The US government lacks comprehensive data on ransomware attacks, including how much is lost in payments, according to a new report by the United States Senate Committee on Homeland Security & Governmental Affairs.
The report presented the findings of a 10-month investigation into the growing threat of ransomware. It cited FBI figures showing that the agency had received 3729 ransomware complaints with adjusted losses of more than $49.2m. However, even these figures “likely drastically underestimate the actual number of attacks and ransom payments made by victims and related losses.”
Following numerous interviews with federal law enforcement and regulatory agencies, in addition to private companies that assist ransomware victims with extortion demands, the report concluded that there is a lack of data on this surging attack vector at the government level. Changing this is vital because “more data is needed to better understand and combat these attacks.” In addition, it noted that this information will assist the investigation and prosecution of ransomware threat actors. The committee also emphasized the significant threat ransomware poses to US national security, as demonstrated by the Colonial Pipeline incident last year.
Yet, “data reporting and collection on ransomware attacks and payments is fragmented and incomplete,” according to the Committee’s report. This is partly due to two separate federal agencies – the Cybersecurity and Infrastructure Security Agency (CISA) and the FBI – hosting different websites that each claim to host the government’s one-stop location for reporting ransomware attacks. While the agencies state they share data with each other, “ransomware incident response firms questioned the effectiveness of such communication channels’ impact on assisting victims of an attack.”
The investigation also highlighted the growing role of cryptocurrencies, particularly Bitcoin, in ransomware attacks, which “has become a near-universal form of ransom payment.” The authors noted that the decentralized nature of these currencies makes it challenging for law enforcement to identify and arrest the perpetrators, particularly foreign-based groups. However, the FBI’s recovery of over half the ransom paid by Colonial Pipeline showed that “with access to the right information, law enforcement can leverage cryptocurrency’s unique features as well as other investigative techniques to track down cyber-criminals and recover stolen funds.”
The committee therefore recommended the prioritization of data collection on ransomware attacks as a crucial means of addressing increased national security threats. This includes swiftly implementing the Cyber Incident Reporting for Critical Infrastructure Act, signed into law this year by President Joe Biden.
Commenting on the findings, Senator Gary Peters, chairman of the Senate Homeland Security and Governmental Affairs Committee, said: “Cryptocurrencies – which allow criminals to quickly extort huge sums of money, can be anonymized, and do not have consistently enforced compliance with regulations, especially for foreign-based attackers – have further enabled cyber-criminals to commit disruptive ransomware attacks that threaten our national and economic security.
“My report shows that the federal government lacks the necessary information to deter and prevent these attacks and hold foreign adversaries and cyber-criminals accountable for perpetrating them. My bill that was recently signed into law to require critical infrastructure to report cyber-attacks and ransomware payments will be a significant step to ensuring our government has better data to understand the scope of this threat, disrupt the incentive virtual currencies provide for cyber-criminals to commit attacks, and help victims quickly recover after breaches.”