Following the Colonial Pipeline and JBS cyber-attacks, the US Department of Justice is elevating ransomware attacks to the same priority as terrorism. This week, US Attorney’s offices across the country were instructed to share and coordinate information from ransomware investigations with a recently created task force in Washington. US Attorney’s offices handling ransomware attacks will be expected to share both updated case details and active technical information with the ransomware task force. The list of investigations that require coordination with the task force includes cases involving counter anti-virus services, illicit online forums or marketplaces, cryptocurrency exchanges, bulletproof hosting services, botnets and online money laundering services.
Federal agencies and law enforcement have been combating ransomware for a long time. The attacks on the Colonial Pipeline and JBS thrust the criminal organizations behind them into the mainstream media. This increased attention has caused the most prominent Darknet forums to ban any support or discussion of ransomware, for fear of being seen as affiliated with the ransomware groups and drawing greater law enforcement scrutiny.

To protect against ransomware, organizations should have an incident response plan in place. A detailed plan should include digital forensics response activation and notification procedures for a cyber incident. Regularly patch software and operating systems to the latest available versions. Employ best practices for the use of RDP and other remote desktop services by protecting them behind a strong VPN with Multi-Factor Authentication (MFA), and audit any unusual login events from IP addresses or devices that differ from what the employee account normally uses. Threat actors commonly gain initial access through insecure Internet-facing remote services or phishing. Provide social engineering and phishing training to employees. Urge them not to open suspicious emails, not to click on links or open attachments contained in such emails, and to be cautious before visiting unknown websites. When an attack makes it through the outer layers of defense, it is important to have a Security Operations Center or a managed security monitoring service with expert security analysts on duty, such as the Binary Defense Security Operations Task Force. The Task Force provides a 24/7 monitoring solution of SIEM and endpoint detection systems to detect and defend from intrusions on an organization’s network.
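The login-auditing recommendation above (flagging logins from IP addresses or devices an account does not normally use) can be turned into a simple baseline-and-compare check. The following is an added example, not code from the original article or from Binary Defense. The `key=value` log format and all events in it are constructed for illustration; a real deployment would read the equivalent fields from the SIEM or remote-access gateway logs.

```python
import re
from collections import defaultdict

# Constructed sample events (not real data). The format is a hypothetical
# normalised remote-access login line such as a SIEM might emit.
BASELINE_LOGINS = [
    "2021-05-03T08:02:11Z user=jsmith src=198.51.100.24 device=LAPTOP-JS01 result=success",
    "2021-05-04T08:05:40Z user=jsmith src=198.51.100.24 device=LAPTOP-JS01 result=success",
    "2021-05-03T09:15:02Z user=alee src=198.51.100.31 device=DESKTOP-AL07 result=success",
    "2021-05-05T17:44:19Z user=alee src=203.0.113.9 device=DESKTOP-AL07 result=success",
]

NEW_LOGINS = [
    "2021-06-04T08:01:55Z user=jsmith src=198.51.100.24 device=LAPTOP-JS01 result=success",
    "2021-06-04T03:12:01Z user=jsmith src=192.0.2.77 device=WIN-7F3KQ2 result=success",
    "2021-06-04T09:30:12Z user=alee src=203.0.113.9 device=DESKTOP-AL07 result=success",
    "2021-06-04T09:31:44Z user=alee src=203.0.113.9 device=UNKNOWN-PC result=failure",
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) "
    r"device=(?P<device>\S+) result=(?P<result>\S+)$"
)


def parse(line):
    """Parse one constructed log line into a dict of its fields."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparseable line: {line!r}")
    return m.groupdict()


def build_baseline(lines):
    """Per-account sets of source IPs and device names seen in successful logins.

    Only successful logins contribute: a failed attempt from a new IP must not
    teach the baseline that the IP is normal for that account.
    """
    baseline = defaultdict(lambda: {"src": set(), "device": set()})
    for ev in map(parse, lines):
        if ev["result"] != "success":
            continue
        baseline[ev["user"]]["src"].add(ev["src"])
        baseline[ev["user"]]["device"].add(ev["device"])
    return baseline


def find_unusual_logins(baseline, lines):
    """Return (timestamp, user, reasons) for each successful login whose source
    IP or device has not been seen before for that account.

    Failed logins are skipped here; repeated failures belong to a separate
    brute-force / password-spraying detection rather than this baseline check.
    """
    findings = []
    for ev in map(parse, lines):
        if ev["result"] != "success":
            continue
        known = baseline.get(ev["user"])
        reasons = []
        if known is None:
            reasons.append("account has no login history")
        else:
            if ev["src"] not in known["src"]:
                reasons.append(f"new source IP {ev['src']}")
            if ev["device"] not in known["device"]:
                reasons.append(f"new device {ev['device']}")
        if reasons:
            findings.append((ev["ts"], ev["user"], reasons))
    return findings


if __name__ == "__main__":
    base = build_baseline(BASELINE_LOGINS)
    for ts, user, reasons in find_unusual_logins(base, NEW_LOGINS):
        print(f"{ts} {user}: {'; '.join(reasons)}")
```

On the constructed data only the 03:12 `jsmith` login is reported, because both its source IP and device are absent from that account's history; the `alee` event from `UNKNOWN-PC` is a failure and is left to a separate failed-login rule. In practice the baseline would be rebuilt from a rolling window of past successful logins, and each finding would be reviewed against the MFA and VPN records for the same session before being treated as an incident.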