December 21, 2022
Justice Department’s Evolving Efforts on Ransomware
Ransomware attacks, such as the one carried out by the cybercrime group DarkSide against Colonial Pipeline in May 2021 that disrupted pipeline operations, have highlighted federal law enforcement efforts to counter cybercriminals and their use of malicious technology.

Ransomware Conceptualized

Ransomware is malware that targets systems and data for the purpose of extortion. It is used against individuals, businesses, and government networks, locking users out of their systems or data and demanding a ransom payment to supposedly regain access to or prevent exposure of the system’s content. There is no guarantee users will get their data back, even if they pay, or that their data or systems will not have been otherwise compromised. Reportedly, cybercriminals have increasingly used a Ransomware-as-a-Service (RaaS) model wherein certain criminals develop the malware and then sell or lease the tool to others to carry out ransomware campaigns. Both the developer and attacker then receive portions of the criminal proceeds.

Cyber Incident Response

Federal law enforcement has the principal role in investigating and attributing cyber incidents to specific perpetrators, and this responsibility has been established within the broader framework of federal cyber incident response. The 2016 Presidential Policy Directive/PPD-41 on U.S. Cyber Incident Coordination outlined how the government responds to significant cyber incidents—those that are “likely to result in demonstrable harm to the national security interests, foreign relations, or economy of the United States or to the public confidence, civil liberties, or public health and safety of the American people.”

Responding to cyber incidents involves (1) threat response, (2) asset response, and (3) intelligence support. The Department of Justice (DOJ), through the Federal Bureau of Investigation (FBI) and National Cyber Investigative Joint Task Force (NCIJTF), leads the nation’s threat response to significant cyber incidents. Asset response and intelligence support responsibilities are led by other federal agencies. Specifically, threat response is conceptualized in PPD-41 to mean:

    conducting appropriate law enforcement and national security investigative activity at the affected entity's site; collecting evidence and gathering intelligence; providing attribution; linking related incidents; identifying additional affected entities; identifying threat pursuit and disruption opportunities; developing and executing courses of action to mitigate the immediate threat; and facilitating information sharing and operational coordination with asset response.

DOJ’s Comprehensive Cyber Review

In April 2021, DOJ announced it was launching a four-month strategic review to evaluate how it responds to cyber threats, in part because of growing ransomware concerns. DOJ’s Comprehensive Cyber Review report, released in July 2022, notes that “a central goal of the Comprehensive Cyber Review [was] to identify concrete and actionable ways the Department can draw on its full range of criminal, civil, national security, and administrative authorities and resources to confront the multidimensional cyber challenge.” With specific mention of ransomware, the review recommended that DOJ comprehensively evaluate its various sources of information to identify priority criminal targets—such as prolific cybercriminals using multiple ransomware variants to carry out their attacks.

The review also noted that today’s cyber threats cannot be conceptualized as distinct criminal threats or national security threats; rather, they are blended in nature. It delineates that cybercriminals, including those linked to transnational criminal organizations in Russia and Eastern Europe, profit from levying ransomware and digital extortion attacks against U.S. businesses and organizations. These attacks have “increased in scale, prevalence, and consequence,” and attacks that target critical infrastructure networks including pipelines, schools, food supply, hospitals, and emergency services have implications for national security.

Evolving DOJ Actions on Ransomware

As the threats posed by cybercriminals using ransomware develop (at the time of the Comprehensive Cyber Review, DOJ noted it was investigating over 100 different ransomware variants) and the amount of money paid by victims increases (a study by Sophos estimates that the average payment was over $812,000, and average recovery costs were $1.4 million in 2021), DOJ has acknowledged that consequences extend beyond ransomware payments and remediation costs, and include associated “mayhem” (e.g., challenges to patient care during attacks against hospitals’ systems). DOJ has taken a number of actions intended to bolster investigations, enhance law enforcement information sharing, and increase public awareness.

Investigations

Augmenting cyber investigations is among DOJ’s top priorities, because cyber threats, including ransomware attacks, pose risks to national security. For instance, in April 2021, DOJ created a Ransomware and Digital Extortion Task Force comprised of the FBI, Executive Office for the United States Attorneys (EOUSA), and representatives from their Criminal, Civil, and National Security Divisions. The task force’s efforts include increasing training and resources; enhancing intelligence and information sharing; using all investigative leads, including human intelligence and links between criminals and nation states; and improving DOJ coordination on cases—all to disrupt, investigate, and prosecute ransomware cases. DOJ notes that this task force helped seize the proceeds ($2.3 million in bitcoin) from the 2021 DarkSide ransomware attack on the Colonial Pipeline.

