Global Alliance Against Ransomware: United States and Allies' Strategies to Counter Criminal Actors

Line of Effort 6: Counter Criminal and Ransomware Actors

For many countries, the greatest risk to their digital security and economies is online scams, criminal hacking, and other financial crimes. Ransomware in particular has emerged in recent years as a clear threat to national security, public safety, and economic prosperity. Operating from safe havens like the PRC, DPRK, Iran, Russia, and certain other countries, ransomware operators have disrupted government services, hospitals, schools, pipeline operations, and civil society entities. With some states using ransomware actors as proxies or turning a blind eye to their activities and the significant impact of their cyberattacks on critical infrastructure, it is increasingly clear that ransomware activity can threaten international peace and security. Digital solidarity is clearly expressed through the Department of State’s efforts to leverage its diplomatic capabilities to support the whole-of-government fight against ransomware and other forms of cybercrime, including by building partner capacity; developing coalitions to prevent, disrupt, and punish criminal behavior; and fostering cooperation with the private sector.

The Departments of State, Homeland Security, and Justice will continue to participate in the U.S. Joint Ransomware Task Force and to partner with private industry and international allies to disrupt online criminal infrastructure and resources, take down botnets, and seize cryptocurrency garnered from ransomware campaigns. For example, the U.S. Transnational and High-Tech Crime Global Law Enforcement Network (GLEN) program—a long-standing partnership between the Departments of State and Justice—is a global law enforcement capacity-building network of DOJ International Computer Hacking and Intellectual Property (ICHIP) regional advisors, computer forensic analysts, and federal law enforcement agents. Twelve ICHIP attorney advisors are located around the world. The ICHIP advisor based in The Hague facilitated cooperation among the United States, France, Germany, the Netherlands, the United Kingdom, Romania, and Latvia in the largest ever takedown of the botnet and malware known as Qakbot in August 2023. The network also delivers training and technical assistance to foreign law enforcement partners, prosecutors, and judicial authorities to combat intellectual property theft and cybercrime activity, as well as to assist in the collection and use of electronic evidence to combat all types of crime. The program improves U.S. security by reducing the use of foreign computing infrastructure for malicious activities targeting U.S. networks and by showing that no malicious actor can evade the rule of law.

The GLEN has stood up five regional cryptocurrency working groups around the globe, which are dedicated to information sharing and capacity building to address criminal misuse of cryptocurrency, including in ransomware. Additional priorities for capacity building include Internet fraud and combating the growing scourge of online child sexual exploitation and abuse.

The Department of State will continue to use its diplomatic engagements and capacity building to broaden and strengthen participation in the International Counter Ransomware Initiative (CRI). The CRI is a unique and geographically diverse coalition of nearly 60 countries, plus multilateral institutions such as the European Union, Interpol, and Organization of American States, committed to building collective resilience to ransomware, cooperating to disrupt ransomware and pursue the actors responsible, countering the illicit finance that underpins the ransomware ecosystem, and working with the private sector to defend against ransomware attacks. As a complement to the CRI, the Department of State, in coordination with the U.S. Joint Ransomware Task Force, will continue to develop bilateral and multilateral efforts designed to discourage states from sponsoring ransomware or permitting their territories to be used as safe havens by cyber criminals.

The work of the CRI supports the implementation of the framework for responsible state behavior in cyberspace, including the voluntary norm that “states should respond to appropriate requests for assistance by another state whose critical infrastructures are subject to malicious ICT acts,” in addition to “appropriate requests to mitigate malicious ICT activity aimed at the critical infrastructure of another State emanating from their territory, taking into account due regard for sovereignty.” [5]