The FBI’s Cynthia Kaiser on how the bureau fights ransomware
When the FBI seized the Hive ransomware group’s digital infrastructure earlier this year, it dealt a major blow to one of the world’s most prolific cybercrime syndicates. It was also the result of meticulous planning and coordination with partners around the world — and a sign of how it plans to go after other hacking operations. The bureau is setting out to get inside these groups’ networks, destroy them from the inside and help victims recover their data.
Cynthia Kaiser, deputy assistant director within the FBI’s Cyber Division, joins CyberScoop’s Safe Mode podcast to talk about the Hive takedown and what else the bureau is doing to fight cybercrime. This transcript of the Safe Mode podcast from June 29 has been edited for length and clarity.
Before we get into sort of the nitty gritty of what you’re doing on the enforcement side around ransomware, I want to sort of step back and get your assessment of just how big of a problem ransomware is today.
Ransomware is obviously a significant threat, and it’s been for the last several years. Now, we know that ransomware actors don’t care who they target. In fact, they’re looking to target entities that have little tolerance for downtime. So that includes hospitals or just critical infrastructure entities. If they think you can’t live without your networks or you can’t operate without your networks, they’re going to go after you. And I think that’s what makes it so insidious and difficult is because they’re just constantly targeting. There’s new variants all the time. There’s new actors, affiliates going between the different variants, which makes it a really difficult ecosystem. As we get into talking about what the FBI is doing about it, it’s that ecosystem concept that we really need to think about. It’s not just a person developing something and then deploying it. It’s a lot of different people working across variants, working across services, cryptocurrency exchanges, marketplaces. And I think that’s that broader effort among all of the criminals that’s really putting a lot of U.S. networks at risk.
So where are these people? Where are they located? Where are these attacks coming from?
They come globally. A lot of them do come from Russia or Russian-speaking countries. And I think that that bears out in a lot of the different enforcement actions that we’ve announced recently.
It just seems like an insurmountable task to fight against this. Are you finding success in battling a lot of these operators and taking them down?
So I think we realized early on that a whack-a-mole approach doesn’t work. Take one ransomware actor down, another one pops up. So what we’re really looking to do is tighten the net around cybercriminals and around the cybercriminal ecosystem. And we do that by targeting those key services that they’re using. And you’ve seen that throughout many of the actions that we’ve done recently. And that includes not just, say, the Hive takedown, which I know we’ve all talked about a lot, but cryptocurrency exchanges like Chipmixer, which was a mixing service that was used by not just ransomware actors, it was used by the [Russian intelligence operatives].
Cryptocurrency mixers, for those who don’t know, explain that really quickly.
I think modern day money laundering. You put something from one of your wallets into a mixer, and it allows it to come out the other side in a more anonymous way.
Those services are something you guys have been looking more closely at in the past few years, right?
Absolutely, and you know there are legitimate purposes for some of that as well, but a lot of nefarious purposes. And so we’ve been looking at that because that’s a way for actors to try to get away from the monitoring that law enforcement or many of our partners can do. And it’s a way for them to really try to cash out those proceeds.
So let’s dig into the Hive takedown that you mentioned. What is Hive, first of all, or what was Hive? So let’s start there. And then I’m really interested in just the process. I know this was not a typical sort of operation, but it is sort of indicative of where you might be going in future operations against ransomware groups.
I think it’s really typical for the work that’s being done across the bureau every day. And what was great here is how public we can be about our successes. So Hive was a prolific ransomware variant that had targeted the hospitals, educational facilities, etc. And they had thousands of victims worldwide. So what we were able to do through our operation … is we were able to go through and do little steps along the way, the really hard technical work, hard investigative work to obtain access to a lot of the back-end information from Hive to be able then to sit there and gather information for months without them knowing anything. And we were able to proactively provide decrypters to … victims, hundreds of victims across the U.S., offer it to over 1,300 victims worldwide. So we were able to proactively go out to victims or even targeted entities who didn’t even know that they were targeted yet and provide them with decrypters so that they didn’t have to pay the ransomware actors.
Wow, that’s amazing. It must have been a very relieving phone call to get for somebody who’s just become a victim of ransomware. That’s often not what happens.
