Homeland Security Committee report flags lack of data on ransomware attacks, cryptocurrency payments

A report released this week by the Senate Homeland Security and Governmental Affairs Committee provided details on the role that cryptocurrencies continue to play in emboldening and incentivizing cybercriminals to commit ransomware attacks that pose an increasing national security threat. It also found that the federal government lacks sufficient data and information on ransomware attacks and their use of cryptocurrency.

The key findings of the report, produced by the Committee under U.S. Senator Gary Peters, a Democrat from Michigan and chairman of the Senate Homeland Security and Governmental Affairs Committee, were that the federal government lacks comprehensive data on ransomware attacks and on the use of cryptocurrency in ransom payments, and that current reporting of ransomware attacks and cryptocurrency ransom payments is fragmented across multiple federal agencies.

The report also found that the lack of reliable and comprehensive data on ransomware attacks and cryptocurrency payments limits the tools available to guard against national security threats, and that the data currently available limits both private sector and federal government efforts to assist cybercrime victims. Over a ten-month investigation, Committee staff interviewed federal law enforcement and regulatory agencies, as well as private companies that assist ransomware victims with ransom demands.

Ransomware attacks have targeted hospitals, school systems, local, state, and federal government agencies, as well as other critical infrastructure, including the water and energy sectors. “In 2021, ransomware attacks impacted at least 2,323 local governments, schools, and healthcare providers in the United States,” the Peters report said. Many of these attacks generated significant losses and damages for victims. 

The World Economic Forum has said that ransomware attacks increased by 435 percent in 2020 and ‘are outpacing societies’ ability to effectively prevent or respond to them.’

“A three-year comparison of the number of complaints of ransomware submitted to the Federal Bureau of Investigation (FBI) between 2018 and 2020, demonstrates a 65.7 percent increase in victim count and a staggering 705 percent increase in adjusted losses,” according to the Peters report. “In 2021, the agency received 3,729 ransomware complaints with adjusted losses of more than $49.2 million. However, even these figures likely drastically underestimate the actual number of attacks and ransom payments made by victims and related losses. In fact, the FBI acknowledges that its data is ‘artificially low,’” it added.

Further evidence of this under-reporting is that the government data is significantly lower than several private sector estimates. “In interviews with Committee staff, federal officials and private sector companies each acknowledged the need for more compliance and data (e.g., reporting of incidents and ransom payments). When more data is collected, the federal government will be in a better position to assist existing and potential cybercrime victims with prevention, detection, mitigation, and recovery. Such information also facilitates more efficient investigation and prosecution of illicit actors,” the Peters report added.

“As Russia’s invasion of Ukraine continues and Russia seeks to find ways around the international finance system, the need to address these shortfalls grows,” the Peters report said. “Approximately 74 percent of global ransomware revenue in 2021 went to entities either likely located in Russia or controlled by the Russian government. Further, CISA and other federal agencies have warned that Russia’s invasion of Ukraine could lead to additional malicious cyber activity, including ransomware attacks, in the United States. Therefore, as the report finds, prioritizing the collection of data on ransomware attacks and cryptocurrency payments is critical to addressing increased national security threats,” it added. 

To address the current lack of information regarding the breadth and depth of the ransomware threat, Senators Peters and Rob Portman, a Republican from Ohio, introduced the Cyber Incident Reporting Act of 2021, which passed the Senate as part of the Strengthening American Cybersecurity Act of 2022, the report said.

The incident reporting provisions later became law as the Cyber Incident Reporting for Critical Infrastructure Act of 2022 in the Consolidated Appropriations Act of 2022 in March. The new reporting mandates in the law will begin to address this problem. Nevertheless, as indicated by the findings in the report, the Administration and Congress must remain vigilant against this growing threat, it added. 

The Peters report revealed that multiple agencies interviewed by Committee staff found that cryptocurrency, typically Bitcoin, has become a near-universal form of ransom payment in ransomware attacks, in part, because cryptocurrency enables criminals to extort huge sums of money from victims across diverse sectors with incredible speed. The payment structure’s decentralized nature, as well as irregular regulatory compliance by some entities within the space and new anonymizing techniques, contribute to the challenges law enforcement faces when seeking to arrest criminal actors, particularly foreign-based actors. 

“High-profile attacks, such as Colonial Pipeline, demonstrate ransomware attackers’ threat to national security,” the Peters report said. “The FBI’s recovery of over half of the ransom paid by Colonial Pipeline, however, shows that with access to the right information, law enforcement can leverage cryptocurrency’s unique features as well as other investigative techniques to track down cyber criminals and recover stolen funds,” it added. 

Unfortunately, data reporting and collection on ransomware attacks and payments is fragmented and incomplete, the report found. Two federal agencies each claim to host the government’s one-stop location for reporting ransomware attacks – the Cybersecurity and Infrastructure Security Agency (CISA) StopRansomware.gov website and the FBI’s IC3.gov. The two websites are separate and, while the agencies state that they share data with each other, ransomware incident response firms told Committee staff that they doubted how effectively those communication channels help victims of an attack, it added.

The Peters report set out four recommendations that the Administration should swiftly implement to address the current threat landscape, including requiring critical infrastructure to report cyber-attacks and ransom payments. CISA should complete the required rulemaking as soon as possible to implement the Cyber Incident Reporting for Critical Infrastructure Act of 2022, signed into law as part of the Consolidated Appropriations Act of 2022, which mandates reporting of substantial cyber-attacks against critical infrastructure and of ransomware payments.

Furthermore, federal agencies should implement the requirement in the law to share all cyber incident reports with CISA to enable a consolidated view of incidents from across different sectors and reported under different regulatory regimes, the Peters report said.

The federal government should standardize existing federal data on ransomware incidents and ransom payments to facilitate comprehensive analysis, the report said. Agencies should standardize how data from existing reporting requirements for ransomware incidents and ransom payments is organized and formatted across federal government agencies to enable more comprehensive information sharing and analysis. 

The Peters report also called upon the U.S. Congress to establish additional public-private initiatives to investigate the ransomware economy. The federal government should promote public-private partnerships to research the ransomware economy, in particular, the interrelationships between cybercriminals who conduct or facilitate ransomware attacks and the financial structures facilitated by cryptocurrencies that sustain cybercriminals’ illicit activities, including privacy coins. These partnerships should also examine ransomware infrastructure to help design and promote effective countermeasures.

Congress should support information sharing regarding ransomware attacks and payments including crowdsourcing initiatives. Congress and relevant agencies should consider ways to support partners within the private, nonprofit, and academic sectors seeking to expand the collection and organization of information on ransomware attacks including by examining federal funding options and sharing anonymized data regarding ransomware attacks and payments. Additionally, government agencies should collaborate with partners to identify viable crowdsourcing initiatives to pool information regarding ransomware attacks and extortion payments. 

Peters’ investigation determined that more information and oversight are needed not only to address the cybersecurity threat posed by ransomware attacks, but also to address the challenges law enforcement faces in enforcing anti-money laundering laws and holding cybercriminals accountable in order to deter and prevent future attacks.