The National Cryptocurrency Enforcement Team (NCET) was created in October 2021 to investigate and prosecute criminals who misuse cryptocurrency, including crimes committed by cryptocurrency exchanges, mixing and tumbling services, and money laundering services. DOJ specifically notes that the NCET will assist in recovering assets, such as cryptocurrencies, paid to ransomware groups.

In addition to establishing new tools and task forces to respond to ransomware threats, DOJ has acknowledged that, because of the transnational nature of cybercrime, such as ransomware attacks, fostering international partnerships is a priority. For instance, the FBI’s international operations division and legal attaché offices liaise with foreign law enforcement partners on cases. DOJ also established the International Virtual Currency Initiative to work with international partners to counter illicit activity involving digital assets, including tracing virtual currencies gleaned from ransomware schemes.

Information Sharing

In June 2021, Deputy Attorney General Lisa O. Monaco issued a memorandum to federal prosecutors requiring that they notify the Computer Crime and Intellectual Property Section (CCIPS) and the National Security and Cyber Crime Coordinator for the EOUSA of any significant developments in existing ransomware or digital extortion cases. They must also notify CCIPS and the EOUSA of all new instances of ransomware or digital extortion attacks in their districts and file an Urgent Report in the instance of new attacks or those affecting ongoing cases. Essentially, federal prosecutors are now to report ransomware incidents in the same way they report critical national security threats. The memorandum also reinforced CCIPS as the coordinating entity for ransomware and digital extortion cases. In this role, CCIPS coordinates with EOUSA and relevant DOJ components and identifies instances when potential ransomware cases are related to other open investigations.

In addition to information sharing on cases, DOJ provides training to state, local, tribal, and territorial law enforcement agencies to enhance cyber capacity, for instance, through the Law Enforcement Cyber Center and the National White Collar Crime Center. This includes training on emerging and specialized topics such as ransomware.

Public Awareness

DOJ leads several public awareness activities on ransomware. For instance, the NCIJTF organized an interagency group of subject matter experts from over 15 government agencies to develop public awareness materials to help educate the public about preventing and responding to ransomware attacks. NCIJTF and the FBI’s Internet Crime Complaint Center (IC3), among others, have published materials on the threats posed by ransomware, where to report it, and how to respond. Victims are encouraged to report ransomware incidents to their local FBI field office, NCIJTF, IC3, or the Cybersecurity and Infrastructure Security Agency (CISA) at the Department of Homeland Security. Federal law enforcement discourages the payment of ransom. DOJ specifically notes that doing so “may embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware and/or fund illicit activities.”

Congressional Considerations

As Congress conducts oversight and debates legislation on DOJ’s efforts to respond to cyber incidents, and specifically threats posed by ransomware, policymakers may consider how these efforts could be affected by resource constraints, evolving technology, and the often transnational nature of cybercrime.

Resources

DOJ specifically identified ransomware as a threat in its FY2023 congressional budget submission, where it requested additional resources to bolster cybersecurity and counter cybercrime. Policymakers may debate whether law enforcement’s workforce and monetary resources, as well as DOJ’s new initiatives to investigate ransomware, are commensurate with the threat. Policymakers may also examine how DOJ evaluates various national security threats facing the country to determine resource allocations to counter cybercrimes such as ransomware relative to other threats such as those posed by terrorist organizations.

Evolving Technology

As technology evolves, some contend that law enforcement's investigative capabilities may not be able to keep pace; some specifically cite strong, end-to-end (or what law enforcement has sometimes called “warrant-proof”) encryption, which can prevent access to certain communications and information. Congress may continue to examine this tension between the privacy of electronic communications and law enforcement’s ability to investigate cybercrime in the context of ransomware investigations.

Transnational Nature of Cybercrime

Because cybercriminals, including those engaging in ransomware, can operate anywhere in the world, networks of these criminals—and digital evidence of their activity—may exist in various countries. This may lead to investigative challenges in gathering evidence, working with international law enforcement, and holding perpetrators accountable in the United States. Policymakers may examine how these challenges could affect DOJ investigations of criminals engaging in ransomware and RaaS.

Kristin Finklea, Specialist in Domestic Security
IF12294
https://crsreports.congress.gov
Disclaimer

This document was prepared by the Congressional Research Service (CRS). CRS serves as nonpartisan shared staff to congressional committees and Members of Congress. It operates solely at the behest of and under the direction of Congress. Information in a CRS Report should not be relied upon for purposes other than public understanding of information that has been provided by CRS to Members of Congress in connection with CRS’s institutional role. CRS Reports, as a work of the United States Government, are not subject to copyright protection in the United States. Any CRS Report may be reproduced and distributed in its entirety without permission from CRS. However, as a CRS Report may include copyrighted images or material from a third party, you may need to obtain the permission of the copyright holder if you wish to copy or otherwise use copyrighted material.
https://crsreports.congress.gov | IF12294 · VERSION 1 · NEW