Senators Carper, Johnson Seek Information on Threat of ‘Ransomware’ to Our Nation’s Cyber Defenses and to the American Public

WASHINGTON – In response to the recent growth of cyber-attacks using a type of malicious computer virus known as “ransomware,” Homeland Security and Governmental Affairs Committee Ranking Member Tom Carper (D-Del.) and Chairman Ron Johnson (R-Wis.) sent letters to Attorney General Loretta Lynch and Department of Homeland Security Secretary Jeh Johnson asking for more information about efforts to address the growing threat posed by this new tool used by online criminals.

Ransomware attacks are targeted at a wide range of victims, including individual consumers. After infiltrating a person’s computer, the ransomware virus encrypts a user’s files until a ransom is paid, usually through difficult-to-track online payment methods. Infected users face the difficult choice of paying the ransom or losing their files forever. State and local government networks have also been targeted by ransomware attacks.

“Cyber-attacks remain one of our nation’s biggest security challenges. As the frequency and severity of cyber-attacks continue to increase, Congress has a responsibility to continue to strengthen our nation’s cybersecurity and encourage Americans to protect themselves online,” the Senators said. “Only by staying a step ahead of the threat can we ensure the security of our citizens. While much attention is paid to what must be done to bolster the cyber defenses at federal agencies and large businesses, all of us are vulnerable to online scams and emerging dangers like the malicious computer virus known as ‘ransomware.’”

The text of both letters is below, and PDFs can be found here and here.

Dear Madam Attorney General:

The threat posed by cyber-attacks remains one of our nation’s biggest security challenges. As the frequency and severity of cyber-attacks continue to increase, Congress has a responsibility to continue to strengthen our nation’s cybersecurity. To address this evolving 21st century threat with a 21st century response, we must equip the federal government with the authorities and resources it needs. Only by staying a step ahead of the threat can we ensure the security of our citizens.

While much must be done to bolster the cyber defenses of our federal agencies, a far larger group, including individual consumers, faces a growing threat from a malicious computer virus known as “ransomware.” After infiltrating a person’s computer, the virus encrypts a user’s files until a ransom is paid, usually in the form of Bitcoin or other difficult-to-track cryptocurrency. Infected users face the difficult choice of paying the ransom or losing their files forever. The Department of Justice (DOJ) and the Federal Bureau of Investigation (FBI) estimate that in less than eight months more than 234,000 computers were infected with a specific type of ransomware named “CryptoLocker.” While only about 1.3 percent of victims paid the ransom, the virus has enabled the extortion of approximately $27 million from infected users in two months.

In June 2014, the DOJ, with the assistance of the Department of Homeland Security’s (DHS) National Cybersecurity and Communications Integration Center, scored a major victory against ransomware when it announced that U.S. and foreign law enforcement officials successfully disrupted a large network of CryptoLocker-infected computers and seized CryptoLocker’s command-and-control servers. Possession of these servers allowed the development of a decryption tool that enabled CryptoLocker victims to unlock their infected machines.

However, within a month of this disruption, the FBI’s Internet Crime Complaint Center, a partnership between the FBI and the National White Collar Crime Center, identified a copycat virus named “CryptoWall.” Between April 2014 and June 2015, the IC3 received 992 CryptoWall-related complaints, with victims reporting losses totaling over $18 million.

To understand more about the DOJ’s efforts to address the growing threat of ransomware, we ask that you please provide the following information and materials:

  1. Since 2005, how many victims of ransomware-related crimes have reported complaints to the Internet Crime Complaint Center? What is the total amount of losses reported from ransomware victims? In addition to the Center’s complaint website, does DOJ or FBI use additional resources to track the number of ransomware victims?
  2. Soon after its disruption, CryptoLocker was quickly replaced by similar ransomware programs, like CryptoWall and CryptoDefense. As of December 1, 2015, how many active ransomware-type viruses is the DOJ or FBI tracking?
  3. Both DOJ and DHS, including the United States Computer Emergency Readiness Team (US-CERT) and the United States Secret Service, distribute cyber vulnerability and threat information to individuals, industry, and other stakeholders. How does the FBI share data about ransomware and other cyber threats with DHS? Please describe any joint efforts between DOJ, FBI, and DHS to disseminate cyber threat information.
  4. Does the FBI coordinate with the Federal Trade Commission (FTC) to educate the public about how to mitigate the threat of ransomware? If so, please describe any joint efforts with the FTC.
  5. In testimony before the Senate Committee on Banking, Housing, and Urban Affairs last year, officials from the FBI indicated that that agency’s techniques must evolve to keep pace with increasingly sophisticated botnets. What techniques is DOJ using now to combat botnets, how are those becoming less effective, and what new techniques is DOJ considering to improve its ability to combat botnets in the future?
  6. Despite the successful disruption of CryptoLocker in May 2014, the ransomware scheme’s architect, Evgeniy Mikhaylovich Bogachev, remains at large in Russia. Please describe the challenges of capturing and bringing to justice suspected criminals operating internationally, including in the Russian Federation and other nations.
  7. The disruption of CryptoLocker required coordination between DOJ, DHS, and over a dozen international law enforcement and government entities. How can this coordination be improved? Describe the impediments, if any, to further international law enforcement coordination.
  8. Recent news reports suggest ransomware attackers are also targeting public safety and law enforcement agencies. Have federal, state, or local governments sought DOJ or FBI’s help to remove ransomware from their computers? If so, please describe the nature of any assistance sought, whether agencies have paid ransoms to remove ransomware, and whether DOJ or the FBI was able to decrypt the computer systems.
  9. Do DOJ or its agencies operate or utilize any technology that is or can be leveraged to identify ransomware or ransomware attackers’ command and control servers outside of DOJ? For example, do DOJ or its agencies operate any signature-based detection, stateful packet inspection, or deep packet inspection technologies across one or more networks outside of DOJ? If so, please describe those technologies, their capabilities and limitations, and their current and planned applications.

