Ransomware attacks have become headline news in the mainstream media, and a hot topic not only on this blog but in government circles. And with good reason: the United States suffered a staggering 421.5 million ransomware attempts last year alone, a 98% increase from 2020. This figure comes from the United States Senate Committee on Homeland Security and Governmental Affairs’ new staff report titled “America’s Data Held Hostage: Case Studies in Ransomware Attacks on American Companies.” It details three companies’ experiences responding to attacks by the Russia-based ransomware group REvil. The companies varied in size and industry, but the incident response plans they had previously established helped mitigate the damage from the attacks. However, the companies reported receiving little assistance from the Federal Government, highlighting the need for change at the federal level to better combat future attacks.
The report provides a comprehensive overview of ransomware’s state of play, but its three case studies of anonymous companies’ reactions to ransomware attacks provide the freshest insight. The companies ranged from a Fortune 500 company with over 100,000 employees to a technology firm with approximately 50 employees. Each had an incident response plan and various cybersecurity measures in place that helped mitigate the effects, but with different levels of success. Offline backups were uniformly hailed as one of the best defense measures each had in place to keep the company running while addressing the attacks, but all three acknowledged at the attacks’ conclusions that they needed to address gaps in their plans and security that the attacks had uncovered.
One of the companies did not need the government’s help responding to the ransomware attack, but the other two reported little help from the government despite seeking its assistance. Not surprisingly, the FBI continues to focus its efforts on its core law enforcement mission of identifying the bad actors and bringing them to justice, rather than proactively protecting and assisting victim companies. The Committee made seven recommendations in its report based on its investigation, three of which called for reform in the government:
- The Cybersecurity and Infrastructure Security Agency (“CISA”) should share the incident reports it receives with the FBI to strengthen the FBI’s ability to investigate ransomware attacks and both of their abilities to assist ransomware victims.
- The FBI should help ransomware victims protect their data and mitigate damage from attacks in order to build its relationship with the private sector, which will in turn provide the FBI with the information necessary to hold bad actors responsible.
- Government agencies, including the FBI and CISA, should implement the Cyber Incident Reporting for Critical Infrastructure Act as soon as they can. The Act was passed on March 15 and requires “critical infrastructure” entities to report cyber incidents, including ransomware attacks, to CISA. It allows CISA 24 months to create proposed rules, including “clear description[s] of the types of entities that constitute covered entities,” and then another 18 months after publication to create a final rule. Earlier implementation would enhance the government’s ability to combat and prevent cyberattacks.
The remaining four recommendations concern measures companies can take to improve their cybersecurity, such as maintaining up-to-date cyber best practices, implementing “zero trust networking” that assumes an organization’s network has been breached, preparing a cyber incident response plan and keeping it up to date, and maintaining offline backups and encrypted data.
This report provides a potent reminder for companies to take stock of their cybersecurity measures, and it identifies steps to take in the event of an attack. We will continue to monitor and report on the Cyber Incident Reporting for Critical Infrastructure Act.