Although many business organizations have been hit by ransomware attacks lately, a new report shows that government agencies, targeted numerous times this year, have paid no ransoms at all.
At the same time, the FBI has issued new guidance and an alert warning of the growing risks posed by ransomware.
The Department of Homeland Security revealed that between June and December, about 29 federal agencies were targeted with ransomware.
The Delaware Democrat Tom Carper, who serves as the ranking member of the Senate Homeland Security and Governmental Affairs Committee, had requested information about the government’s ransomware defenses as part of the panel’s oversight of government IT security.
Not all of the incidents resulted in ransomware infections. Of those that did, most affected end-user workstations. For these cases, DHS reports that, “the system was removed from the network and replaced with a new, clean system with minimal impact to the user and agency.”
Also, DHS informed Carper that it “is not aware of any instances in which federal agencies paid a malicious actor to remove ransomware from a government computer.”
According to Carper, the response from DHS, as well as one from the Justice Department, “are a first step toward understanding the problem so we can make informed policy decisions about these unique threats.”
Apart from the federal agencies, state and local governments are also being targeted. The Multi-State Information Sharing and Analysis Center (MS-ISAC) told DHS that its associated Computer Emergency Response Team identified and addressed 40 incidents related to ransomware-associated activity on state, local, tribal and territorial governments’ systems. DHS did not characterize the success or failure of those ransomware attempts; however, it stated that MS-ISAC did not request special assistance from NCCIC to address these incidents in 2015.
The ransomware attacks on government agencies come at a time of increasing reported ransomware attacks across many U.S. business sectors and around the world.
The healthcare sector has been hit especially hard. Only this week, the Washington, D.C.-area, 10-hospital system MedStar Health shut down many of its systems to stop the spread of apparent ransomware. Other recent ransomware attacks have targeted hospitals in California, Kentucky and Ontario.
According to Assistant Attorney General Peter Kadzik, the FBI’s Internet Crime Complaint Center received 7,694 ransomware complaints in 2015, with losses from these attacks costing victims an estimated $57.6 million.
Carper noted testimony before the Senate suggesting that the government’s anti-malware defenses need to evolve in order to keep pace with the increasingly sophisticated botnets used to disseminate malware, including ransomware. The senator asked DHS what techniques it uses to combat botnets.
“To protect federal agencies against ransomware-type botnets, NCCIC leverages the Einstein 3 Accelerated system,” DHS answered, referring to the latest iteration of the intrusion detection and prevention system operated by NCCIC.
DHS also stated that some of the ransomware incidents at government agencies last year were detected by Einstein, although it did not provide a specific number. The agency said that Einstein 3A is capable of preventing malicious behavior, but it furnished no examples of the system actually preventing an infection.
A Government Accountability Office report issued this year found that Einstein comes up short because it relies on known signatures – patterns of malicious data – to identify intrusions, rather than on a more complex anomaly-based approach, which compares network activity against a predefined “normal behavior” baseline to spot deviations and thereby identify previously unknown threats. If a ransomware strain’s signature is not already known, Einstein won’t detect it.
“It doesn’t do a very good job in identifying deviations from normal network traffic,” stated Gregory Wilshusen, the GAO director of information security issues who co-authored the audit of the Department of Homeland Security’s National Computer Protection System.
DHS confirms Wilshusen’s analysis that Einstein relies on known signatures.
“The techniques that adversaries use to deliver the malware, the techniques they use to communicate with and control infected systems, the Internet infrastructure used in that command and control activity, and the low-level behavior of the malware on a victim system are all similar across most families of malware,” DHS explained.
“Therefore, Einstein capabilities are equally effective at detecting and blocking ransomware attacks as with any other type of known malware.”
Carper asked the Justice Department to describe the challenges it faces in attempting to capture Evgeniy Mikhaylovich Bogachev, architect of the CryptoLocker ransomware Trojan who’s reportedly at large in Russia.
“Many of the most sophisticated cybercriminal actors are located in jurisdictions that do not cooperate directly with the United States,” Kadzik wrote Carper, with the remainder of his answer about hunting down Bogachev redacted from the report that Carper released.
According to Kadzik, the actors behind ransomware are “very business oriented [who] want to make it known that, if victims pay the ransom, they will follow through and provide the private key needed to decrypt the files.” Most ransomware variants include the option for victims to decrypt one file for free “to show that the actors do in fact have the ability to restore victims’ files.”
Kadzik also said that victims often pay the ransom in order to receive the key for decrypting their locked files.