Senate Homeland Committee ransomware report analyzes attacks, highlights need for coordinated response

The U.S. Senate Committee on Homeland Security & Governmental Affairs (HSGAC) released a ransomware report that documents the experiences of three victims targeted by the Russia-based ransomware group REvil. It details ‘the experiences of those companies during the incident response,’ and seeks to provide information that companies and agencies can use to prepare for and respond to ransomware attacks.

The report details how difficult it is for all organizations to account for all vulnerabilities and defend against sophisticated cyber adversaries. It further demonstrates the need for enhanced visibility into cyberattacks against the U.S. to effectively respond and warn potential victims. In addition, the report has background information on Russian cyber aggression, including attacks against Ukraine. 

The REvil ransomware group monetized access to victim networks and sold that access to other REvil affiliates, according to the ransomware report, titled ‘America’s Data Held Hostage: Case Studies in Ransomware Attacks on American Companies.’ It also found that, before encrypting victim organization networks, REvil used double extortion methods to steal sensitive data from victims and then publish the data on REvil’s public blog. The report added that REvil harassed victim company employees via email and telephone to coerce the companies into paying ransoms.

Ahead of its “unlawful and unprovoked invasion of Ukraine, Russia executed several coordinated cyberattack campaigns against Ukraine and other eastern European countries,” the ransomware report said. “Both Ukraine and the United States have warned that U.S. agencies and critical infrastructure could be Russia’s next target in retaliation for our unwavering support of Ukraine,” it added.

Released on Thursday, the Senate Committee report states that ransomware is on the rise, as the U.S. suffered the most ransomware attempts at 421.5 million, a 98 percent increase from 2020. “Americans have become all too familiar with the real-world impact of high-profile ransomware attacks like those on Colonial Pipeline, America’s largest fuel pipeline, and JBS, the world’s largest beef producer,” it added.

“The three companies have little in common in terms of business model, purpose, or number of employees,” the report said. “Entity A is a global multi-sector Fortune 500 company with roughly 100,000 employees. Entity B is a global manufacturing company with several thousand employees. Entity C is a technology firm with only 50 employees. Nevertheless, all three were targeted by the same ransomware group. This underscores the broad threat ransomware presents and the proactive steps all organizations must take to implement cyber best practices,” it added.

The ransomware report also found that organizations, regardless of size and sophistication, are susceptible to ransomware attacks. It also revealed that ransomware groups often use phishing attacks to gain initial access to victim networks. In previous ransomware attacks, multi-factor authentication, zero trust principles, and network segmentation helped prevent attackers from gaining or increasing access to sensitive data in a victim’s networks. 

The Senate Committee report further revealed that maintaining offline backups and an appropriate incident response plan helped victims resume critical operations quickly without paying a ransom when attackers did get in. The laws and regulations at the time discouraged victims from sharing information with other potential victims that could prevent future ransomware attacks. 

In two cases reviewed in the ransomware report, the FBI ‘prioritized its investigative and prosecutorial efforts’ to disrupt attacker operations over the victims’ need to protect data and mitigate damage. Additionally, until recently, there was no federal agency charged with collecting and tracking reports of cyber incidents to prevent and mitigate future attacks.

The report found that ransomware criminals have refined their techniques to increase the pressure on victims to pay the ransom, and that several recent trends have emerged. The newer techniques include stealing and threatening to release sensitive victim data in double extortion attacks targeting high-value organizations and data, rebranding to evade law enforcement, and using ransomware services-for-hire affiliate structures.

“Ransomware attacks, like the one on Colonial Pipeline or JBS Foods, are a painful reminder that these incidents have real-world consequences,” U.S. Senator Rob Portman, a Republican from Ohio and Ranking Member of the Senate Homeland Security and Governmental Affairs Committee, said in a media statement. “This report shows that all organizations, no matter the size or financial resources, can fall victim to sophisticated cyber adversaries. It also shows how organizations can take proactive steps to secure their networks against the most damaging impacts of ransomware attacks.”

The ransomware report advised that the Cybersecurity and Infrastructure Security Agency (CISA) should immediately share all incident reports received under the ‘Cyber Incident Reporting for Critical Infrastructure Act’ with the Federal Bureau of Investigation (FBI). It also recommended that the FBI should ensure it considers ransomware victim priorities like protecting data and mitigating damage. 

Organizations must work towards increasing costs for attackers by eliminating low-hanging fruit, the Portman ransomware report suggested. It also advised implementing a defensive posture that assumes the organization has been breached and adopting a cyber incident response plan before an attack occurs. It further advocated maintaining offline backups and encrypting sensitive data when stored and in transit.

The Portman ransomware report concluded that, to help address ransomware threats and facilitate information sharing, CISA and the National Cyber Director should work with other appropriate agencies to implement recently enacted legislation requiring critical infrastructure owners and operators to report cyber incidents and ransomware payments to CISA.

“Implementing this legislation will enhance the Federal Government’s visibility into cyberattacks taking place across the United States and enable a coordinated response against the hostile nation-states and criminal organizations responsible,” it added.

The Senate Committee report comes at the same time as the FBI’s Internet Crime Complaint Center (IC3) report, which revealed that close to 650 organizations were targeted by ransomware across the critical infrastructure sector in 2021. The IC3 report further anticipates an increase in critical infrastructure victimization this year.
