The Department of Justice (DOJ) actively wages a war on cybercrime by targeting criminals and using the law to make them pay for their actions. The DOJ does this by following up on reports of cybercrime and proactively monitoring attack surfaces to learn more about criminal activity.
Using these two general approaches, the DOJ is able to:
- Protect people and businesses
- Deter criminals from launching attacks that inflict considerable damages
The DOJ Takes Down Ransomware Attacker Maksim Berezan
The DOJ performs deep investigations of both digital and physical assets to pull ransomware attackers out of the shadows, and the case of Maksim Berezan is a prime example. Mr. Berezan received a 66-month prison sentence in March 2022 for his years-long role in the facilitation of computer hacking, ransomware attacks, and theft of financial information. His participation in ransomware-related attacks resulted in losses of more than $53 million, and he was ordered to pay back over $36 million.
One of the more interesting aspects of the Maksim Berezan case, however, is how the DOJ ended up uncovering his long list of offenses, proving them, and then bringing him to justice, as you’ll see below.
The Berezan story is a quintessential example of what Asst. Attorney General Kenneth A. Polite Jr. referred to when he said, “Many of the world’s ransomware players began as fraudsters engaged in other types of online crimes, and this case demonstrates that their crimes will catch up to them.”
How the DOJ Nabbed Maksim Berezan
The DOJ, in partnership with the FBI, had been investigating an online criminal forum known as DirectConnection. Its members consist of Russian-speaking cybercriminals, who had been sharing attack methodologies and information since 2015.
Cashouts and Drops
Berezan had been using the forum to arrange what are known as “cashout jobs.” A cashout job involves stealing credit card information and using it either to make fraudulent purchases or to withdraw funds from someone’s bank account without their authorization.
The cashout is the first step in the theft. The next step is what’s referred to as a “drop.” This is a location or person that receives and forwards the goods or funds obtained through the cashout. Because criminals conceal the details of their drops and use them to create a degree of separation between each person involved in the theft, it’s harder for law enforcement officials, credit card companies, and banks to stop or detect the fraud.
Authorities Catch Up with Berezan
In the case of Berezan, subterfuge and secrecy weren’t enough. The DOJ and its partners uncovered evidence of his activity and forwarded it to Latvian authorities, who then went to his house and discovered his stash:
- A black Porsche Cayenne
- A red Porsche Carrera 911
- A Ducati motorcycle
- $200,000 in fiat currency
- $1.7 million in bitcoin
As it turns out, the investigation, which was already a success, was just the beginning.
From Luxury Vehicles and Jewelry to Ransomware Money
The next step was extraditing Berezan to the United States—which happened in December 2020. In addition to Berezan himself, authorities also forwarded the electronic devices discovered during the search of his Latvian residence.
It was at this point that they found out where he got the money to buy his Porsches, the Ducati, and jewelry. He had participated in at least 13 ransomware attacks, seven of which had been against U.S. victims. Around $11 million had been funneled directly into his cryptocurrency wallet.
The U.S. government’s approach to ransomware criminals like Maksim Berezan is well-summed up by Special Agent-in-Charge Matthew Stohler of the U.S. Secret Service: “While we have long been in the business of protecting money, from the earliest days of coins and paper, to plastic, and today’s more accessible and commonplace digital currencies, we also remain in parallel footprint to the evolution of criminal behavior into cyberspace.”
Is Ransomware a Federal Crime?
Yes, the actions perpetrated by ransomware criminals are punishable according to federal law. While there is no specific law called “The Ransomware Protection Act” or something similar, what cybercriminals do during a ransomware attack falls under specific federal regulations.
For example, the Computer Fraud and Abuse Act (CFAA) directly addresses violations stemming from a ransomware assault. Laws against people who aid and abet ransomware attackers also exist.
There is currently no law against paying a ransom if your company gets attacked, but if you know the money is going to a terrorist organization, you could be prosecuted under federal law. Therefore, it’s important that you understand where the attack is coming from, including the organizations attackers may represent, before deciding how to deal with a ransomware situation.
