To fight ransomware, DOJ wants companies to talk more

Paying off ransomware hackers just encourages more attacks, according to a senior Justice Department official.


Better communication between law enforcement and companies could put a dent in ransomware attacks that have been the scourge of corporate America in recent months, according to a top Justice Department official.

"As long as people are handling that on their own and making payments, we're funding the development of more of these tools and more of these actors," John Carlin, assistant attorney general for national security, said June 28 at the Center for Strategic and International Studies.

Ransomware is a form of malware that typically encrypts a computer user's data and withholds the decryption key until the victim pays the attackers, usually in cryptocurrency. The FBI discourages ransomware victims from paying, but with their proprietary data on the line, companies often cave. Hackers exacted $209 million in ransomware payments in the first three months of 2016, according to the FBI.

A spate of recent ransomware attacks on U.S. hospitals has alarmed policymakers, drawing attention to what is increasingly seen as a serious threat to U.S. companies and infrastructure. And federal agencies are far from immune. There have been 321 incident reports of "ransomware-related activity" affecting 29 different federal networks since June 2015, the Department of Homeland Security said in a report publicized in March.

Carlin used the recent case of an Islamic State-linked hacker named Ardit Ferizi to preach the virtues of closer government-industry cooperation in tackling cyber crime.

Earlier this month, Ferizi pleaded guilty to providing material support for the Islamic State. The Kosovar is accused of breaking into the database of an unnamed company that contained the personal information of U.S. federal employees. Ferizi then allegedly passed that information to an IS terrorist who posted it to social media with an exhortation for IS sympathizers to kill the named Americans.

Ferizi allegedly asked the victim company for about $500 in Bitcoin to relinquish access to the company's server. Carlin praised the company for working with law enforcement rather than keeping the matter to itself. No U.S. company that knew a hacker had ties to the Islamic State would choose to handle such an extortion scheme on its own, he added.

The problem for Carlin and the Justice Department, however, is that the Ferizi case is not the norm. "All across the country today, there are companies [that] do not" work with the U.S. government when they are being extorted via ransomware or some other method, Carlin told reporters. "The more common practice would be just to pay off" the hackers, he said.

Carlin worried about what he called a "blended threat" of criminal hackers like Ferizi teaming up with terror groups or nation-states.

"As the cost of getting caught increases, you're going to see nation-states trying to use proxy groups to commit their activity, and part of that might be trying to take advantage of criminal groups," Carlin said.