It was great for people to be able to get that value from the FBI. And I think it really demonstrated the value that the FBI brings into these engagements. It’s not just Hive that has decryption capability. Or we know of the private sector companies that have those decrypters and we can play matchmaker. The key element for anyone who’s been victimized by these groups is to be able to get their networks back, not have to pay that ransom, and know that they’re going to be able to kind of see the other side, keep their business going, not suffer those ill effects on the business even if you pay your ransom or you are able to get from your backups. You still have a lot of negative effects from those attacks. And we were able to head those off. And it’s a great conversation to have with everybody. Because normally people might be coming to us and saying, “Hey, something’s hit me, or hey, I’ve been attacked.” But we were able to go proactively to people and get ahead of that. And it was also nice to have data. So, because we had access and understood all of the victims that were being targeted, we were also able to compare that to what was actually being reported to the FBI.
That’s quite different, right?
It is. And we always know there’s underreporting, but we can’t really quantify that. But in this case, we could. We saw that about 20% of those victims had reported or did report to the FBI. And so that gives us a better understanding of what that scale might be. And it also gives us an understanding of how we need to more closely engage with target entities, potential victims, or just the private sector at large to ensure that we’re able to get a better, more comprehensive view of the ecosystem.
Why aren’t people reporting to the FBI when they’ve become victims of ransomware?
I think part of that is they’re not sure what they are getting when they come. Some of them might be scared. When your business is under attack, you’re worried you might have to shutter your business. Maybe that’s just not the first thing they’re thinking about. We want to try to shift that narrative. One part of that is telling people we have other capabilities. It’s not just decrypters, but we know that malicious actors come back and try to reinfect victims that they’ve done before. So, when you call the FBI, we’re able to say, hey, this is this group, this is how they might come try to reinfect you, or they might try to have moved laterally and go here. And we’re able to provide some of that context, especially even some of the classified context that we have, to try to help prevent reinfection. We need to get that message out more about the societal benefit to reporting. You know, we can’t help others if we don’t hear from you and we can’t help you if we don’t hear from others. So being able to understand that you might be the first one to experience an attack, but you’re not going to be the last. And the quicker we can get that all out there, the safer everybody is.
What we’ve been reporting on is how ransomware operators are becoming more aggressive. We’ve seen news about hospital attacks and groups just leaking the information to entice people to pay the ransom. Is that something that you’re seeing as well?
Absolutely. I think, you know, the terms we’ll end up seeing are double extortion or triple extortion. That effectively means they may threaten to leak information or they will leak information if you don’t pay the ransom. And then that kind of triple element is we actually see ransomware actors threatening business owners, customers, and up near harassment levels to get that payout from these entities. And I think that’s why that front end of ensuring there’s cyber hygiene across the network, that you’re able to defend across the network, but also you’re able to know who to contact immediately when an attack happens so that there’s not downtime and we don’t necessarily give these nefarious actors the space to conduct these horrible activities.
So with the Hive investigation, you don’t expect to see arrests made, do you? Or people sitting in court or going to jail as a result of this? And does that even matter?
No. 1, people actually might be surprised to know how many people we put behind bars that do result from several criminal investigations, but that’s not the point. If we think an arrest is both doable and effective, of course we’re going to pursue it. And we’re not going to care if it’s a U.S. arrest, a Ukrainian arrest. It doesn’t matter where it happens. It matters that we get actors off the streets. But broader than that, taking away their infrastructure, taking away their money, taking away the way in which they cash out that money is more effective. And it’s more effective when it’s not just the FBI doing it. When our international partners are involved, when our intelligence community and U.S. government partners are involved, that’s where we have the maximum benefit against actors. And that’s the point. The point is to restrict them. The point is, if they’re collecting all this money, but they can’t cash it out and use it, they’re effectively stuffing it under a mattress. And we want to restrict their ability to use that so that they stop attacking in the future.
So the FBI has its own hackers, right? I mean, the people who are in the weeds, digging into the investigation, sort of going on the offense against the bad guys. Is that something you have enough of within the Bureau?
We need more technically talented individuals to join the FBI. So that means computer scientists, data analysts, just technically trained agents or analysts, because what we are effectively doing is developing tools. So like you saw with our Operation Medusa, developing technical tools, and that was against the Russian intelligence service, we’re developing tools to be able to very selectively remove malware from networks, from closed back doors, and get the adversary off U.S. networks. And to be able to do that takes a lot of work, a lot of technically talented folks. We also need technically talented folks to be able to deploy to sites through our cyber reaction teams, gather information, and help point out how to remediate. And there is a wide gap, just like in the private sector, just like throughout a lot of the U.S. government, in getting some of those great technically talented folks on board. And it’s something we’re working on every day.
I do want to talk about that Medusa operation you just mentioned. That was also a really fascinating one, sort of read a bit like a spy thriller. Walk us through that.
