Joint Ransomware Task Force
The work of this interagency body represents a significant step forward in the U.S. government’s efforts to address the growing threat of ransomware attacks.
Ransomware incidents continue to affect far too many organizations – shutting down school districts, disabling emergency communications, forcing hospitals to divert patients, causing untold losses to businesses across the country. Countering a threat of this magnitude requires effectively leveraging every available tool – and coordinating each tool to maximize our impact. The Joint Ransomware Task Force (JRTF) is an interagency body established by Congress to achieve this goal.
As designated in Section 106 of the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA), JRTF serves as the central body for coordinating an ongoing nationwide campaign against ransomware attacks in addition to identifying and pursuing opportunities for international cooperation. JRTF, co-chaired by CISA and the Federal Bureau of Investigation (FBI), coordinates existing interagency ransomware efforts and identifies new initiatives to effectively leverage the unique authorities and capabilities across the U.S. Government and the private sector to address ransomware threats.
JRTF coordinates, deconflicts, and synchronizes efforts across federal; state, local, tribal, territorial (SLTT); and private sector partners and, when applicable, with international partners. JRTF also leverages ransomware-related centers of excellence and relevant organizations to further the national effort to mitigate the ransomware threat.
Authored in coordination with JRTF in May 2023, the guide is a customer centered, one-stop resource with best practices and ways to prevent, protect and/or respond to a ransomware attack.
The task force prioritizes the strategic direction of two lines of effort: mitigation/protection and countering/disruption.
Each participating federal agency leverages its existing authorities and capabilities to support JRTF in achieving these objectives. JRTF's activities include:
- Developing and sharing best practices for preventing and responding to ransomware attacks,
- Conducting joint investigations and operations against ransomware threat actors,
- Providing guidance and resources to organizations that have been victimized by ransomware,
- Prioritizing operations to disrupt specific ransomware actors,
- Identifying a list of highest threat ransomware entities updated on an ongoing basis, and
- Collecting, sharing, and analyzing ransomware trends.
In 2023, JRTF has made important strides in creating a foundation and unifying efforts to advance our shared efforts against ransomware threats, including activities to:
- Standardize and synchronize federal engagement with ransomware victims to offer services and assess any gaps to ensure that victims of ransomware incidents receive the necessary support to restore services and minimize damage.
- Collect data and metrics that will improve the cybersecurity community’s collective understanding of ransomware affecting U.S. organizations and trends associated with actors, victims, and impacts, which will in turn inform U.S. government actions to counter the threat, provide more actionable guidance, and evaluate progress.
- Expand operational collaboration and multi-directional intelligence sharing between JRTF members and non-governmental partners including the private sector and the international community to more effectively prevent, detect, and respond to evolving ransomware campaigns.
- Examine and compile lessons learned from recent ransomware incidents in key sectors to address gaps in coordination, increase effectiveness of information sharing, and improve the federal government’s response and preparedness posture.
- Leverage the intelligence collection capabilities of all partners, process intelligence community analysis, and manage intelligence engagement with international partners to drive the planning and execution of synchronized JRTF operations.
- Organize existing interagency campaigns to disrupt ransomware actors and strengthen national cyber defense against ransomware operations, while also collaborating with relevant partners on new campaigns efforts.
External Partners Working Group
JRTF’s work to unify capabilities and resources across the U.S. government represents a significant step forward in the U.S. government’s efforts to address the growing threat of ransomware attacks. The task force’s External Partners Working Group will continue to accelerate progress and work with partners across the cybersecurity community, with a focus on operational collaboration with organizations from:
- Private sector companies and researchers that have demonstrated expertise on cybercriminal threats or have particular visibility into ransomware threats, ransomware attacks, or the larger cybercrime ecosystem;
- Critical infrastructure sectors including the sector risk management agencies (SRMAs) and information sharing and analysis centers (ISACs); and
- The international community, including peer cybersecurity, intelligence, and law enforcement agencies in partner countries.
JRTF, working closely with partners, will drive measurable progress in reducing the prevalence of damaging ransomware events affecting American organizations.