The Federal Bureau of Investigation and the Cybersecurity and Infrastructure Security Agency should more closely coordinate to better assist victims of ransomware attacks, according to a report from Sen.
Close coordination would let the FBI investigate hackers responsible for ransomware attacks while allowing CISA to provide the technical assistance hack victims need to recover, the report said. Ransomware is a form of cyberattack where hackers lock up a victim’s data and demand payment in exchange for restoring access.
Such attacks are on the rise as hackers build a business model around demanding oftentimes expensive ransomware payments.
The report urged the federal government to quickly implement recently enacted legislation that requires owners and operators of critical infrastructure such as water utilities to promptly report cyber incidents and ransomware payments to CISA. The agency, part of the Department of Homeland Security, is set to become a hub for sharing threat data and tracking ransomware. CISA should share cyber incident reports with the FBI, Portman’s report said.
Portman of Ohio, the highest-ranking Republican on the Senate Homeland Security and Governmental Affairs Committee, co-sponsored a bipartisan legislative package (S. 3600) that included the cyber incident reporting directive.
“This law will help prevent future cyberattacks by facilitating increased information sharing and enhance the federal government’s cyber defense and investigative capabilities,” Portman said in a statement.
His staff report was based on the experiences of three U.S. companies of varying sizes and sectors that were targeted by hackers from REvil, short for Ransomware-Evil. Several alleged REvil members have been arrested in the wake of their attacks.
The companies’ names and other details like the timing of cyberattacks weren’t included in the report to protect the victims from the risk of retaliation by hackers, according to a committee aide.
Some of the unidentified companies in the report criticized the FBI for prioritizing its investigative work over helping ransomware victims respond to an incident.
The report cited as an example a ransomware attack against software provider Kaseya. REvil, which claimed credit for the attack, had demanded $70 million for a key to unlock impacted networks. The FBI reportedly obtained a decryption key but didn’t share it with victims of the Kaseya attack for several weeks while the agency planned an attempt to disrupt REvil’s criminal activity, according to Portman’s report.
The report calls on the FBI to consider ransomware victims’ priorities in responding to an attack, like protecting data and mitigating damage, to preserve its “constructive working relationship with the private sector” and provide the agency “with the information necessary to hold attackers accountable.”