October 11, 2022 By C.J. Haughey 6 min read

As ransomware-related payments surged toward $600 million in the first half of 2021, the U.S. government knew it needed to do more to fight back against cyber criminals.

For many years, the Treasury’s Office of Foreign Assets Control (OFAC) had a Specially Designated Nationals and Blocked Persons List (SDN List for people or organizations acting against the national security, foreign policy and sanctions policy objectives of the United States).

But since 2021, the U.S. Department of Justice (DOJ) has upped the ante to tackle the growing problem. After all, most of the attacks were on government bodies, educational institutions and health care organizations.

This post will explore how the DOJ has been cracking down and reflect on how the tighter stance has impacted ransomware groups.

What is the U.S. government doing to stop ransomware attacks?

In September 2021, OFAC announced its intent to take a stronger stance against sanctioned ransomware groups. The updated advisory makes it clear the U.S. government:

  • Discourages all private organizations and citizens from paying extortion demands to ransomware groups
  • Asserts that paying the ransom may advance the group’s illicit goals — with more funding, hackers could target national security objectives
  • Warns companies may face civil penalties for paying ransoms.

In May 2022, the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) formed the Joint Ransomware Task Force (JRTF) to tackle the growing threat of ransomware gangs. The DOJ also announced two international initiatives:

  • A National Cryptocurrency Enforcement Team to support federal authorities in bringing down virtual currency exchanges and similar services used for money laundering during ransomware attacks and other illegal activities.
  • A Civil Cyber Fraud Initiative where federal authorities pursue organizations suspected of connections to cybersecurity fraud.

So, how has the landscape changed in the wake of the tougher stance from the U.S. government?

6 examples of U.S. sanctions and action against ransomware gangs

Here are six high-profile incidences where the government took action against known ransomware organizations since 2021:

May 2021: The FBI recoups half the ransom from the Colonial Pipeline hack

After DarkSide extorted Colonial Pipeline for $4.4 million in cryptocurrency, the FBI followed the digital money for 19 days. Special agents kept a close eye on a publicly visible bitcoin ledger, waiting until the opportune moment to get a warrant and successfully recover $2.3 million.

June 2021: The last member of the Gozi Troika arrested

The Gozi virus infected over one million devices before three European men were formally charged in a U.S. federal court in 2013. While two members spent time in custody, the Romanian national Mihai Ionut Paunescu was spared extradition. He was finally arrested in Colombia and extradited to the U.S., where he could face more than 30 years in prison.

November 2021: U.S. government lands blow on REvil

One of the most notorious ransomware groups is the Ransomware-as-a-Service” operation, REvil. Since February 2021, seven suspects linked to REvil and the affiliated GandCrab have been apprehended, including the two most recent arrests in the wake of the attack on tech firm Kaseya.

Sanctions included the seizure of $6.1 million in funds linked to alleged ransom payments. A Ukrainian national, Yaroslav Vasinskyi, connected with over 2,500 attacks, stands accused. Russian national Yevgeniy Polyanin was also arrested for involvement in at least 3,000 ransomware attacks.

April 2022: The disruption of Russia’s leading cybersecurity threat

The DOJ announced an operation focusing on combating the threat posed by Russia’s foremost cyberattack capability, Sandworm. The hacker used a botnet called Cyclops Blink to infect thousands of computers worldwide. The operation eliminated the threat — reducing the impact to just 1% of appliances.

May 2022: Ransom seized from North Korean hackers

The FBI seized $500,000 in cryptocurrency that was paid as ransom to North Korean hackers. A state-sponsored group known as Maui targeted health care providers in Colorado and Kansas. During the seizure, authorities discovered a previously unidentified ransomware strain, aiding future efforts to thwart malicious cyber activity and illicit financial gain.

September 2022: Reducing Iran’s threat

OFAC added ten individuals and two entities to the SDN list — all of which are connected to an Iranian ransomware group affiliated with Iran’s Islamic Revolutionary Guard Corps (IRGC). U.S. officials allege the group is responsible for various malicious cyber-enabled activities against the U.S. and Middle Eastern governments.

How is the government response impacting ransomware payments?

Coveware’s report for Q2 2022 indicates sanctions are having some effect. While there was an 8% increase in the average ransom payment from Q1 2022, several outliers contributed to the average $228,125 ransom payment.

A more accurate reflection of the impact is clear when you consider the median ransom payment fell to $36,360 — a dramatic 51% decrease from Q1 2022. This drop marks two consecutive quarters where the median ransom payment was lower, which could signal the start of a downward trend.

Another promising sign is that the average downtime from ransomware attacks was 24 days in Q2 2022, which is an 8% decrease compared to the previous quarter.

However, the war is far from over.

The harsh truth: Ransomware is going nowhere

Despite increased efforts, attacks continue. It seems as if any time authorities cut off one head from a prominent hacking group, another two appear.

The Lazarus Group rises

The Lazarus Group is a North Korean state-sponsored hacking entity best known for the WannaCry attack that infected 300,000 computers worldwide in May 2017.

