Organizations of all sizes are susceptible to ransomware attacks, and the best set of defenses against those kinds of destructive cyberattacks relies on implementing multifactor authentication, network segmentation, and other zero trust security principles, Sen. Rob Portman, R-Ohio, said in a new report released today.
Sen. Portman, who released the report in his capacity as ranking member of the Senate Homeland Security and Governmental Affairs Committee, detailed some of the attack traits gleaned from an investigation into three unnamed companies hit by Russian-linked ransomware group REvil.
The senator also used the report as a rallying cry for the implementation of mandatory cyberattack reporting requirements for critical infrastructure entities that are a part of the recently approved Fiscal Year 2022 omnibus appropriations bill.
The report emphasizes that ransomware attacks are rising fast: one cybersecurity firm estimates there were 623 million ransomware attack attempts in 2021, and 421 million of those targeted the United States.
“Ransomware attacks, like the one on Colonial Pipeline or JBS Foods, are a painful reminder that these incidents have real-world consequences,” Sen. Portman said. “This report shows that all organizations, no matter the size or financial resources, can fall victim to sophisticated cyber adversaries. It also shows how organizations can take proactive steps to secure their networks against the most damaging impacts of ransomware attacks.”
REvil is the ransomware group that has been publicly linked to the 2021 ransomware attacks on software supply chain company Kaseya, and JBS Foods USA. After briefly disappearing in July 2021, the group was reportedly knocked offline by a multi-government effort in October.
The Portman report does not name which three organizations were studied, for fear of potentially making them victims of further attacks. But on a background call with reporters, the lead investigator for the report said the companies range from a Fortune 500 company to a small company with around 50 employees. All three attacks happened within the last five years.
“Over the last year, REvil’s kind of prominence in this space and the number of attacks that they’ve perpetuated was one of the reasons we wanted to kind of explore their impact on American companies,” the investigator said. “But also, these three entities we’ve selected – everything from a very large company to a small, 50-employee company – kind of paints the picture that this is a problem for everyone regardless of size and sophistication. So we wanted to have that broad representation there.”
The investigator acknowledged that while the study of just three victimized organizations does not make for a representative sample, it nonetheless provides “a couple illustrative studies.”
One such “illustrative” nugget noted that in each of the three attacks, the victims reported the attacks to the Federal government. While one organization said it did not need government assistance, the other two reported that the FBI prioritized investigation of REvil in its response, rather than mitigating damage and protecting victim data. As a result, the report recommends that the FBI ensure that it considers victims’ priorities when it responds.
The report also found that at the time of the attacks, current laws and regulations discouraged information sharing between victims and potential victims. Sen. Portman emphasizes the potential impact that the critical infrastructure mandatory incident reporting legislation included in the FY 2022 omnibus appropriations bill could have in this regard.
“The Biden administration should work quickly to implement my recently enacted bipartisan Cyber Incident Reporting Act,” Sen. Portman said in the release. “This law will help prevent future cyberattacks by facilitating increased information sharing and enhance the federal government’s cyber defense and investigative capabilities.”
The report’s investigator emphasized the impact the study should have from a visibility aspect. The report recommends that the Cybersecurity and Infrastructure Security Agency (CISA) work with the FBI, the National Cyber Director, and any other relevant agencies to quickly implement the law for the critical infrastructure sector, and that CISA share any reports received under the law with the FBI.
“It certainly would be interesting to get more information from other companies about their experiences, which is where the Cyber Incident Reporting for Critical Infrastructure Act comes into play,” the investigator said. “That will provide a whole-of-government, whole-of-nation picture into cyberattacks that are occurring on critical infrastructure on a daily basis.”
“These adversaries – when REvil attacks or when foreign government attacks us – they’re coordinated,” the investigator added. “They’re hitting five or six different targets in the United States; that’s a coordinated attack. They know all the companies or organizations they’re hitting. But until we get this … new legislation implemented, there is no coordinated defense because only those companies know that they’re being attacked, potentially, until they notify the government.”