US military officially confirms action against ransomware groups


Tackling ransomware operators in the US is no longer just a job for the police, but also for the military, national intelligence officers and spies, government officials have revealed.

Speaking to the New York Times, US General Paul M. Nakasone, the head of Cyber Command and the director of the National Security Agency, explained that nine months ago the US government still considered ransomware a job for law enforcement agencies.

However, as ransomware groups started targeting crucial national infrastructure (think Colonial Pipeline, JBS, and the likes), it became clear that the destructive power could undermine national security. As a result, the military took over.

Disrupting the disruptors

The new approach is more aggressive and better coordinated, pooling resources from Cyber Command, the National Security Agency (NSA) and many other agencies.

The US military has taken concrete steps against ransomware operators, General Nakasone confirmed, without going into detail about what exactly was done, saying only: “Before, during and since, with a number of elements of our government, we have taken actions and we have imposed costs. That’s an important piece that we should always be mindful of.”

The New York Times noted that in September, a country allied to the US managed to disrupt an attack by the Russian REvil ransomware group. The move prompted REvil to shut down its entire operation, at least temporarily. The paper also said the first known operation against a ransomware group came just before the 2020 presidential election, when the TrickBot group was suspected of trying to interfere with the voting.

In his interview, held at the Reagan National Defense Forum, a gathering of national security officials, General Nakasone did confirm that the US government still has a lot to learn, and is still a long way from being effective in this battle, but added that the country was “on an upward trajectory.” 

Ever since ransomware operators drew the attention of governments, many went into hiding, shutting their operations entirely. Others, on the other hand, publicly stated they would not attack government agencies, non-profits, or hospitals. 

A ransomware attack generally starts with a compromised endpoint. An unsuspecting employee shares login credentials with the attackers, who then map out the network and quietly exfiltrate sensitive data before deploying the ransomware.

Companies are advised to train their employees on the dangers of phishing and ransomware, deploy cybersecurity solutions such as malware removal tools, or firewalls, switch to zero-trust, and enforce multi-factor authentication.

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.