Ransomware actors have not eased their attacks on U.S. companies and institutions in recent months and high cryptocurrency prices are helping to bolster cyber criminal networks, a key Federal Bureau of Investigation official told lawmakers on Tuesday.
“In the last six months, we have not seen a decrease in the amount of frequency of reporting of ransomware attacks,” Bryan Vorndran, assistant director of the FBI’s Cyber Division, told the House Committee on Oversight and Reform. “We attribute that to the simple fact that it’s incredibly lucrative for the criminals. That’s partially due to the valuation of virtual currency, but it’s partially due to the vulnerability of our systems and in our infrastructure.”
The price of bitcoin BTCUSD, -5.55%, the virtual currency used for most high-profile ransomware payments, has increased nearly 300% over the past year from less than $18,000 to more than $60,000 today.
The hearing was part of a congressional investigation into a spate of multimillion dollar ransomware attacks on major U.S. companies in 2021, including those on CNA Financial Corporation CNA, +0.62%, Colonial Pipeline Co. and the U.S. division of JBS Foods JBSAY, -0.84%. CNA ultimately paid a $40 million bitcoin ransom to cybercriminals to recover its network, while Colonial Pipeline paid $4.4 million and JBS paid $11 million, according to the committee.
The hearing also featured testimony from White House National Cyber Director Chris Inglis and Brandon Wales, executive director of the Cybersecurity and Infrastructure Security Agency, and all three witnesses urged Congress to pass legislation that would require private companies to notify the government when they are faced with a ransomware attack.
Congress is currently debating whether to mandate such notification and whether companies should be required to notify the government within 24 or 72 hours, and the witnesses urged the committee to support a faster notification requirement.
“The faster we get the information, the faster we can deploy a local cyber threat expert to victims to work, track, freeze and seize funds taken and ultimately hold cybercriminals accountable,” the FBI’s Vorndran said. “Twenty-four hours probably wouldn’t seem like a big delay to most people, but the help we can offer within that time can be the difference between a business or a piece of critical infrastructure staying afloat or being crippled.”
The FBI has touted recent successes in recovering ransom funds of late, including the seizure in June of 64 bitcoin paid by Colonial Pipeline to hackers, then valued at about $2.3 million, from a virtual wallet. Last Monday, the DOJ announced that it had arrested Ukrainian Yaroslav Vasinskyi and Russian Yevgeniy Polyanin, alleging them to be part of the REvil ransomware gang that perpetrated the attack on JBS. It also said that it had recovered $6.1 million in ill-gotten gains from Polyanin.
National Cyber Director Inglis said Polyanin’s arrest, which occurred when he crossed the border into Poland, shows the U.S.’s diplomatic and offensive efforts to thwart cyber criminals are paying dividends. “Cyberspace is a borderless terrain, and therefore, as much as they can reach us we can reach them,” he said. “If we bring allies to bear, we can use jurisdiction in places like Poland and Romania to apprehend these criminals and bring them to justice using the courts of law that exists in the West.”
In January, international law enforcement agencies, including the FBI, announced that a joint effort had successfully taken down the EMOTET ransomware service by hacking it, gaining control of its infrastructure and “taking it down from the inside,” according to a Europol press release.
The panelists stressed that despite these offensive successes, ransomware cannot be stopped without bolstering defenses at the government, corporate and individuals levels, as more than 90% of criminal breaches are the result of human error, like clicking on an infectious hyperlink. Inglis said institutions must make it a top priority to train their people on cyber hygiene.
“The vast majority of those people don’t intend to make those mistakes,” Inglis said, “They simply make them. They are not well equipped to make an appropriate choice at the moment.”