A new report prepared by the top Republican on a Senate Homeland Security panel says any organization is at risk of ransomware attacks and that federal agencies need to be more coordinated in responding to these incidents to better help the victims, gain broader visibility into the attack landscape, and ensure a cohesive response to the attackers.
The report outlines case studies of ransomware attacks committed by the Russian-based REvil group against three U.S. companies: a large Fortune 500 company, a medium-sized global manufacturing company, and a small business.
In the cases of the large and medium-sized companies, the victims reported the incidents to the FBI but did not interact with either the Department of Homeland Security or its Cybersecurity and Infrastructure Security Agency, says the report, which was prepared by the committee staff of Rob Portman (Ohio), the ranking member on the Homeland Security and Governmental Affairs Committee.
The large business, Entity A, told Portman’s staff that the FBI was focused on investigating who committed the attack but was “unhelpful” with how the company should respond and secure its network.
“For example, the FBI offered their hostage negotiator who appeared to have little expertise in responding to ransomware attacks,” says the 51-page report that was released on Thursday.
The report says that for Entity B, the manufacturing company, the FBI also didn’t have a “playbook” to help with the response, although the bureau did provide contacts to help the company respond.
Recommendations in the report include that the FBI should be mindful of ransomware victims’ need to protect their data and minimize damage, which would improve its relationship with the victim. It also says that once CISA receives notice of a cybersecurity incident it should share that information with the FBI.
“Close coordination between these two entities will best position the FBI to investigate those responsible for ransomware attacks while also allowing CISA to provide the technical assistance victims need to recover,” the report says.
To avoid potential retaliation, the companies are kept anonymous in the report and the exact timelines of the attacks were not disclosed, although an aide to the Homeland Security and Governmental Affairs Committee told reporters during a background briefing on Tuesday that the incidents “aren’t super old” and occurred within the last five years.
“As it stands today, I think the coordination between CISA and the FBI has improved and gotten better,” the aide said.
After realizing it had been attacked, the small company, which appears to be a federal contractor, notified its customers of the incident, who in turn notified the FBI, the report says. In the end, the company decided to conduct its own response but found its contracting agencies helpful, the report says.
However, the report says, “Entity C found the Federal Government’s response teams were caught off guard by the idea that a group or entity would launch attacks like this on such a large scale in such a small time frame.”
Another recommendation of the report is for CISA and the White House National Cyber Director to work with the FBI and other agencies to quickly implement a new law requiring critical infrastructure entities to report cyber incidents and ransomware to CISA.
“This legislation will enhance the Federal Government’s ability to combat cyberattacks, mount a coordinated defense, hold perpetrators accountable, and prevent and mitigate future attacks through the sharing of timely and actionable threat information,” the report says.
A key finding of the investigation is that in all three cases the companies had incident response plans in place that helped limit the damage to their networks and data. Having these plans meant a relatively quick restart to routine business operations and not having to pay ransoms.
“This proactive measure allowed each entity to take remedial action, onboard third-party experts, and in the case of Entity B cut off the attacker’s access before they encrypted its networks with ransomware,” the report says.