WASHINGTON, DC – Today, U.S. Senator Rob Portman (R-OH), the Ranking Member of the Senate Homeland Security and Governmental Affairs Committee, published a new report entitled America’s Data Held Hostage: Case Studies in Ransomware Attacks on American Companies. The report documents the experiences of three victims targeted by the REvil ransomware gang and shows how difficult it is for all organizations to account for all vulnerabilities and defend against sophisticated cyber adversaries. It also demonstrates the need for enhanced visibility into cyberattacks against the United States to effectively respond and warn potential victims. In addition, the report has background information on Russian cyber aggression, including attacks against Ukraine.
The entities profiled in the report are from different business sectors and vary significantly in size, revenue, and IT resources. Despite these differences, all three fell victim to REvil. This underscores the broad threat ransomware presents and the proactive steps all organizations must take to implement cyber best practices.
“Ransomware attacks, like the one on Colonial Pipeline or JBS Foods, are a painful reminder that these incidents have real-world consequences,” said Senator Portman. “This report shows that all organizations, no matter the size or financial resources, can fall victim to sophisticated cyber adversaries. It also shows how organizations can take proactive steps to secure their networks against the most damaging impacts of ransomware attacks. The Biden administration should work quickly to implement my recently enacted bipartisan Cyber Incident Reporting Act. This law will help prevent future cyberattacks by facilitating increased information sharing and enhancing the federal government’s cyber defense and investigative capabilities.”
The report’s key findings include:
- All organizations, regardless of size and sophistication, are susceptible to ransomware attacks.
- Ransomware gangs often use phishing attacks to gain initial access to victim networks.
- In past ransomware attacks, multifactor authentication, zero trust principles, and network segmentation helped prevent attackers from gaining access to more sensitive data in a victim’s network.
- When attackers did get in, maintaining offline backups and a well-defined incident response plan helped victims resume critical operations quickly without paying a ransom.
- The laws and regulations at the time discouraged victims from sharing information with other potential victims that could prevent future ransomware attacks.
- In two cases reviewed in the report, the Federal Bureau of Investigation prioritized its investigative and prosecutorial efforts to disrupt attacker operations over victims’ need to protect data and mitigate damage.
- Until recently, there was no Federal agency charged with collecting and tracking reports of cyber incidents to prevent and mitigate future attacks.
- REvil monetized access to victim networks and sold that access to other REvil affiliates.
- Before encrypting victim organization networks, REvil used double extortion methods to first steal sensitive data from victims and then publish that data on REvil’s public blog.
- REvil harassed victim company employees via email and telephone in an attempt to coerce ransom payments.
The report makes the following recommendations:
- CISA should immediately share all incident reports received under the Cyber Incident Reporting for Critical Infrastructure Act with the FBI. The FBI and CISA should also strengthen their partnership to assist ransomware victims. Close coordination between these two entities will best position the FBI to investigate those responsible for ransomware attacks while also allowing CISA to provide the technical assistance victims need to recover.
- The FBI should ensure it considers ransomware victim priorities like protecting data and mitigating damage. This will preserve the FBI’s constructive working relationship with the private sector and provide it with the information necessary to hold attackers accountable.
- CISA and the National Cyber Director should work quickly with other appropriate agencies like FBI to implement recently enacted legislation requiring critical infrastructure owners and operators to report cyber incidents and ransomware payments to CISA. This legislation will enhance the Federal Government’s ability to combat cyberattacks, mount a coordinated defense, hold perpetrators accountable, and prevent and mitigate future attacks through the sharing of timely and actionable threat information.
- Increase costs for attackers by eliminating low-hanging fruit. Organizations can increase the difficulty for ransomware criminals by patching vulnerabilities, implementing multi-factor authentication, maintaining accurate device and software inventories, and instituting complex password requirements. Adhering to these cyber best practices will increase the likelihood that attackers move on to less prepared targets.
- Organizations should implement a defensive posture that assumes the organization has been breached. Sophisticated cyber adversaries with near-unlimited resources can compromise most networks if given enough time. Employing zero-trust networking (continuous authentication and monitoring) with need-to-know access privileges will give organizations critical time to detect attackers and cut off their access before they exfiltrate or encrypt sensitive data. Flat networks and enterprise-wide shared drives give users more access than they need, allowing hackers to do more damage if they compromise one of those accounts.
- Have a cyber incident response plan in place before an attack occurs. When a cyber incident inevitably takes place, organizations should know in advance who needs to be notified and when. Incident response plans should detail explicit processes for notifying the government and retaining an incident response provider. Entities should also determine which systems are most critical to their operations and how long those systems can be offline before business operations suffer significant impacts. Critical infrastructure owners and operators should go a step further and determine how long systems can be offline before there are regional or national effects.
- Maintain offline backups and encrypt sensitive data when stored and in transit. These two solutions can help mitigate the otherwise debilitating impact of ransomware attacks. With offline backups, organizations can reconstitute impacted systems without having to pay a ransom for the decryption key. Encrypting sensitive data addresses the second half of double extortion attacks because the data is unreadable. Together, offline backups and encryption of sensitive data are the most effective ways to mitigate the damage and cost associated with a successful ransomware attack.
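The two controls in the last recommendation can be shown concretely. The Go program below is an added illustration, not code from the report or from any of the profiled companies: it stores a constructed sample record under AES-256-GCM so that an exfiltrated copy is unreadable without the key (the data-theft half of double extortion), and it models an offline backup as a set of file copies plus a SHA-256 manifest, so a restore is refused if the backup itself was altered. The record contents, file names, and the in-memory "backup" are all constructed for the example; a real deployment would keep the key in a KMS or HSM, separate from the data, and keep the backup media physically or logically disconnected.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// SampleRecord is a constructed stand-in for the sensitive data double extortion targets.
var SampleRecord = []byte("customer=ExampleCo; account=0000-SAMPLE; balance=12345")

// NewKey returns a random 256-bit key. In production the key lives in a KMS or HSM,
// never on the same systems as the data it protects.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	_, err := rand.Read(key)
	return key, err
}

// EncryptAtRest seals plaintext with AES-256-GCM; output is nonce || ciphertext || tag.
func EncryptAtRest(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// DecryptAtRest reverses EncryptAtRest; a wrong key or any modified byte fails authentication.
func DecryptAtRest(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed blob too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

// Backup holds copies of files plus a manifest of SHA-256 digests taken at backup time,
// so a restore can detect a backup that was altered after it was written.
type Backup struct {
	Files    map[string][]byte
	Manifest map[string]string
}

// TakeBackup copies the live files and records their digests.
func TakeBackup(live map[string][]byte) Backup {
	b := Backup{Files: map[string][]byte{}, Manifest: map[string]string{}}
	for name, data := range live {
		copyData := append([]byte(nil), data...)
		sum := sha256.Sum256(copyData)
		b.Files[name] = copyData
		b.Manifest[name] = hex.EncodeToString(sum[:])
	}
	return b
}

// VerifyAndRestore returns the backed-up files only if every digest still matches.
func VerifyAndRestore(b Backup) (map[string][]byte, error) {
	restored := map[string][]byte{}
	for name, want := range b.Manifest {
		data, ok := b.Files[name]
		if !ok {
			return nil, fmt.Errorf("backup missing %q", name)
		}
		sum := sha256.Sum256(data)
		if got := hex.EncodeToString(sum[:]); got != want {
			return nil, fmt.Errorf("digest mismatch for %q", name)
		}
		restored[name] = append([]byte(nil), data...)
	}
	return restored, nil
}

func main() {
	key, _ := NewKey()
	sealed, _ := EncryptAtRest(key, SampleRecord)
	fmt.Printf("stored form (what a stolen copy looks like): %x...\n", sealed[:16])

	live := map[string][]byte{"records.db": sealed}
	backup := TakeBackup(live)
	live["records.db"] = []byte("overwritten by ransomware") // simulated impact on the live copy
	restored, err := VerifyAndRestore(backup)
	if err != nil {
		fmt.Println("restore refused:", err)
		return
	}
	plain, _ := DecryptAtRest(key, restored["records.db"])
	fmt.Println("restored and decrypted:", string(plain))
}
```

Two design points matter here. GCM is an authenticated mode, so a stolen ciphertext cannot be read or silently modified without the key, which is why encryption at rest removes the leverage of publishing stolen data. The manifest check is what makes a backup trustworthy at restore time: without it, an attacker who reached the backup store could corrupt or encrypt copies that are only discovered to be useless during recovery.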