
RSA 2020: How the FBI Thinks About, Responds to Ransomware 

At this year's RSA cybersecurity conference, one session looked at the ways in which the Bureau is attempting to work together with private industry to track and prosecute hackers who spread the malware.

RSA - Lucas Ropek II
SAN FRANCISCO — One of the more frequently discussed cyberthreats this week at RSA 2020 has been one that state and local governments know all too well: ransomware.

As hackers have wreaked havoc on cities and states across the country, the FBI has often played an important post-incident role, coming in to conduct digital forensics and help communities understand the scope and nature of the attacks.

But the FBI is also proactively on the hunt for would-be cybercriminals, an endeavor that occasionally leads to prosecutions but which faces many challenges along the way. 

Joel DeCapua, an FBI special agent with a background in digital forensics and network intrusion investigations, discussed the Bureau's work at the conference's Emerging Threats seminar this week, explaining some of the ways federal authorities look for and apprehend hackers.

The decentralized nature of the FBI leaves it up to 26 separate field offices across the country to investigate regional cybercrimes. Most field offices have at least five to six officers working on cyberoperations at one time. Larger ones, like in San Francisco, can have as many as 50. 

Currently, the Bureau has 49 open investigations regarding ransomware, each of which is looking into a different “brand” of the malware, DeCapua said.

Officers are frequently charged with looking into illicit online marketplaces, the forums where criminals hire and coordinate hacking teams, hawk malware and engage in other illegal activities.

“This is someone who’s built ransomware and he’s looking for affiliates to install it. He’s willing to pay them a cut of any kind of proceeds [that] they get,” said DeCapua, showing the audience screenshots of websites where the malware is peddled as a service.

These websites also serve as places where stolen identity credentials and hacked systems can be bought and sold. Access to already hacked servers can be purchased in bulk on these sites, with hackers spending thousands of dollars in the hopes that one will lead to a big prize — a gateway into a large company or government server that can be extorted for big money.

Once they’ve found and breached a network, hackers move quickly, seeking to escalate their privileges within it to do the most damage possible, DeCapua said.

To investigate suspected criminals, the Bureau utilizes a number of legal tools to expedite investigations. These include remote searches, which, under an amended federal criminal procedure rule, allow federal authorities to access computers in any jurisdiction if they have a search warrant, as well as Electronic Communications Privacy Act process, which lets them compel individual subscriber records from providers and other organizations.

"Basically we're just able to go to providers and get additional information from them," DeCapua said, describing some of the techniques. 

This is in keeping with the FBI’s long-term goal, which has been to foster greater collaboration and information sharing between itself and the private sector as a method of tracking down criminals. At a summit in January, the Bureau expressed the need to foster tighter relationships with providers and vendors as a means of securing additional information for cyberinvestigations.

"Hopefully you guys have relationships with all the people who sit in our field offices," DeCapua said to the audience. "We're supposed to go out and form relationships with security researchers and companies." 

These occasionally do lead to success stories, DeCapua shared, pointing to the capture and prosecution of Scan4You author Ruslans Bondars, a hacker who ran an online counter-antivirus service that let malware authors test whether their software could be detected by antivirus products. Bondars was sentenced to 14 years in prison in September 2018.

Lucas Ropek is a former staff writer for Government Technology.