Senate report examines REvil ransomware attacks on US firms
The Senate Committee on Homeland Security and Governmental Affairs (HSGAC) released a ransomware report early Tuesday examining the responses of three unnamed U.S. companies that were the targets of cyberattacks carried out by the Russia-based ransomware group REvil.

The report follows warnings from several senior government officials — including President Biden himself — that Russian hackers might release a wave of attacks that could impact American companies and critical infrastructure. “Today, my Administration is reiterating those warnings based on evolving intelligence that the Russian Government is exploring options for potential cyberattacks,” President Biden said in a statement Monday.

Government officials have been quick to call on leaders in the private sector to improve incident response plans and harden cyber defenses, but the HSGAC report points to systemic flaws in both the private sector and the federal government.

Lead investigator Pat Warren discussed the report in a press briefing Wednesday, frequently referring to the Cyber Incident Reporting Act that Sen. Rob Portman (R-OH) introduced last September. “Until we get Senator Portman’s legislation implemented, there is no coordinated defense because only those companies know that they’re being attacked,” Warren said.

Ransomware attacks have skyrocketed in recent years, with the U.S. the most heavily targeted country. According to the report, there were 421.5 million ransomware attempts against U.S. organizations in 2021.

Three cyberattacks examined

HSGAC’s case study examined three unnamed companies, all of which were attacked by REvil but which varied in size, business model, and industry. “We don’t want to risk these victims being retaliated against by ransomware criminals. So we didn’t think that it was necessary to reveal their identity,” Warren said, adding that the attacks all occurred in the last five years.

An REvil message to Entity B. Image: HSGAC

“Entity A” was the largest company examined in the report, a global multi-sector Fortune 500 company with approximately 100,000 employees. “Entity B,” a global manufacturing firm, fell into the mid-range category with a few thousand employees. “Entity C” was a smaller technology company with around 50 employees.

In each case, REvil successfully infiltrated the company’s network and encrypted its systems. All three firms had incident response plans in place and notified the federal government. None of them paid the ransom.

Entities A and B were highly critical of the FBI’s response to the attacks. “Entity A found the FBI to be unhelpful throughout the process,” the report states. “Entity A indicated the FBI prioritized investigating those responsible for the attack over helping Entity A respond and secure its network.”

Furthermore, Entity A said the hostage negotiator had “little expertise,” and that it had no interaction with the Department of Homeland Security or its Cybersecurity and Infrastructure Security Agency (CISA). Entity B also reported no interaction with CISA and said “there was no ‘here’s a playbook’ discussions with the FBI regarding how to best respond.” Entity C chose to handle the incident internally, although it did notify the FBI.

“CISA was not involved with those particular incidents, which is one of the reasons the Cyber Incident Reporting legislation is so important. I think the benefit that CISA can have in that space is helping ransomware victims recover,” Warren said. “As it stands today, I think the coordination between CISA and the FBI has improved and gotten better.”

The report concludes by recommending that both the private sector and the federal government learn from the shortcomings it documents: organizations should maintain offline backups and encrypt sensitive data, while CISA and the National Cyber Director should work more cohesively with the FBI.

REvil message to Entity B. Image: HSGAC

The post Senate report examines REvil ransomware attacks on US firms appeared first on The Record by Recorded Future.