Ransomware: Attacks Against Government Agencies Widespread
Hundreds of Incidents Reported, But No Ransom Paid
Although organizations in a number of business sectors, including healthcare, have been targeted by ransomware attacks in recent months, a new report reveals that government agencies also were targeted hundreds of times during the second half of last year, but no ransoms were paid.
Meanwhile, the FBI has issued new guidance and an alert warning of the growing risks posed by ransomware (see Ransomware Epidemic Prompts FBI Guidance).
Some 29 federal agencies reported they were targeted with ransomware 321 times between June and early December, according to a Department of Homeland Security response to an inquiry by Sen. Tom Carper. The Delaware Democrat, who serves as the ranking member of the Senate Homeland Security and Governmental Affairs Committee, had requested information about the government's ransomware defenses as part of the panel's oversight of government IT security.
Not all of the incidents resulted in ransomware infections. Of those that did, most affected end-user workstations. In all those cases, DHS reports, "the system was removed from the network and replaced with a new, clean system with minimal impact to the user and agency."
DHS told Carper that it "is not aware of any instances in which federal agencies paid a malicious actor to remove ransomware from a government computer."
Understanding the Problem
Carper said the response from DHS, as well as one from the Justice Department, "are a first step toward understanding the problem so we can make informed policy decisions about these unique threats."
In addition to federal agencies, state and local governments are also being targeted. The Multi-State Information Sharing and Analysis Center told DHS that MS-ISAC's associated Computer Emergency Response Team identified and addressed 40 incidents related to ransomware-associated activity on state, local, tribal and territorial governments' systems. DHS did not characterize the success or failure of those ransomware attack attempts, but said MS-ISAC did not request special assistance from NCCIC to address these incidents in 2015.
But the Boston Globe reported that the town government of Medfield, Mass. - population 12,000 - in December paid a ransom demand of about $300 to a cybercrime gang after one of its servers was infected with ransomware, which encrypted its contents (see Town Faces Ransomware Infection, Blinks).
Ransomware: A Global Threat
The attacks on government agencies come at a time of an increase in reported ransomware attacks across many U.S. business sectors and around the world.
Healthcare has been particularly hard hit. Just this week, the Washington, D.C.-area, 10-hospital system MedStar Health shuttered many of its systems to avoid the spread of apparent ransomware (see MedStar Shuts Systems After Cyberattack). Other recent ransomware attacks have targeted hospitals in California, Kentucky and Ontario, Canada.
Assistant Attorney General Peter Kadzik, in the DOJ's response to Carper's inquiry, said the FBI's Internet Crime Complaint Center received 7,694 ransomware complaints in 2015, with losses from these attacks costing victims an estimated $57.6 million.
Carper, in his inquiry, noted testimony before the Senate that suggested the government's anti-malware defenses need to evolve to keep pace with increasingly sophisticated botnets used to disseminate viruses, including ransomware. The senator asked DHS what techniques it uses to combat botnets.
"To protect federal agencies against ransomware-type botnets, NCCIC leverages the Einstein 3 Accelerated system," DHS responded, referencing the latest rendition of the intrusion detection and prevention system operated by NCCIC. DHS said some of the ransomware incidents at government agencies last year were detected by Einstein, although it did not provide a specific number. The agency, in its response to Carper, said Einstein 3A could prevent malicious behaviors but did not furnish any examples of the system preventing infections.
Einstein and Its Limitations
Einstein has limits on detecting malware. According to a Government Accountability Office report issued earlier this year, Einstein comes up short because it relies on known signatures - patterns of malicious data - to identify intrusions, rather than a more complex anomaly-based approach, which compares network activity against a baseline of "normal behavior" and flags deviations, allowing previously unknown threats to be identified. If the ransomware's signature is unknown, Einstein won't detect it (see GAO: Feds' Einstein Program Comes Up Short).
"It doesn't do a very good job in identifying deviations from normal network traffic," said Gregory Wilshusen, the GAO director of information security issues who co-authored the audit of the Department of Homeland Security's National Computer Protection System, which includes Einstein.
DHS, in its response to Carper, confirms Wilshusen's analysis that Einstein relies on known signatures. "The techniques that adversaries use to deliver the malware, the techniques they use to communicate with and control infected systems, the Internet infrastructure used in that command and control activity, and the low-level behavior of the malware on a victim system are all similar across most families of malware," DHS said. "Therefore, Einstein capabilities are equally effective at detecting and blocking ransomware attack as with any other type of known malware."
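The two views above, GAO's point that a signature-only system misses anything whose indicators are not yet known and DHS's point that command-and-control behavior looks alike across malware families, can be shown side by side on the same traffic. The following is an added example and is not code from the article, from DHS or from the Einstein program; it runs two detectors over constructed outbound flow records (timestamp in seconds, source host, destination domain). The domain names, host names and the signature list are made up for the illustration. The signature check flags only destinations already on the list; the behavioral check flags any host that contacts one destination at near-constant intervals, the beaconing pattern typical of C2 regardless of the family, and so catches a variant whose domain has never been seen before.

```python
"""Signature matching versus beacon detection over constructed flow records."""
from collections import defaultdict
from statistics import mean, pstdev

# Hypothetical indicator list standing in for a signature feed. Constructed
# for this example; not a real indicator set.
KNOWN_BAD_DOMAINS = {"c2.known-locker.example"}


def build_flows():
    """Return constructed sample flows as (timestamp_seconds, src_host, dst_domain)."""
    flows = []
    # ws-01: interactive browsing, irregular gaps, several destinations.
    browse_times = [0, 7, 45, 46, 130, 131, 132, 400, 905, 910, 1500, 1502]
    sites = ["news.example", "mail.example", "cdn.example", "wiki.example"]
    for i, t in enumerate(browse_times):
        flows.append((t, "ws-01", sites[i % len(sites)]))
    # ws-02: infected with a variant whose C2 domain is on no list. It checks
    # in roughly every 60 s with a little jitter for 30 minutes.
    jitter = [0, 1, -1, 2, 0, -2, 1, 0, 1, -1, 0, 2, -1, 0, 1,
              0, -1, 1, 0, 2, -2, 0, 1, -1, 0, 1, 0, -1, 2, 0]
    for k, j in enumerate(jitter):
        flows.append((60 * k + j, "ws-02", "update.unseen-variant.example"))
    # ws-03: a single connection to a domain that IS on the signature list.
    flows.append((300, "ws-03", "c2.known-locker.example"))
    return sorted(flows)


def signature_hits(flows, bad_domains=KNOWN_BAD_DOMAINS):
    """Signature check: flag (src, dst) pairs whose destination is a known indicator."""
    return sorted({(src, dst) for _, src, dst in flows if dst in bad_domains})


def beacon_hits(flows, min_conns=10, max_cv=0.10):
    """Behavioral check: flag (src, dst) pairs that connect at near-constant
    intervals. The coefficient of variation (stddev / mean) of the gaps between
    connections is close to 0 for a beacon and large for human-driven traffic.
    Returns (src, dst, mean_gap_seconds) for each flagged pair."""
    by_pair = defaultdict(list)
    for t, src, dst in flows:
        by_pair[(src, dst)].append(t)
    hits = []
    for (src, dst), times in by_pair.items():
        if len(times) < min_conns:          # too few samples to call it periodic
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        cv = pstdev(gaps) / mean(gaps)
        if cv <= max_cv:
            hits.append((src, dst, round(mean(gaps), 1)))
    return sorted(hits)


if __name__ == "__main__":
    flows = build_flows()
    print("signature hits:", signature_hits(flows))   # only the listed domain
    print("beacon hits:   ", beacon_hits(flows))      # the unlisted C2 as well
```

On this input the signature pass reports only ws-03, because the domain ws-02 is talking to is not on the list, while the beacon pass reports ws-02 with a 60-second period and ignores ws-01's irregular browsing. The caveats a practitioner should expect: legitimate pollers (time sync, update checkers, monitoring agents) also beacon and need to be allowlisted, and an adversary who adds large random jitter or rotates destinations will push the coefficient of variation above any fixed threshold, so this check is a complement to signatures rather than a replacement.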
Capturing the Culprits
In his inquiry, Carper asked the Justice Department to describe the challenges it faces in attempting to capture Evgeniy Mikhaylovich Bogachev, architect of the CryptoLocker ransomware Trojan who's reportedly at large in Russia (see FBI Hacker Hunt Goes 'Wild West'). "Many of the most sophisticated cybercriminal actors are located in jurisdictions that do not cooperate directly with the United States," Kadzik wrote Carper, with the remainder of his answer about hunting down Bogachev redacted from the report that Carper released.
Kadzik characterizes the actors behind ransomware as "very business oriented [who] want to make it known that, if victims pay the ransom, they will follow through and provide the private key needed to decrypt the files." Most ransomware variants include the option for victims to decrypt one file for free "to show that the actors do in fact have the ability to restore victims' files." In most cases, he says, victims pay, and the criminals provide the key to decrypt the locked files upon payment.