The text of the letter to DHS is below: 

Dear Mr. Secretary:

The threat posed by cyber-attacks remains one of our nation’s biggest security challenges. As the frequency and severity of cyber-attacks continue to increase, Congress has a responsibility to continue to strengthen our nation’s cybersecurity. To address this evolving 21st century threat with a 21st century response, we must equip the federal government with the authorities and resources it needs. Only by staying a step ahead of the threat can we ensure the security of our citizens.

While much must be done to bolster the cyber defenses of our federal agencies, a far larger group, including individual consumers, faces a growing threat from a malicious computer virus known as “ransomware.” After infiltrating a person’s computer, the virus encrypts a user’s files until a ransom is paid, usually in the form of Bitcoin or other difficult-to-track cryptocurrency. Infected users face the difficult choice of paying the ransom or losing their files forever. The Department of Justice (DOJ) and the Federal Bureau of Investigation (FBI) estimate that in less than eight months more than 234,000 computers were infected with a specific type of ransomware named “CryptoLocker.” While only about 1.3 percent of victims paid the ransom, the virus has enabled the extortion of approximately $27 million from infected users in two months.

In June 2014, the U.S. Department of Justice (DOJ), with the assistance of other law enforcement agencies and the Department of Homeland Security’s (DHS) National Cybersecurity and Communications Integration Center, scored a major victory against ransomware when it announced that U.S. and foreign law enforcement officials successfully disrupted a large network of CryptoLocker-infected computers and seized CryptoLocker’s command-and-control servers. Possession of these servers allowed the development of a decryption tool that enabled victims to unlock their infected machines.

However, within a month of this disruption, the FBI’s Internet Crime Complaint Center, a partnership between the FBI and the National White Collar Crime Center, identified a copycat virus named “CryptoWall.” Between April 2014 and June 2015, the IC3 received 992 CryptoWall-related complaints, with victims reporting losses totaling over $18 million.

To understand more about the DHS’s efforts to address the growing threat of ransomware, we ask that you please provide the following information and materials:

  1. Since 2005, how many victims of ransomware-related crimes have reported to DHS? Does DHS track the total amount of losses reported from ransomware victims?
  2. Soon after its disruption, CryptoLocker was quickly replaced by similar ransomware programs, like CryptoWall and CryptoDefense. As of December 1, 2015, how many active ransomware-type viruses is DHS tracking?
  3. DHS, including the United States Computer Emergency Readiness Team (US-CERT) and the United States Secret Service, distributes cyber vulnerability and threat information to individuals, industry, and other stakeholders. Please describe any joint efforts between DHS, DOJ, and FBI to disseminate cyber threat information.
  4. Does DHS coordinate with the Federal Trade Commission (FTC) to educate the public about how to mitigate the threat of ransomware? If so, please describe any joint efforts with the FTC.
  5. In testimony before the Senate Committee on Banking, Housing, and Urban Affairs last year, officials from the FBI indicated that agencies’ techniques must evolve to keep pace with increasingly sophisticated botnets that can be used to disseminate viruses like ransomware. What techniques is DHS using now to combat botnets, how are those becoming less effective, and what new techniques is DHS considering to improve its ability to combat botnets in the future?
  6. The disruption of CryptoLocker required coordination between DOJ, DHS, and over a dozen international law enforcement and government entities. How can this coordination be improved? Describe the impediments, if any, to further international law enforcement coordination.
  7. Recent news reports suggest ransomware attackers are also targeting public safety and law enforcement agencies. Have state and local governments sought DHS’s help to remove ransomware from their computers? If so, please describe the nature of any assistance sought and whether DHS was able to decrypt the computer systems.
  8. Over the past 12 months, how many instances of ransomware has DHS been made aware of in federal agencies’ computers? In which agencies and on what systems was the ransomware located and what was the result? Is DHS aware of instances in which federal agencies have paid ransoms to remove ransomware?
  9. How are DHS’s EINSTEIN, ALBERT, and Enhanced Cybersecurity Services intrusion detection and prevention systems leveraged to reduce the instances of ransomware on computers at federal agencies, state and local agencies, and critical infrastructure? How can that be improved?