Inside the FBI’s quiet ‘ransomware summit’
In March, officials in sparsely populated Jackson County, Georgia, made a painful decision. Rather than rebuild their networks from scratch, they paid $400,000 to hackers to get the county’s data back.
The six-figure amount — eclipsed by a nearly $600,000 payment made by a Florida city in June — is symptomatic of a much larger problem. Across the U.S., poorly secured businesses, local governments, and schools have lost millions of dollars to attackers who can cheaply buy access to ransomware-as-a-service kits on underground forums.
The problem is by some measures growing more acute: Over 100 public-sector ransomware attacks have been reported in 2019 alone, double the number in 2018.
To help stem the tide of file-locking attacks, the FBI quietly convened the country’s top ransomware experts in an unprecedented, closed-door conference in September. The briefings, which occurred over two days, were a recognition by law enforcement officials that their ability to better investigate and prosecute ransomware cases hinges on the private sector sharing more data with them.
The goal of the FBI’s 2019 “Ransomware Summit” was for corporate executives to “help us fill in some of the gaps in the intel” on ransomware threats, said Herb Stapleton, section chief in the FBI’s cyber division. Those gaps, he said, stem from the fact that “there are probably thousands of attacks every year that aren’t reported to the FBI.”
Who was there
The conference, held at Carnegie Mellon University in Pittsburgh, saw organizations from computing giant IBM to consulting firm Kroll share what they’ve learned from tracking attackers and helping victims recover from ransomware. Cyber insurance companies were in the room, and a Silicon Valley startup that specializes in tracing cryptocurrency even made an appearance. One attendee estimated that the companies represented at the conference were involved in responding to more than half of enterprise ransomware attacks.
The contents of the presentations were labeled “TLP Amber,” a designation that restricts parties from sharing sensitive information beyond their organizations or clients.
Law enforcement officials asked the private executives to look for ways to anonymize victim data in order to share more of it with federal officials, according to Stapleton.
“Whatever data point that we can collect that can be used to round out that picture to lead us one step closer to attribution … so that we can impose some kind of consequence, that’s important,” he said.
Corporate executives asked the FBI for a list of types of information they could provide the bureau to aid future ransomware investigations, according to Stapleton. The executives, in turn, got an update from top federal officials on the front lines of the threat. A Justice Department attorney talked about prosecuting ransomware-related crimes, and an FBI special agent detailed the bureau’s ransomware investigations, according to a conference agenda obtained by CyberScoop.
That latter briefing would have been different had it taken place before the 2016-18 SamSam ransomware outbreak, which prompted the FBI to change the way it handles ransomware investigations. Rather than probe every individual infection across the country, the FBI groups investigations by ransomware variants.
And yet even with that consolidation — and at an agency that spends hundreds of millions of dollars annually on combating cyberthreats (the bureau declined to give ransomware-specific figures) — resources get stretched thin.
“Some of these private-sector entities have a lot broader reach than the FBI does,” Stapleton said. “They have clients who are already concerned with these types of things and there’s an opportunity [via the conference] for a unified message about instituting proper back-up protocols for your data.”
Ryuk, Texas attacks dissected
The conference was facilitated by the National Cyber-Forensics and Training Alliance, a nonprofit that describes its “sole purpose” as creating a “trusted environment” for law enforcement to trade information with the private sector to fight cybercrime.
Participants were able to view the fight against ransomware from different angles. For the FBI, which advises victims not to pay the ransom, that meant hearing from Coveware, a firm that negotiates with attackers.
When the victim has no other way of recovering their data, “our methods are the methods of last resort,” said Coveware CEO Bill Siegel, who shared some negotiation techniques with conference attendees.
Siegel praised quiet forums like the one at Carnegie Mellon for fostering personal connections between federal officials and private ransomware specialists that can “greatly augment investigations [and] recovery.”
Attendees also shared tips on defending against rampant strains of ransomware like Ryuk, which has netted criminals millions of dollars. They studied the spread of a ransomware infection that hit 23 local governments in Texas in August in order to prevent that from happening again.
The briefings, Stapleton said, were the start of a more thorough dialogue with the private sector on how to solve the most pressing challenges in ransomware.
There will be a simple way to measure progress.
“We’re hoping to put fewer people, fewer businesses in that position where they have to make that difficult choice on whether or not to pay the ransom,” Stapleton said.