How the U.S. Department of Justice Can Improve Its Approach to Combat Ransomware Attacks

Earlier this month, the U.S. Department of Justice’s Office of the Inspector General released a report on how the Department could improve its approach to combat ransomware attacks.

The report included an audit and evaluated the Department’s strategy to respond and counter ransomware attacks during a two-and-a-half-year period from April 2021 through September 2023. The report’s focus on this period is notable, as 2023 saw total ransom payouts jump to their highest levels at $1.1 billion, according to a February 2024 report from Chainalysis.  

The growing threat comes from both nation-state adversaries, such as the Volt Typhoon attacks from China, and from cyber criminals, who are escalating ransomware attacks, with a 74 percent increase in the number of reports in 2023.

SecurityScorecard has also seen these ransomware spikes in several critical industries, such as aviation. Our Cyber Risk Landscape of the Global Aviation Industry Report found that ransomware was the top cyber threat across 250 leading global aerospace and aviation companies, including 100 top commercial passenger airlines.

Ransomware also continues to terrorize the U.S. healthcare system. After the Change Healthcare ransomware attacks, SecurityScorecard investigated the most critical risks faced by the 500 largest U.S. healthcare companies, which found that the supplier ecosystem was a highly desirable target for ransomware groups. The 2023 FBI IC3 report also ranked healthcare and public health as the most impacted critical infrastructure sector of 2023. I anticipate this trend continuing when 2024 data is available.

With this alarming backdrop, the Inspector General’s Report reviewed the DOJ Computer Division’s Crime and Intellectual Property Section and the FBI’s efforts. It made significant and timely recommendations for the Department to develop improved metrics to track progress and the impact to address ransomware threats. Given the national security imperative, the Department focused on the following targets:

• Increasing the percentage of reported ransomware incidents where cases are opened, added to existing cases, or resolved, or action is taken within 72 hours to 65 percent; and,
• Increasing the number of seizures or forfeitures in ransomware matters by 10 percent.

However, the Inspector General noted that there was no published action plan or progress on this goal, which was required for the past two years.

As the global leader in supply chain risk detection and response, SecurityScorecard has long advocated for more robust metrics, indicators, and key performance indicators that track with cyber hygiene and resilience.

That is why we support the IG Report’s call for stronger metrics for the next two years to track disruptions, such as the number of disruptions and measures accounting for providing decryptor keys to victims. There must be more precision beyond arrests and indictments.

As the famed management consultant Peter Drucker once said, “You can’t manage what you can’t measure.” More robust metrics and better interdepartmental coordination may help improve the Department’s chances of success. Closer-tracked data against ransomware actors could provide more insight into methods to disrupt bad actors better.  

As the White House convenes the Fourth Summit of the International Counter Ransomware Initiative this week with almost 70 member nations, we encourage member nations to partner closely to leverage the private sector’s capabilities, threat intelligence, and data to identify and mitigate ransomware attacks. We also encourage member nations to work with industry to identify meaningful metrics, standards, and KPIs to help governments improve its cybersecurity posture and build deeper supply chain resilience.