'Defunct' DOJ ransomware task force raises questions, concerns

A report from the Office of the Inspector General reviewed the U.S. Department of Justice's efforts against ransomware and found its task force was largely ineffective.

The U.S. Department of Justice in recent years has stepped up its efforts against ransomware, but the apparent failure of the department's task force shows there is still much work to be done.

The Office of the Inspector General (OIG) last month published an audit report on the Department of Justice's efforts against ransomware, which include the Ransomware and Digital Extortion Task Force (RTS) that was created in 2021. In a memo announcing the RTS, Acting Deputy Attorney General John P. Carlin wrote that 2020 was "the worst year to date for ransomware attacks," and that the task force would bring all the department's resources to bear against the threat.

However, the OIG said that didn't happen. While the DOJ's task force was established to direct the department's efforts toward the ongoing threat, the OIG report showed the RTS fell short.

"The Office of the Deputy Attorney General (ODAG) memorandum that established the Ransomware Task Force also contained several strategic areas, including directing the Ransomware Task Force to design and implement a strategy to disrupt and dismantle the ransomware criminal ecosystem, specifying this strategy should include the use of all available criminal, civil, and administrative actions, such as the takedown of servers and seizures of ransomware proceeds," the OIG wrote in the report. "However, according to the ODAG, the Ransomware Task Force convened only two meetings, did not meet regularly to ensure the implementation of its strategic areas, and did not retain records of decisions or directions resulting from these meetings."

Additionally, the OIG noted the RTS is essentially dead. "While the Ransomware Task Force was not formally disbanded, its absence of meetings indicates that it is now defunct for all intents and purposes," the report stated.

Meanwhile, ransomware has continued to worsen in recent years. Several companies, including Corvus Insurance, tracked record-high activity throughout 2023, and the increases have continued into this year.

While the RTS was ineffective, the OIG noted that the FBI and the DOJ's Criminal Division's Computer Crime and Intellectual Property Section led the department's efforts against ransomware. In fact, the report said the FBI's efforts contributed to three "significant disruptions" of ransomware gangs in 2023 and early 2024 -- LockBit, Hive and Alphv/BlackCat -- as well as other takedowns of malware and botnets associated with those gangs.

For example, an international law enforcement effort called "Operation Cronos" was successful in disrupting the LockBit ransomware gang in February. This week, authorities announced the arrests of four alleged LockBit members during the third phase of Operation Cronos. As part of the continued effort, the DOJ unsealed an indictment against Aleksandr Viktorovich Ryzhenkov, a Russian national and alleged member of the cybercrime group Evil Corp.

Despite the takedowns and disruption operations, new ransomware groups continue to emerge, and dismantled gangs rebrand under different names.

Jamie Levy, director of adversary tactics at Huntress, told TechTarget Editorial that while she applauds the efforts of the government takedowns that have occurred over the years, it's clear the effects are only temporary. For example, in February, LockBit restored its servers following phase one of Operation Cronos. In December, the DOJ announced the takedown of the BlackCat ransomware gang, which claimed responsibility for major attacks like one against MGM Resorts. However, CISA published an advisory earlier this year that warned BlackCat was still active and heavily targeting healthcare organizations.

Levy cited last year's Qakbot takedown, which the OIG report highlighted, as another example. The international law enforcement operation led by the DOJ and FBI dismantled the malware that ransomware gangs use to gain initial access to a victim organization.

"For example, we saw in the wake of the Qakbot takedown last year that these threat actors were only momentarily crippled for about a month's time before making a comeback. We also saw other similar threat actors quickly move into the void created by this takedown in order to claim their place in the land run. We can see clear proof of this in our customer data. Therefore, it's apparent that we need to be more creative with our disincentives in order to truly disrupt and annihilate ransomware actors," Levy said. "It's time to start thinking about these ransomware actors as they truly are: opportunistic predators."

The Department of Justice and FBI were part of an international law enforcement operation in February that seized control of LockBit's ransomware leak site and infrastructure.
The Office of the Inspector General report said the Department of Justice contributed to several successful disruption efforts against ransomware gangs, including the recent 'Operation Cronos' against LockBit.

Call for clearer metrics

In the report, the OIG stated the DOJ needed to provide clearer metrics to track disruption efforts and demonstrate the effectiveness of the department's actions taken against the threat. Levy echoed those sentiments and said that's the only way to measure the effectiveness of the DOJ's actions.

Jason Baker, threat intelligence consultant at GuidePoint Security, agreed that a lack of metrics, as well as a lack of visibility, is a substantial problem for the DOJ. "The most obvious issue we see working with clients and victims of ransomware on a regular basis is the problem with visibility. The FBI has and is always going to have a suboptimal level of visibility into ransomware's genuine impact on U.S.-based private organizations."

Baker attributed part of the visibility challenge to a lack of reporting requirements for most victims. While the U.S. Securities and Exchange Commission recently instituted reporting rules for public companies, the requirements are not there for small to medium-sized businesses and some privately held organizations, he said.

"It's impossible to gauge how effective the government is against the problem. Tackling that, the FBI and the government could convey information sharing as part of a partnership," Baker said.

Baker also addressed the OIG report's claims that the RTS rarely held meetings. He said it constitutes a two-part problem. For one, the U.S. government's efforts to curb ransomware attacks are massive and involve a high number of organizations from the DOJ, the Department of Defense, Department of Homeland Security and more, which can make coordinating meetings difficult. In fact, the report noted that the FBI also co-leads another multi-agency effort called the Joint Ransomware Task Force, which was established by Congress in 2022.

Secondly, Baker said the metrics and gauges for success make it difficult to determine whether they are making progress or not. "From what I was able to gauge in the report, it's not really abundantly clear how the metrics for how they define success align with tangible outcomes," Baker said. "It would be a mistake to just say 'only two meetings, therefore bad.' I think the government and the FBI have had a lot of high-profile successes, especially in 2024 and 2023, but how that's communicated, how that's tracked is clearly an area that needs to mature."

Megan Stifel, chief strategy officer at the Institute for Security and Technology, led the implementation for the institute's own Ransomware Task Force. Stifel said they would like to see more information coming out of the DOJ's RTS than the institute has currently seen. "There remain opportunities for improvement there. It's important that the efforts continue and would like to see more coming out."

Arielle Waldman is a news writer for TechTarget Editorial covering enterprise security.
