In an internal memorandum issued this week, Acting Deputy Attorney General John Carlin said ransomware poses not just an economic threat to businesses but “jeopardizes the safety and health of Americans.”
By identifying ransomware as a priority, the task force will increase training and dedicate more resources to the issue, seek to improve intelligence sharing across the department, and work to identify “links between criminal actors and nation-states,” according to the memorandum.
“By any measure, 2020 was the worst year ever when it comes to ransomware and related extortion events,” Mr. Carlin, who previously ran the Justice Department’s national-security division during the Obama administration, told The Wall Street Journal. “And if we don’t break the back of this cycle, a problem that’s already bad is going to get worse.”
Ransomware attacks, in which hackers encrypt or lock a victim's systems and data and refuse to restore access until a ransom is paid, surged last year during the pandemic, along with the size of the financial demands, according to security experts and U.S. officials. The attacks have been around for decades but have flourished as society has become more dependent on technology.
Mr. Carlin said criminal hackers continue to demand ever greater sums of money from victims and reinvest those profits in cyber tools that enable more and better attacks.
The memo calls for developing a strategy that targets the entire criminal ecosystem around ransomware, including prosecutions, disruptions of ongoing attacks and curbs on services that support the attacks, such as online forums that advertise the sale of ransomware or hosting services that facilitate ransomware campaigns.
The task force will consist of the Justice Department’s criminal, national security and civil divisions, the Federal Bureau of Investigation and the Executive Office of U.S. Attorneys, which supports the 93 top federal prosecutors across the country. It will also work to boost collaboration with the private sector, international partners and other federal agencies such as the Treasury and Homeland Security departments.
Mr. Carlin is overseeing the task force, which he created as one of his last acts as acting deputy attorney general. Lisa Monaco was confirmed by the Senate to the role of deputy attorney general Tuesday, and Mr. Carlin is expected to stay in the department as principal associate deputy attorney general.
Ransomware attacks pose a significant national security and public safety concern, officials and experts said. In October, for example, a wave of ransomware attacks—which landed during the start of a rise in coronavirus hospitalizations—disrupted operations and patient care at several hospitals.
“The problem has gotten worse, and it is an economic problem as much as it’s a cybersecurity problem,” said Bill Siegel, the chief executive of Coveware Inc., a security firm that helps businesses deal with ransomware.
Authorities have struggled to find a balance between helping individual victims of ransomware and discouraging companies from paying ransoms to perpetrators. Mr. Carlin said the task force would study and make recommendations on how to address that tension. Some former officials have said Congress should look at making it illegal for businesses to pay ransoms, akin to prohibitions on terrorism financing.
Mr. Carlin said the task force also will strive to find more “innovative uses of legal authorities…to protect victims before they are victimized.” Last week, the Justice Department revealed that the FBI had, under court authorization, accessed computer networks that were still compromised following the recent Microsoft Exchange Server attack that researchers have linked to China, in order to remove the malicious code the attackers had left behind. Mr. Carlin said that maneuver was motivated by concerns that criminal groups could hit those networks with ransomware.
Estimates on annual damages of ransomware attacks vary widely, but security companies generally agree the average size of ransoms has ballooned in recent years and that the overall toll on the economy is in the billions of dollars.
Mr. Carlin, who before returning to the Justice Department focused on cybersecurity as a partner at the Morrison & Foerster law firm, said he has personally seen ransomware payments over $20 million.
“It wasn’t a hard calculation for the company because they could say it would easily be hundreds of millions in damages for them if they didn’t pay,” Mr. Carlin said. “In almost every case where they paid, they knew the amount of damage was 10, 20 times what they were paying.”