DOJ Retrieves Millions from Colonial Pipeline Ransomware Payment and Arrests A Ransomware Hacker, While the White House Urges Corporate Executives and Business Leaders to Protect Against Ransomware Threat

On June 7, 2021, the U.S. Department of Justice (DOJ) announced that it seized 63.7 bitcoins, valued at approximately $2.3 million, from the proceeds of the ransomware payment of 75 bitcoins made by Colonial Pipeline to the Darkside ransomware group who targeted the pipeline company. The seizure was conducted pursuant to a court-issued warrant as part of DOJ’s recently launched Ransomware and Digital Extortion Task Force, which was established to investigate, disrupt and prosecute ransomware and digital extortion activity. A few days earlier, DOJ announced the arrest of a hacker who was part of a transnational cybercrime organization responsible for creating and deploying a ransomware suite of malware known as Trickbot. The recent successes demonstrate the potential benefits of early notification to, and cooperation with, law enforcement for the victims of cyberattacks.

DOJ’s recent seizure and arrest follow a memorandum issued by the White House last week to corporate executives and business leaders urging them to take immediate steps to protect their organizations from ransomware attacks. The White House memorandum, combined with the recent DOJ actions and announcement of new internal coordination rules to treat ransomware cases in a similar manner to terrorism cases, underscores the Biden administration’s urgent focus on ransomware attacks.

The White House memorandum serves as a call to action to private-sector entities to do their part to prepare for and respond to the ransomware threats. It reflects the Biden administration’s broad focus on the private sector – not just critical infrastructure companies like Colonial Pipeline and companies that provide key goods. The memorandum emphasizes the “critical responsibility” that the private sector bears to protect against cyberattacks. Among other things, it emphasizes that the “private sector also has a critical responsibility to protect against these threats” and that “the most important takeaway from the recent spate of ransomware attacks on U.S., Irish, German and other organizations around the world is that companies that view ransomware as a threat to their core business operations rather than a simple risk of data theft will react and recover more effectively.” The memorandum calls on companies to “immediately convene their leadership teams to discuss the ransomware threat and review corporate security posture and business continuity plans to ensure you have the ability to continue or quickly restore operations.”

Specifically, the memorandum outlines the following six recommended best practices that companies should undertake:

• Implement the five best practices from President Biden’s Executive Order on Improving the Nation's Cybersecurity.  These include multifactor authentication, endpoint detection and response, encryption, and a skilled, empowered security team. Although the executive order applies only to the U.S. government and federal contractors, the administration has sought to promote it as a model for the private sector to adopt voluntarily.
• Backup your data, system images, and configurations, regularly test them, and keep the backups offline.  Since ransomware gangs know to target backup systems, maintaining backups offline is important to ensure that your organization has usable data from which to restore systems if your network data becomes encrypted with ransomware.
• Update and patch your systems promptly, and maintain the security of firmware, applications, and operating systems, in a timely manner.
• Test your incident response plans, such as through tabletop exercises.  Ask core questions to identify gaps and improve the incident response plans before you are faced with a real incident.
• Check your security team’s work.  Use a third party to test the security of your systems and defenses, such as through penetration testing.
• Segment your networks.  It is vitally important that your corporate business functions and manufacturing and production operations are separate and that you carefully filter and limit Internet access to operational networks.  In addition, identify links between these networks and develop workarounds or manual controls to ensure industrial control system (ICS) networks can be isolated and continue operating if your corporate network is compromised.

DOJ’s intensified efforts to combat ransomware and pursue hackers combined with this latest outreach by the Biden administration to the private sector to combat ransomware demonstrates both that the administration recognizes that partnering with companies is critical to deter and disrupt hackers, and also that it views the private sector as having a “distinct and key responsibility” to strengthen the nation’s collective resilience when faced with cyberattacks. We expect to see additional announcements in the coming weeks aimed at incentivizing the private sector to act on that responsibility.