So I really appreciate that question because I think FBI’s leadership on Operation Medusa really exemplifies for everybody out there just how the FBI is approaching these threats, which is first the range of authorities the FBI can bring to the table to disrupt harmful activity, the range of partners we work with from the intelligence community to DOD to private industry to global law enforcement, and then third our willingness to disrupt malicious activity through a variety of actions that include, but go well beyond, as we talked about, arrests and indictments. So backing up, on May 8, the FBI led a multi-agency joint cyber operation to globally disrupt Snake, the most sophisticated cyberespionage tool designed by the Russian Federal Security Service, known as the FSB more colloquially. And the FSB had used this tool for long-term intelligence collection for sensitive targets across the world, including government networks, research facilities, and journalists. So our first step is the FBI developed technical capabilities and deployed those capabilities in collaboration with U.S. and international partners that ultimately mitigated the malware by disrupting its critical functions, rendering it inoperable in the U.S. and abroad. So then the next day, the FBI, along with many of our U.S. and Five Eyes partners, published a joint cybersecurity advisory. If listeners haven’t read it, they should. I mean, it really is a phenomenal piece of cyberthreat intelligence because it not only goes into incredible detail about the malware itself and how to mitigate, but it also lays out all of our evidence.
So yeah, fascinating read, definitely worth looking at, and super important for people to figure out now that that’s been exposed, how to protect themselves against these vulnerabilities, patch systems, and that sort of thing. What was the timeline like from when that started to when you, to when the public found out about it?
Years. Well, we’re monitoring malware, getting a better sense of what it’s doing, what it can do. This malware was very selectively deployed, not necessarily a broad sweeping campaign. And so it takes a long time to obtain the right artifacts, technical artifacts, to get the right samples, to find it at the right time, to then do the technical evaluations to be able to figure out ways to mitigate it. Then [we have to] coordinate with our partners so that we’re not just eradicating a few instances in the U.S., but it’s going rampant globally. We wanna create these operations to be the most effective they can be, and that did take a lot of time. But I think a lot of that really is that technical back end, really hard work, that overall was just a phenomenal effort among a really great group of people.
So you’re in the thick of this every day looking at threats, many that we’re not even aware of yet, unless you want to tell us today what the next operation is. But from your point of view, are you positive that some of the things you’re doing are going to make positive change or are we just fighting against this tidal wave of threats and just keeping your head above water? How are things improving?
I think like most of your listeners, the FBI sees a constant stream of cyberthreats that highlight the time, money, and talent that our adversaries are putting into making us less safe. And with that, I feel positive that we’re developing good partnerships that are going to enable us to be better in the future. I think our private sector partnerships have never been stronger. Our relationships across the U.S. government have never been stronger. And the types of operations that we’ve been able to do really, I’d say since 2020, are phenomenal examples of operations that have real impacts. Now they’re not enough. We need to do more of them. And we’re working on doing more of them, not just us, but enabling any partner to do more of them. Part of that’s in international capacity building, working with our partners, ensuring they’re capable of combating cyberthreats because cyber has no borders. And part of that is ensuring that we’re sharing to the maximum extent we can with all our partners information that maybe we would have kept to ourselves before. But now we’re out there and we’re open. And I feel like the right framework is in place and the right use cases for a lot of these great operations are now available for us to expand that effectiveness. So I feel hopeful in the trajectory we’re going, but also, I don’t want to sugarcoat how dire some of these cyberthreats that we’re facing are, how much it can feel like, especially to U.S. businesses. I think the only thing I can give businesses in thinking about that is we still see cyber actors using the same methods to get onto networks. They’re guessing simple passwords, they’re going in through common vulnerabilities. And so there’s a lot of really simple cyber hygiene steps that enable our network owners across the U.S. to counteract this wave of threats.
And I think my ideal world is a world in which [threat] actors have to spend millions of dollars and years making tools that then they try to target us selectively with. That means when we take those down that we have a huge impact. And it means that we’re really gumming up the works of their cyber operations machine.
You must get a lot of questions, especially from people who don’t exist in the world of cybersecurity. What’s the one piece of advice you give to people to make sure that they can be more secure?
Patch. I think that there are great services in place where you can have patch services so that it’s automatic. You don’t necessarily have to remember every Tuesday to go in, but enabling some of those services, ensuring that you’re patching common vulnerabilities, that’s really one of the key ways we see adversaries targeting us.
Well, Cynthia, we could talk about this all day long, but I’m sure you’ve got other things to do. Thanks so much for joining us.
Thank you. I really enjoyed it.