and Agents With Expertise in Cybercrime
Although policy proposals to counter ransomware often pay lip service to the need for more investigations and prosecutions, few policymakers seem to understand the resources that will be needed to do so effectively. For instance, a ransomware task force composed of representatives of the U.S.’s leading technology and cybersecurity companies recently released an 81- page “comprehensive plan of action.” This plan (which is otherwise fantastic) suggests making “ransomware attacks an investigation and prosecution priority” but does not explicitly advocate for more funding for cybercrime investigators and prosecutors, despite proposing increased investment in other areas.
Such proposals fail to acknowledge that investigating cybercrime is a labor-intensive endeavor. Cybercrime cases are investigated by doggedly tracking down minor leads. This iterative process might entail sending hundreds of subpoenas to banks and internet service providers; writing dozens of search warrants for email, cloud storage and social media accounts; and submitting requests under mutual legal assistance treaties to several countries. By relentlessly pulling these threads, investigators eventually find enough circumstantial evidence to identify the culprit. Additionally, since making arrests of foreign-based cybercriminals often requires patience and luck, it can take several sealed indictments for every one successful arrest and extradition.
Once a cybercriminal is identified, that does not end the matter. Most cybercrime-as-a-service products are not inherently malicious. “Malware” is so named based not on any technical specifications, but on a judgment that it was intended to be used for illegal purposes. We call some providers of leased infrastructure “bulletproof hosters” based on a judgment that they intentionally cater to criminals. And so on. Once arrested, the same cybercriminals who went to great lengths to hide their true identities often turn around and argue that they never intended for their products to be misused by hackers. The smart ones even include disclaimers to that effect in their communications with customers in anticipation of the day they may face an American jury. These intent-based defenses can be overcome, but that requires additional investigation and ultimately access to the criminals’ private communications.
Why, then, isn’t the Justice Department clamoring to hire more cyber prosecutors and agents? Part of it may be concern about the difficulty in obtaining custody of the perpetrators. But the reluctance may also result from the resource limitations of an organization that is constantly juggling competing priorities. It is the most visible crimes that get the resources. To be sure, a high-profile data breach is visible and will command resources. But those resources tend to go into investigating the perpetrators of that particular hack, not into launching long-term, proactive investigations into all the cybercrime-as-a-service organizations that contribute to global hacking in larger, if less measurable ways. Part of the problem is that each U.S. attorney’s office and each FBI field office has responsibility over a particular territory. Thus, a U.S. attorney will (understandably) be most concerned about catching the perpetrators of a ransomware attack committed against a company in his or her district. But, as noted above, the hackers who commit the ransomware attacks are like street-level drug dealers, not kingpins. And U.S. attorneys have much less incentive to spend scarce resources on long-term investigations into Russian-based cybercrime services with slight connections to their districts and a small chance of producing arrests in the near future. The department does have a centralized computer crimes section, CCIPS, which provides training and assistance to cyber prosecutors and has partnered with U.S. attorney’s offices in many successful cybercrime-as-a-service cases, including the ones discussed in this post. But CCIPS’s approximately 45 attorneys spend much of their time conducting training, providing advice, building relationships with foreign partners and advocating important policy changes. They would be the first to tell you that their investigative resources are limited and that, with more resources, they could conduct and support more successful investigations.
Ransomware policy proposals tend to focus more on changing the laws and policies concerning ransomware than on what it will take to enforce the laws already on the books. The technology industry’s ransomware task force, for instance, recently proposed that governments require cryptocurrency exchanges to comply with Anti-Money Laundering and Combating the Financing of Terrorism laws. But the United States, at least, has already imposed such requirements on cryptocurrency exchanges that do business in the United States, even if they are not physically located here, as the Justice Department reiterated in a Cryptocurrency Enforcement Framework published in 2020. The real challenge is investigating and prosecuting cryptocurrency exchanges that intentionally cater to criminals. And, while the Justice Department has successfully prosecuted such cases, additional enforcement requires additional resources.
We Could Fund a Surge in Proactive Cybercrime Investigations for a Small Percentage of the Nation’s Overall Cybersecurity Budget
Federal prosecutors typically make between $90,000 and $150,000 per year, depending on their experience and the local cost of living. Even factoring in benefits, the Justice Department could add 10 prosecutors to each of the five U.S. attorney’s offices that have the best track record of successful cyber prosecutions for less than $7.5 million/year. Or the department could create a strike force that does nothing but long-term, proactive investigations into cybercrime-as-a-service organizations (with a particular focus on those that support ransomware). The department already employs this concept in its Organized Crime and Drug Enforcement Task Force (OCDETF) strike forces, which are permanent, prosecutor-led teams that conduct intelligence-driven, multi-jurisdiction investigations into priority targets and their affiliate financial networks. A cyber strike force modeled on this concept could be extremely effective with a yearly budget of $5 million, which would easily pay the salaries of 10 dedicated prosecutors and 20 agents. This would represent a tiny fraction of the money the government spends on cybersecurity. For perspective, the American Rescue Plan Act of 2021 allocated an additional $650 million to the Cybersecurity and Infrastructure Security Agency (CISA) in order to beef up the nation’s cyber defense. The administration has asked for a total of $2.1 billion for CISA in its 2022 discretionary budget request.
In the 1960s, the Justice Department expanded its Organized Crime and Racketeering Section from just a few lawyers to more than 60. These attorneys helped the department shift from prosecuting individual mobsters to conducting long-term investigations into entire criminal organizations. After 9/11, the department adopted a proactive approach to terrorism and established the National Security Division to manage the department-wide effort. The department did not wait for another attack to occur; it launched investigations into terrorist organizations and anyone who dared to support or finance them. Today, no terrorists can seek the support of anyone anywhere without wondering if their co-conspirators are actually undercover FBI agents. That same approach should be used to take on ransomware actors and those who support them. Ransomware gangs might seem ubiquitous. But like mobsters and terrorists, they are a finite group of criminals who depend on aid from a limited number of sources. They can be investigated and prosecuted and the organizations that support them can be dismantled, if we are willing to pay the modest price.