In an ongoing effort to stem the tide of ransomware, the FBI in March announced the Virtual Assets Unit (VAU). The VAU will focus on stopping ransomware criminals that demand large amounts of cryptocurrency from their victims. The FBI’s Virtual Asset Exploitation Team (VAXU), which specializes in cryptocurrencies, will support the VAU.
“Ransomware and digital extortion, like many other crimes fueled by cryptocurrency, only work if the bad guys get paid, which means we have to bust their business model,” said U.S. Deputy Attorney General Lisa Monaco in a statement. “The currency might be virtual, but the message to companies is concrete: If you report to us, we can follow the money and not only help you but hopefully prevent the next victim.”
It’s no surprise the FBI would want to up its ransomware game. Cryptocurrency-based crime hit an all-time high in 2021 when malicious actors raked in $14 billion, according to blockchain research firm Chainalysis. Some of the recent high-profile ransomware cases have demanded cryptocurrency:
- in May 2021, Colonial Pipeline paid nearly $5 million in Bitcoin to ransomware attackers;
- in June 2021, meat supplier JBS paid about $11 million in Bitcoin after a ransomware attack; and
- in July 2021, the ransomware gang REvil attacked at least 200 U.S. companies, demanding a total of about $70 million in the form of cryptocurrency.
By demanding cryptocurrency, ransomware attackers make it difficult to trace ransom payments to recipients. The cryptocurrency often doesn’t flow straight from a ransomware victim to the criminal, explained Megan Stifel, chief strategy officer for the Institute for Security and Technology (IST). Instead, the cryptocurrency travels through a multistep process involving different financial entities, many of which are not yet part of standardized, regulated financial payments markets.
Cryptocurrency use is on the rise not only among cybercriminals but also among legitimate companies. A growing number of public companies hold Bitcoin on their balance sheets. And cryptocurrency owners care about protecting their digital assets: More than half of cryptocurrency owners support additional U.S. regulation to fight cryptocurrency-based ransomware demands, according to a Harris Poll.
FBI Ransomware Effort Seeks Public-Private Partnership
So far, there isn’t much publicly known about the FBI’s Virtual Assets Unit. Here’s what we do know: The FBI has stated that the VAU will combine cryptocurrency experts, blockchain analysis, and virtual asset seizure under one umbrella. The unit will train and help its own agents and members of FBI investigative teams obtain evidence from crimes that involve virtual assets.
In addition, the unit will become part of the National Cryptocurrency Enforcement Team (NCET), a division of the U.S. Justice Department created in 2021 to investigate the criminal use of digital assets. NCET mainly pays attention to technologies, such as virtual cryptocurrency exchanges, that enable the use of cryptocurrency in criminal activities.
With its focus on investigation and training, the FBI has begun to carve a unique place in government efforts to fight ransomware. Other government entities in the ransomware fight include the Cybersecurity and Infrastructure Security Agency, U.S. Cyber Command, the National Security Agency, and the National Institute of Standards and Technology, which is working on standards and technical approaches to address ransomware. The VAU also dovetails with the recently passed Strengthening American Cybersecurity Act of 2022, which calls for a Joint Ransomware Task Force to coordinate a nationwide campaign against ransomware attacks.
Part of the current FBI ransomware effort is to improve public-private partnerships. In a speech at last year’s International Conference of Cyber Security, FBI director Christopher Wray said, “We’re working to build an atmosphere of trust and collaboration, the kind that only comes from sitting across the table from someone you know and really hashing things out.”
That effort features the FBI-led National Cyber Investigative Joint Task Force, which works with 30 intelligence and law enforcement agencies to combat cyber threats, as well as the National Cyber-Forensics and Training Alliance and the National Defense Cyber Alliance.
The input and collaboration of private companies will be key to the success of this initiative as well, said Michael Daniel, president and CEO of the Cyber Threat Alliance, a nonprofit that fosters information-sharing among cybersecurity organizations.
Daniel said the support of private companies is important in two ways: to inform priorities and insight in both directions and to synchronize activities.
Jon Brandt, director of professional practices and innovation at ISACA (Information Systems Audit and Control Association), thinks the FBI ransomware unit may be a bit premature. To date, the government doesn’t regulate cryptocurrency, although that may be changing soon, Brandt said. He added that the stated purpose of stopping cryptocurrency crimes is a bit broad.
“Is this unit just going to help companies recover payments they were advised against making in the first place?” Brandt said. “Nobody really knows much yet.”
Others, however, believe there is no time like the present for the Virtual Assets Unit. IST’s Stifel, for example, said there is real benefit in putting the world on notice and getting threat actors to take the U.S. seriously. “The U.S. needs to be declarative and repetitive in stating that ransomware is a national security risk and that it will, together with partners, work to leverage all of its tools to reduce the risk,” Stifel explained. “That involves not only disrupting the payment but also looking at dismantling the ransomware-as-a-service [trend].”
Victims of cryptocurrency schemes and intermediaries like exchanges rarely opt to work with the FBI. If the FBI ransomware initiative persuades private companies to join the effort, it will have made a significant difference, Stifel said. “You don’t benefit from these resources unless you are working with the FBI,” she said. Not only will the FBI refrain from blaming the victim, but it will work to understand the incident and how it occurred. The agency might even help victims recoup payments.
“Private resources aren’t in the same position as the government, which can work through legal processes like obtaining information from exchanges,” Stifel added. “Exchanges may be more willing to cooperate with the FBI than they would with a private company.”
Stifel encouraged private companies to contact their local FBI offices even before they fall victim to a ransomware attack. “Starting a conversation to say, ‘I’m in your office’s jurisdiction, this is my business, and I wanted to explore if there is any information you can share,’ is a good idea,” she said.
Brandt added that it’s important for IT professionals to prepare for ransomware attacks in every way they can. That means not only proactively bolstering security around assets but also recognizing that even “secure” technologies like blockchain aren’t infallible.
“If nothing else, [the ransomware threat is an impetus for] companies to put their best foot forward to protect data, encrypt backups, and practice good risk management,” Brandt said.