But despite the heavy toll such incidents take on both the public and private sectors, government officials have only a limited understanding of ransomware attacks and of how cryptocurrencies are used to collect payments, according to a new report from the Senate Homeland Security and Governmental Affairs Committee.
“Cryptocurrencies — which allow criminals to quickly extort huge sums of money, be anonymized, and have not consistently enforced regulatory compliance, especially for attackers abroad — have further enabled cybercriminals to launch disruptive ransomware attacks that threaten our national and economic security,” Michigan Senator Gary Peters, the committee chairman, said in a statement. “My report shows that the federal government lacks the information necessary to deter and prevent these attacks, and to hold foreign adversaries and cybercriminals accountable for committing them.”
Part of the problem lies in reporting: the federal government has no standardized place for victims to log ransomware attacks, which typically encrypt data until a ransom is paid in cryptocurrency. Both the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have websites where victims can report incidents, and some people report attacks directly to their local FBI field offices, leaving victims unsure where to turn and different agencies holding records of different incidents. Financial regulators, including the Treasury Department’s Financial Crimes Enforcement Network, also collect some data on ransomware, particularly around payments, but it too is far from exhaustive. A new law approved by Congress in March, as part of a broad government funding bill, will soon require operators of “critical infrastructure” to report to CISA within 72 hours of becoming the victim of a “substantial cyber incident” and within 24 hours of paying a ransom, but the provision has not yet entered into force, pending regulatory decisions from CISA.
Right now, many incidents likely go unreported: according to the report, the FBI received 3,729 complaints with losses of more than $49.2 million in 2021, an increase from previous years, yet antimalware software vendor Emsisoft estimated 24,770 ransomware incidents in the US back in 2019, with total costs of just under $10 billion. And a report from blockchain data analytics firm Chainalysis estimated that at least $692 million worth of cryptocurrency was paid as ransom in 2020 alone.
The lack of data hinders officials’ ability to understand who the victims are, who is behind ransomware attacks, and what can be done to help victims and stop future attacks, the Senate report said.
“Aggregated and anonymized data from increased incident reporting could help inform policies regarding potential federal assistance for overburdened ransomware victims,” the report reads. “More reporting could also shed light on the specific burdens that small and medium-sized businesses face, such as the inability to access expensive prevention methods and the drastic economic consequences of these attacks.”
The report calls on the Biden administration to swiftly implement regulations for the new law requiring critical infrastructure reporting. It also suggests that agencies standardize how they track ransomware attacks and ransom payments. And according to the report, Congress should take action to facilitate the sharing of ransomware information between agencies and with private sector companies and academic researchers who already conduct their own research.
“The continued flow of ransom payments has encouraged illegal actors and contributed to a growing threat to businesses, the public and national security,” the report reads. “The lack of comprehensive data on these attacks prevents the US government from getting a full picture of cyber threats.”