Ransomware tools are opening up the field to a growing number of less tech-savvy actors even as many ransomware operations have increased in sophistication, DHS Assistant Secretary for Cyber, Infrastructure, Risk and Resilience Iranga Kahangama told Congress.
“I think it’s appropriate to liken a ransomware organization almost to a modern-day mob or mafia,” Kahangama said June 28 at a Michigan field hearing of the House Homeland Subcommittee on Intelligence and Counterterrorism on combating ransomware. “It’s very large structures. There is something called ransomware as a service, in which you break up a ransomware attack into different parts. There is initial access. There is deploying malware. There’s getting the money. These are kits that you can literally buy online. And as a result, anyone with very basic technical knowledge can become a ransomware operator, unfortunately. And so with this lowest common denominator environment, you have a proliferation of individuals who are seeking to conduct these attacks.”
“And the fact is that they like to do one of these and two of these in very small increments, in order to not go on the radar, to be undercover a little bit,” he added. “And so I think you have ransomware actors growing in terms of their sophistication, but at the same time the tools they have are becoming quite basic. And so you have very low-level people conducting these attacks at a much higher frequency, with a wide availability of these tools. So it’s a growing issue.”
Cybersecurity and Infrastructure Security Agency Deputy Executive Assistant Director for Cybersecurity Matt Hartman told lawmakers that the Cyber Incident Reporting for Critical Infrastructure Act recently passed by Congress is “going to be monumental in terms of the federal government being able to understand what is happening from a ransomware and a broader cybersecurity perspective, and cyber incident perspective, as well as take action as a U.S. government to deter future attacks.”
“With respect to the implementation of the legislation, we are in the process of a very thorough and rigorous rulemaking process,” he said. “We intend to really find the sweet spot in implementation between defining the types of incidents that need to be reported to the federal government and when, to allow victim organizations to focus on restoring their systems and data, but also in sufficient time providing the information to the federal government so we can limit the impact of a potential campaign and help the broader community.”
DHS intends to finish that rulemaking within 24 months and work with partners at the FBI to “make sure that when CISA receives information about ransomware or other cybersecurity incidents from all sectors, that we are quickly sharing that information back with the FBI, with the Sector Risk Management Agency from any of the 16 sectors, and with appropriate state and local authorities so that we as a community can take action to combat this problem.”
Kahangama, who used to be director for cyber incident response at the National Security Council, started at the Department of Homeland Security in May.
“We want to minimize the risk posed from cyberattacks, and we want to ensure the resilience of critical services that are provided to this country,” Kahangama said.
Ransomware attacks, he stressed, “do not discriminate: They target large and small targets, whether it’s large corporations, small and medium enterprises, hospitals, local governments or schools.” And often, “the cost of cleaning up an attack can be more expensive than paying the ransom itself or to provide mitigating services beforehand.”
DHS is “rapidly increasing our ability to investigate cryptocurrency because it is the preferred payment method for ransomware actors,” he said, with the department “actively getting tools and learning how to track and trace cryptocurrency so that we can better disrupt and potentially claw back some of this money.” One challenge is that ransomware actors “are often in permissive environments that do not cooperate with us, including Russia.”
Asked about lessons learned from recent high-profile ransomware attacks on critical infrastructure such as Colonial Pipeline and JBS Foods, Kahangama emphasized that “no matter how big an organization you are, the smallest cyber vulnerability can be quite damaging.”
“And I think it’s also important to understand the connection between regular systems that you may use for HR or doing paychecks, versus all the operational components,” he added. “I think in both of those instances with Colonial and JBS, we saw relatively small attacks that targeted something like a payroll system, and then out of an abundance of caution, the entire enterprise shut down. So I think we’re all susceptible to the lowest common denominator of cybersecurity that’s provided.”
“The other thing I want to mention is that ransomware attackers are quite vigilant, and they are looking for businesses and services that they know will want to pay.”
Hartman pointed to four things “that every organization, large or small, should consider, and this is as applicable to farmers and schools as it is to the Colonial Pipelines and the JBS Foods”: implementing multi-factor authentication, maintaining offline encrypted backups (and “periodically and regularly test that you are able to recover to these backups, so if your data is encrypted, you are not faced with a decision of whether to pay or not”), developing an incident response plan, and reporting incidents to CISA.
“This is important for two reasons. First, if we do not know, we can’t help,” he said. “Secondarily, if we do not know the tactics that are being used, if we do not know the infrastructure that is being used, we cannot share that information in an anonymized fashion more broadly to protect the community.”
“So, get to know your local cybersecurity advisors from CISA. Get to know your FBI field offices. The real important thing is that you contact one of us. And then on the back end, we will work within the Department of Homeland Security, with our peers at FBI, to make sure that we can provide all of the assistance of the federal government.”
Hartman told lawmakers that “ransomware and the threat of cyberattack are top-of-mind concerns to schools, to hospitals, to businesses large and small, and to so many other organizations — that’s why it is important that we empower organizations and Americans to help us raise the cybersecurity baseline.”
“The administration’s approach to countering ransomware is focused on bolstering resilience,” he said. “Strengthening resilience to withstand ransomware attacks is arguably the most difficult element of our collective efforts.”
Hartman said that “every organization that wants to avoid being the victim of ransomware must continuously invest in the practices that will keep their customers, their systems and their data secured.”
“The question that we need to ask ourselves is, what can we do right now to truly have an impact? I’ll point to two things. First, we must give organizations tools and guidance to increase their security and resilience,” he continued. “This is why CISA works every day to raise awareness, and to promote basic cyber hygiene across tens of thousands of businesses and government agencies throughout our country. Organizations need to raise their cybersecurity standards, and the guidance that CISA provides is meant to provide real-time, actionable information to help them do so. For you, that means regularly update your software, think before you click, avoid suspicious links in phishing emails, use strong passwords, and most importantly, implement multifactor authentication. Adding a second factor for login makes you 99 percent less likely to be hacked.”
“Second, we need to partner with the American people, organizations in both the public and private sectors to identify threats and vulnerabilities, to develop guidance, to conduct outreach and to ensure that everyone has the information that they need to make educated cyber risk management decisions.”
Key to this partnership effort has been CISA’s “growing presence outside of Washington, D.C.,” Hartman said, with cybersecurity advisors “now in nearly every state… to provide boots on the ground help to organizations of all sizes to address the growing threat of cyberattack.”
CISA’s Joint Cyber Defense Collaborative was launched to “drive partnership between the federal government and private-sector companies who possess tremendous visibility into domestic networks, to help us identify emerging threats and to provide timely and actionable cybersecurity guidance to reduce the risk of attack for everyone,” and “a great example of this guidance is CISA’s Shields Up messaging campaign which we launched in the lead-up to the Russian invasion of Ukraine.” This has become one of CISA’s most visited pages on CISA.gov.
The StopRansomware.gov collaborative government resource has amassed more than 830,000 views, and the Ransomware Readiness Assessment tool on the site has been downloaded about 15,000 times.