AMERICA’S DATA HELD HOSTAGE: CASE STUDIES IN RANSOMWARE ATTACKS ON AMERICAN COMPANIES
- May 5, 2022 1:38 pm GMT
This March 2022 report from the COMMITTEE ON HOMELAND SECURITY AND GOVERNMENTAL AFFAIRS provides insights into three actual ransomware incidents that affected US companies. The report contains findings and recommendations aimed at improving the government's response and coordination on reported cyber-attacks, and at improving the assistance the government gives victims. Here are a few key excerpts from the report:
REvil targeted entities of all sizes and sophistication. The three companies have little in common in terms of business model, purpose, or number of employees. Entity A is a global multi-sector Fortune 500 company with roughly 100,000 employees. Entity B is a global manufacturing company with several thousand employees. Entity C is a technology firm with only 50 employees.
Ransomware criminals often use phishing attacks to gain initial access. Cybercriminals gained access to Entity A's networks by compromising a known vulnerability on a legacy server of one of its vendors. Attackers then impersonated that vendor, and sent an unsuspecting Entity A employee an email attachment corrupted with ransomware. [This is a classic supply chain attack method that is very effective]
Findings of Fact
(1) All organizations, regardless of size and sophistication, are susceptible to ransomware attacks.
(2) Ransomware groups often use phishing attacks to gain initial access to victim networks.
(3) In past ransomware attacks, multifactor authentication, zero trust principles, and network segmentation helped prevent attackers from gaining or increasing access to sensitive data in a victim’s networks.
(4) Maintaining offline backups and a well-defined incident response plan helped victims resume critical operations quickly without paying a ransom, when attackers did get in.
Recommendations
(1) CISA should immediately share all incident reports received under the Cyber Incident Reporting for Critical Infrastructure Act with the FBI. The FBI and CISA should also strengthen their partnership to assist ransomware victims. Close coordination between these two entities will best position the FBI to investigate those responsible for ransomware attacks while also allowing CISA to provide the technical assistance victims need to recover.
(2) FBI should ensure it considers ransomware victim priorities like protecting data and mitigating damage. This will preserve FBI’s constructive working relationship with the private sector and provide it with the information necessary to hold attackers accountable.
(3) CISA and the National Cyber Director should work quickly with other appropriate agencies like FBI to implement recently enacted legislation requiring critical infrastructure owners and operators to report cyber incidents and ransomware payments to CISA. This legislation will enhance the Federal Government's ability to combat cyberattacks, mount a coordinated defense, hold perpetrators accountable, and prevent and mitigate future attacks through the sharing of timely and actionable threat information.
(4) Increase costs for attackers by eliminating low-hanging fruit. Organizations can increase the difficulty for ransomware criminals by patching vulnerabilities, implementing multi-factor authentication, maintaining accurate device and software inventories, and instituting complex password requirements. Adhering to these cyber best practices will increase the likelihood that attackers move on to less prepared targets.