Ransomware attack case studies offer rare learning opportunities | Patterson Belknap Webb & Tyler LLP

Ransomware attacks have become mainstream media headlines and a hot topic not only on this blog but also in government circles. And for good reason: the United States suffered 421.5 million ransomware attempts last year alone, a 98% increase from 2020. This figure comes from the new report by the staff of the United States Senate Committee on Homeland Security and Governmental Affairs titled “US Data Held Hostage: Case Studies of Ransomware Attacks on US Businesses.” It details the experiences of three companies responding to attacks by the Russian ransomware group REvil. The companies varied in size and industry, but their previously established incident response plans helped mitigate the damage caused by the attacks. However, the companies said they received little assistance from the federal government, underscoring the need for change at the federal level to better combat future attacks.

The report provides a comprehensive overview of the state of ransomware, but its three case studies of anonymous businesses responding to ransomware attacks provide the most up-to-date information. The companies ranged from a Fortune 500 company with over 100,000 employees to a technology company with around 50 employees. Each had an incident response plan and various cybersecurity measures in place that helped to mitigate the effects, but with varying levels of success. Offline backups were uniformly hailed as one of the best defenses the companies had in place to keep their businesses running while dealing with the attacks, but all of them recognized afterward that the attacks had uncovered gaps in their plans and security that they needed to fill.

One of the companies did not need government assistance to respond to the ransomware attack, but the other two reported little assistance from the government despite seeking its help. Unsurprisingly, the FBI continues to focus its efforts on its primary law enforcement mission of identifying bad actors and bringing them to justice, rather than proactively protecting and assisting corporate victims. The Committee made seven recommendations in its report based on its investigation, three of which called for government reform:

  1. The Cybersecurity and Infrastructure Security Agency (“CISA”) should share incident reports it receives with the FBI to enhance the FBI’s ability to investigate ransomware attacks and its ability to assist ransomware victims.
  2. The FBI should help ransomware victims protect their data and mitigate the damage caused by the attacks to establish its relationship with the private sector which, in turn, will provide the FBI with the information needed to hold bad actors accountable.
  3. Government agencies, including the FBI and CISA, should implement the Cyber Incident Reporting Act for Critical Infrastructure as soon as possible. It was passed on March 15 and requires “critical infrastructure” entities to report cyber incidents, including ransomware attacks, to CISA. The bill gives CISA 24 months to create proposed rules, including “a clear description of the types of entities that constitute covered entities,” and then another 18 months after publication to create a final rule. Earlier implementation would strengthen the government’s ability to combat and prevent cyberattacks.

The remaining four recommendations relate to steps companies can take to improve their cybersecurity: keeping cybersecurity best practices current; implementing a “zero trust network,” which assumes that the network of an organization has been hacked; preparing a cyber incident response plan and keeping it up to date; and maintaining offline backups and encrypted data.

This report reminds companies to consider their cybersecurity measures and identifies the steps to take in the event of an attack. We will continue to monitor and report on the Cyber Incident Reporting Act for Critical Infrastructure.