GAO Blog – How much would a government entity or business pay to restart its operations after an attack on its critical IT systems? $4 million? $11 million? Those behind recent ransomware attacks are trying to cash in big by holding our nation’s under-protected IT hostage.
Today’s WatchBlog post explores some of the big ransomware attacks against federal, state, and local governments and the private sector, and our recent work on cybersecurity and recommendations for improving protections against ransomware.
What is ransomware and why should we worry?
Ransomware is a type of malware used to deny access to IT systems or data, holding them hostage until a ransom is paid. After the initial infection, the ransomware attempts to spread to shared storage drives and other accessible systems. If the ransomware perpetrators’ demands are not met, the system or encrypted data remains unavailable, data may be deleted, or the data could be released publicly. If ransom is paid, the perpetrators will typically provide the victim the information needed to regain access to the system or unencrypt the data.
According to the Department of Homeland Security (DHS), attacks using ransomware have at least doubled since 2017, and criminal groups are increasingly targeting U.S. critical infrastructure, which includes systems and assets supporting emergency services, telecommunications networks, and energy production and transmission facilities. Risks from attacks on these key systems and assets include national security, economic stability, and public health and safety.
Ransomware attacks and indictments
- In June 2021, the White House and U.S. Department of Agriculture announced that a meat processing company had been targeted with ransomware that affected the company’s operations. The company reportedly paid $11 million in ransom.
- In May 2021, Colonial Pipeline Company announced that it was the victim of a ransomware attack that led to temporary disruption in the delivery of gasoline and other petroleum products across much of the southeast U.S., and paid over $4 million in ransom.
- In February 2021, the Department of Justice (DOJ) announced that 3 North Korean individuals were indicted for, among other things, the creation of the destructive WannaCry ransomware, as well as the extortion and attempted extortion of victim companies from 2017 through 2020. The WannaCry campaign, which was discovered in May 2017, remotely compromised systems and encrypted files, affecting hospitals, schools, businesses, and numerous organizations. It led to tens of thousands of infections in over 150 countries.
- In December 2020, federal law enforcement received numerous reports of ransomware attacks against K-12 educational institutions. In these attacks, malicious cyber actors targeted school computer systems, slowing access, and—in some instances—rendering the systems inaccessible for basic functions, including distance learning.
- In October 2020, DOJ announced that 6 Russian individuals were indicted for, among other things, NotPetya ransomware which caused nearly $1 billion in losses to the 3 known victims identified in the indictment. NotPetya, which was discovered in June 2017, was a form of malware that exploited existing vulnerabilities in computer software or networks to encrypt files and allowed attackers to gain privileged rights and encrypt essential files making the infected Windows computers unusable. It infected organizations in several sectors, including finance, transportation, energy, commercial facilities, and healthcare.
- In May 2019, the Mayor of Baltimore reported that the city was the victim of a ransomware attack. As a result, city employees were not able to access their emails and the attack delayed real estate sales and water billing for months.
What’s been done?
The federal government has spread the word about the threat of ransomware and provided actionable guidance to organizations and individuals to mitigate this threat. For example, in recent months, DHS’s Cybersecurity and Infrastructure Security Agency unveiled the Reduce the Risk of Ransomware campaign and published guidance on the rising ransomware threat in response to increases in ransomware attacks targeting operational technology assets and control systems. Earlier this month, DOJ issued a memorandum for all federal prosecutors with guidance for investigations and cases related to ransomware and digital extortion.
What needs to be done?
Ensuring the cybersecurity of our nation has been on our High Risk List since 1997, and in September 2020, we highlighted the need for the federal government to develop and execute a more comprehensive strategy for national cybersecurity and global cyberspace. Since 2010, we have issued over 3,300 recommendations that could improve the nation’s cybersecurity. As of December 2020, more than 750 of those recommendations were not yet implemented. We also have ongoing work related to ransomware, including examining how the federal government strategizes and builds allies to combat cybercrime, protects K-12 institutions’ cybersecurity, and provides assistance to state and local governments to promote their security efforts.
Want to learn more about this issue and our recommendations to address it? Check out our High Risk List page on Ensuring the Cybersecurity of the Nation, which includes a list of recent reports, and recent podcasts with GAO cybersecurity experts.