How the American Law Deals with Cybercrime
As mentioned above, the primary tool federal law enforcement officials wield in the fight against cybercrime is the Computer Fraud and Abuse Act (CFAA). This law protects federal computers, bank computers, and any computer connected to the internet. It specifically addresses malicious cyber activity, including:
- Trespassing on someone else’s computer or network
- Issuing threats over the internet
- Damaging a computer or network
- Using a computer to commit fraud
The CFAA also specifies common tools hackers use, such as worms, viruses, Trojan horses, and denial-of-service (DoS) attacks, to name a few.
What the FBI and DOJ Are Doing in the Fight Against Ransomware
The online resource StopRansomware.gov is another one of several weapons the Federal Bureau of Investigation (FBI) and the DOJ use to apprehend cyberattackers. At the bottom of the site is a button that visitors can click to report an incident. You can then choose which agency to report the attack to: the FBI, the Cybersecurity and Infrastructure Security Agency (CISA), or the Secret Service.
In addition to making it easy to report attacks, the website has information on what ransomware is, what to do in case of an attack, and a catalog of known vulnerabilities. The site also includes info about:
- How to protect your networks
- Services you can use to protect your systems
- What to do if an attack interrupts essential services that impact the health and safety of the public
- How to prepare for a ransomware attack
The site also offers free CISA scanning and testing and the Cybersecurity Evaluation Tool (CSET). The no-cost CISA scanning service covers:
- Vulnerability scanning to identify vulnerable assets and systems
- Remote penetration testing that imitates the techniques attackers use to access your network
- Phishing campaign assessments to test how vulnerable your organization is to phishing attacks
- Web application scanning to determine website weaknesses that hackers could leverage
The DOJ takes legal action on behalf of ransomware victims, and StopRansomware.gov conveniently provides the first step you can take: go to the website and report the incident. This gets the ball rolling. The DOJ begins an investigation and uses the information you provide to go after the attackers—whether or not the attack has ended.
Reporting a cybercrime increases the chances of both stopping the attack and getting your money back if you’ve already paid a ransom. This is what happened in the Colonial Pipeline incident—the DOJ retrieved $2.3 million, about half the ransom money the hackers collected.
More Examples of DOJ Action Against Ransomware
Online criminals are using various forms of subterfuge to their advantage, and the fight is no longer just for cybersecurity professionals, IT teams, and government entities like the DOJ. As FortiGuard Labs’ Derek Manky puts it, “This is personal.”
To this end, cybersecurity companies such as Kaspersky, Trend Micro, McAfee, Fortinet, and Barracuda Networks have all taken up digital arms against attackers, bolstering the effectiveness of their products through continuous research and proactively monitoring the threat landscape.
While the successes of cybersecurity providers often go unpublished, significant victories by the DOJ have earned public recognition. For example:
- The DOJ arrested two conspirators for allegedly laundering $4.5 billion in stolen cryptocurrency. By the time the arrest announcement was made, the department had already recovered $3.6 billion. According to the DOJ, the arrests demonstrated that “cryptocurrency is not a safe haven for criminals.”
- The DOJ charged two Chinese nationals—hackers who belonged to the cyber espionage group known as APT10—in connection with an attack designed to steal proprietary business data. The DOJ claimed the attack was directed by the Chinese government. In addition to businesses, the hackers went after members of the U.S. military, taking sensitive information from the U.S. Navy, including social security numbers, salary information, dates of birth, phone numbers, and email addresses.
When a cybercriminal goes after an individual, business, network, or system in the United States, the DOJ can go after them, including those who support them. This could result in criminal penalties that range from prison time to financial damages.
Leveraging the Long Legal Arm of the DOJ
The DOJ’s counterattack on cybercriminals is supported by legislation, such as the CFAA, as well as other federal statutes. For organizations and individuals looking to protect themselves, a good starting point would be making use of the tools available on StopRansomware.gov.