Since 2005 the Department of Justice has received nearly 8,000 complaints of hijacked computer systems totaling more than $57 million in ransom and other related costs, the department said in a response to questions from chairman and ranking member of the Senate Homeland Security and Governmental Affairs Committee.
The Justice Department said in a March 4 letter to Sen. Tom Carper (D-Del.), the ranking member on the committee, that in the past 11 years its Internet Crime Complaint Center has had 7,694 ransomware complaints totaling $57.6 million, with ransom fees usually between $200 and $10,000.
Beyond the quantifiable costs, “victims sometimes will put a price on the data that was encrypted due to its perceived importance, making it difficult to determine the actual cost to victims associated with a ransomware incident,” Peter Kadzik, assistant attorney general, said in the letter.
Ransomware is malware used by cyber criminals to essentially lock out the users of a network until they agree to pay a fee to unlock their computers. The Department of Homeland Security, responding to the same letter from Carper and Committee Chairman Ron Johnson (R-Wis.), said between June 2015 and Jan. 2016 its National Cybersecurity and Communications Integration Center received 337 ransomware-related reports, with 321 related to networks of 29 federal agencies.
DHS said that in cases where federal computer systems were confirmed to be infected with ransomware, most were in end-user workstations and “In all cases, the system was removed from the network and replaced with a new, clean system with minimal impact to the user and agency.”
DHS in its response, which is dated January 2016 and is unsigned, said that due to recent system upgrades it currently doesn’t have data on ransomware attacks before June 2015 and does not track financial costs related to the malware.
The DHS and DoJ letters were released by Carper on Wednesday.
On Monday MedStar Health Inc.’s computer systems supporting its chain of hospitals and other care facilities in the mid-Atlantic region were essentially shut down due to what the Washington Post reports may be a ransomware attack, although the healthcare provider has denied that. MedStar on Wednesday morning said that some of its computer systems are coming back online.
In their Dec. 3, 2015 letters to DHS and the DoJ, Carper and Johnson said that “While much must be done to bolster the cyber defenses of our federal agencies, a far larger group, including individual consumers, faces a growing threat from a malicious computer virus known as ‘ransomware.’” They point out that “Infected users face the difficult choice of paying ransom or losing their files forever.”
Carper and Johnson said that the FBI estimated that in less than eight months a ransomware named CryptoLocker infected more than 234,000 computers.
DHS also said in its response to the senators that its EINSTEIN cyber threat intrusion detection and prevention system can detect types of malware such as ransomware if the threat indicators are known.
The DoJ’s Kadzik said that tabulating an exact number of ransomware victims is difficult because some may not report the crime at all and others might report it to their local police department.