In February 2021, the DOJ indicted three North Korean (DPRK) military personnel for criminal conspiracies and cyberattacks that generated $1.3 billion. However, despite the sanctions, the Lazarus Group remains active. The group is driving a new cyber-espionage campaign that aims to steal data from energy providers across the U.S., Canada and Japan.

REvil reborn

After the indictment of Polyanin and Vasinskyi, reports from Russia indicated REvil now ceased to exist.

But in May 2022, a ransomware gang initiated a distributed denial of service (DDoS) campaign against a customer of the cloud networking provider Akamai. As the attackers demanded payment in Bitcoin, news emerged that the supposedly defunct REvil claimed responsibility.

The Secureworks Counter Threat Unit (CTU) analyzed code samples found online and confirmed that the developer has access to REvil’s source code.

The tough choice for ransomware victims

The Treasury’s sanctions list is meant to thwart companies from paying sanctioned ransomware gangs, as the prospect of federal fines alongside a ransom payment could be too much for some companies to bear.

Norsk Hydro is one example of a company that refused to pay the ransom. The manufacturer chose to shut down its system and then totally rebuild it. Productivity slowed, and people worked double shifts, but they won.

“My experience has shown that 50-75% of organizations will negotiate and work with ransomware gangs,” explains Jonathan Couch, COO, ShadowDragon. “The remaining 25-50% rely on either network architecture and backups to recover without having to pay.”

However, depending on the industry and the severity of the attack, paying may sometimes be the only obvious answer.

When REvil took down the systems of the world’s biggest meat supplier, JBS Holdings, JBS CEO Andre Nogueira saw payment as the only way to regain control. The company informed law enforcement of its decision before paying the ransom of $11 million in Bitcoin.

Michael Lieberman, assistant director of OFAC’s enforcement division, explains that “a person subject to OFAC jurisdiction can be held civilly liable” for taking matters into their own hands.

So, as JBS engaged — and then paid — a sanctioned group, could it be penalized? For a large enterprise that is so integral to the world’s food supply, it seems improbable that the U.S. government will impose federal fines after the enterprise forked out $11M.

But what about smaller companies that don’t hold as much sway with the global economy or the U.S. government? Without guidance, there is a risk of paying threat actors on the sanctioned list. If you do that, there are no assurances that the government won’t add a fine on top of your ransom payment.

Final thoughts: Incentives may be the way

The government response shows some early promise, as median ransom payments are falling. But ransomware gangs are still coming back for more.

In truth, the sanctions offer no magic bullet. Ransomware is a $14 billion industry in 2022. It could grow exponentially in the years ahead as anonymous cyber criminals use ever-evolving technology to launch new sophisticated attacks against a backdrop of global crises, from energy concerns to cost-of-living struggles.

ShadowDragon CEO, Daniel Clemens, believes, “As multiple failures occur, there will be an increase in criminal activity. We should prepare for what we want to incentivize to control the outcomes.”

While many victims realize paying doesn’t guarantee they will get their data back or avoid further attacks, other companies are not deterred by the prospect of federal fines. Perhaps governments could offer incentives like tax breaks to encourage more companies to stand firm and collaborate in the efforts to eliminate the common vulnerabilities being exploited.

Read the Ransomware Response Guide to learn how you can protect your critical information and resources.

More from Government

CIRCIA feedback update: Critical infrastructure providers weigh in on NPRM

3 min read - In 2022, the Cyber Incident for Reporting Critical Infrastructure Act (CIRCIA) went into effect. According to Secretary of Homeland Security Alejandro N. Mayorkas, "CIRCIA enhances our ability to spot trends, render assistance to victims of cyber incidents and quickly share information with other potential victims, driving cyber risk reduction across all critical infrastructure sectors."While the law itself is on the books, the reporting requirements for covered entities won't come into force until CISA completes its rulemaking process. As part of…

Important details about CIRCIA ransomware reporting

4 min read - In March 2022, the Biden Administration signed into law the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA). This landmark legislation tasks the Cybersecurity and Infrastructure Security Agency (CISA) to develop and implement regulations requiring covered entities to report covered cyber incidents and ransomware payments.The CIRCIA incident reports are meant to enable CISA to:Rapidly deploy resources and render assistance to victims suffering attacksAnalyze incoming reporting across sectors to spot trendsQuickly share information with network defenders to warn other…

Unpacking the NIST cybersecurity framework 2.0

4 min read - The NIST cybersecurity framework (CSF) helps organizations improve risk management using common language that focuses on business drivers to enhance cybersecurity.NIST CSF 1.0 was released in February 2014, and version 1.1 in April 2018. In February 2024, NIST released its newest CSF iteration: 2.0. The journey to CSF 2.0 began with a request for information (RFI) in February 2022. Over the next two years, NIST engaged the cybersecurity community through analysis, workshops, comments and draft revision to refine existing standards…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today