A new Senate report finds the government is unprepared to stop ransomware attacks

Yet, despite the heavy toll such incidents have on both the public and private sectors, government officials have only a limited understanding of ransomware attacks and how cryptocurrencies are being used to collect payment, according to a new report from the Senate Homeland Security and Governmental Affairs Committee.

“Cryptocurrencies—which allow criminals to quickly extort huge sums of money, can be anonymized, and do not have consistently enforced compliance with regulations, especially for foreign-based attackers—have further enabled cybercriminals to commit disruptive ransomware attacks that threaten our national and economic security,” said Michigan Senator Gary Peters, the committee’s chair, in a statement. “My report shows that the federal government lacks the necessary information to deter and prevent these attacks, and to hold foreign adversaries and cybercriminals accountable for perpetrating them.”

Part of the issue is in reporting: The federal government doesn’t have a standardized place for victims to log ransomware attacks, which typically encrypt data until a ransom is paid in cryptocurrency. Both the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have websites where victims can report incidents, and some people report the attacks directly to their local FBI field offices—all of which can leave people unsure of where to turn and lead to different agencies having records of different incidents. Financial regulators, including the Treasury Department’s Financial Crimes Enforcement Network, also gather some data on ransomware, particularly around payments, but it’s also far from comprehensive. A new law passed by Congress in March, as part of a broad government funding bill, will soon require operators of “critical infrastructure” to report to CISA within 72 hours when they’ve been the victims of a “substantial cyber incident,” and within 24 hours of paying a ransom, but the provision hasn’t yet gone into effect, pending regulatory decisions by CISA.

As of now, many incidents likely go unreported: According to the report, the FBI received 3,729 complaints in 2021 with losses of more than $49.2 million, up from previous years, but anti-malware software provider Emsisoft estimated 24,770 ransomware incidents in the U.S. back in 2019, with total costs just under $10 billion. And a report from blockchain data analytics company Chainalysis estimated at least $692 million in cryptocurrency paid in ransom alone in 2020.

The lack of data hampers officials’ ability to understand who’s being victimized, who’s behind ransomware attacks, and what can be done to aid victims and stop future attacks, according to the Senate report.

“Aggregated and anonymized data from increased incident reporting could help inform policies regarding potential federal assistance for excessively burdened ransomware victims,” the report reads. “Increased reporting may also shed light on the specific burdens faced by small- and medium-size businesses, such as inability to access high cost prevention methods and the drastic economic consequences of these attacks.”

The report calls on the Biden administration to quickly implement regulations around the new law requiring reports around critical infrastructure. It also suggested that agencies standardize how they track ransomware attacks and ransoms paid. And, according to the report, Congress should take action to facilitate sharing ransomware info between agencies and with private sector companies and academic researchers that are already doing their own research.

“The continuing flow of ransom payments has encouraged illicit actors and contributed to a growing threat to businesses, the public, and to national security,” the report reads. “The lack of comprehensive data on these attacks prevents the U.S. government from developing a full picture of cyber threats.”