Senate Report Finds Government is Unprepared To Stop Ransomware Attacks (fastcompany.com)
In the past few years, ransomware attacks have crippled schools, hospitals, city governments, and pipelines. Yet, despite the heavy toll such incidents have on both the public and private sectors, government officials have only a limited understanding of ransomware attacks and how cryptocurrencies are being used to collect payment, according to a new report from the Senate Homeland Security and Governmental Affairs Committee. From a report: "Cryptocurrencies -- which allow criminals to quickly extort huge sums of money, can be anonymized, and do not have consistently enforced compliance with regulations, especially for foreign-based attackers -- have further enabled cybercriminals to commit disruptive ransomware attacks that threaten our national and economic security," said Michigan Senator Gary Peters, the committee's chair, in a statement. "My report shows that the federal government lacks the necessary information to deter and prevent these attacks, and to hold foreign adversaries and cybercriminals accountable for perpetrating them."
Part of the issue is in reporting: The federal government doesn't have a standardized place for victims to log ransomware attacks, which typically encrypt data until a ransom is paid in cryptocurrency. Both the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have websites where victims can report incidents, and some people report the attacks directly to their local FBI field offices -- all of which can leave people unsure of where to turn and lead to different agencies having records of different incidents. Financial regulators, including the Treasury Department's Financial Crimes Enforcement Network, also gather some data on ransomware, particularly around payments, but it's also far from comprehensive. A new law passed by Congress in March, as part of a broad government funding bill, will soon require operators of "critical infrastructure" to report to CISA within 72 hours when they've been the victims of a "substantial cyber incident," and within 24 hours of paying a ransom, but the provision hasn't yet gone into effect, pending regulatory decisions by CISA.
Re: (Score:3)
Regardless it seems like no organization is willing to actually take action against the ransomware by breaking down their systems into smaller segments because centralized IT administration that covers a large amount of sites and that's sometimes even outsourced "saves money".
Imagine an outsourced centralized IT administration site getting infected by ransomware that contaminates all their customers. It won't be pretty.
Re: (Score:2)
Golden parachute side-effect (Score:3)
Golden parachutes are one reason why too many corporations gamble with security. If nothing bad happens they get a mansion and beemers from all the money saved by cutting corners. If something bad does happen, they pull the gold parachute tab and end up with a slightly smaller mansion and slightly fewer beemers. It's usually customers who take the brunt of breach pain, not managers and owners.
Re: (Score:2)
No, no, no! They get a mansion and a yacht [wikipedia.org]! Can't you get anything right?
Re: (Score:2)
We've long held ourselves up for the world to see as a shining example of what is possible with enlightened self government.
The world has seen what we're capable of, and that's why they're both repelled and disappointed.
Re: (Score:2)
Re: (Score:1)
> A meaningful fraction of these attacks are originating in nations with which we currently enjoy friendly relations.
Evidence?
...No Kidding? (Score:2)
Government offices get hit with ransomware just as much as non-government offices, if not proportionally more.
The funny part to me is the requirement to report a ransomware attack to the government...what are they going to do if a cyberattack goes unreported? Fine them?
Re: (Score:2)
Government offices get hit with ransomware just as much as non-government offices, if not proportionally more.
The funny part to me is the requirement to report a ransomware attack to the government...what are they going to do if a cyberattack goes unreported? Fine them?
Most likely, yes.
I mean, let's cut to the chase here. Nobody in our government cares that this shit is happening. They care that money is exchanging hands (the crypto payments for ransomware) and the government isn't getting a cut of the funds. But, they know if they try to publicly claim tax no ransomware payments people will be pissed, so they'll develop "fines" surrounding them to be the tax instead.
It's our government's answer to everything. I'm actually shocked they haven't found a way to tax or fine i
The devil is in the details (Score:3)
Reports like this are clear, but they're long and nuanced. This specific report is 52 pages, for example.
We have laws that used to work, but don't work in the modern form of the crimes. In the old days it was an individual who generally had physical access to the money or office records, they could be tracked down locally, they could be prosecuted, convicted, and jailed locally.
In the digital era there are plenty of laws about the digital trespass, laws about destruction/encryption of data to be unusable,
Re: (Score:2)
"Senate Report Finds Government Unprepared." (Score:5, Funny)
Full stop. That should be the report. The whole report.
Re: (Score:2)
In other shocking news, water is wet and the Sun is hot
"Stop" ransomware attacks? That's not how it works. (Score:5, Insightful)
You cannot prevent ransomware attacks — period. You could severely reduce their numbers by making security job one. They existed before cryptocurrencies were used to cash them out, and they would still exist if we waved a wand and eliminated all cryptocurrencies now. They exist because they are possible, and while they are always going to be possible with some level of effort, they do not have to be this prevalent.
The best way to reduce them right now though is to make paying the ransom illegal, and to make immediate reporting of ransomware mandatory for the largest targets. There's no good reason to mess around with small businesses who can't afford large ransoms anyway, at least not at this point. It should not have to be pointed out that ransomware exists because people will pay, and stopping the payments is the simplest way to stop the ransomware.
Re: (Score:3)
Re: (Score:3)
Unfortunately, the laws you're suggesting creating are unenforceable
What? Who told you that? We often find out about ransomware attacks and payoffs now, despite many corporations' best efforts to hide them. What causes you to imagine that we won't continue to hear about them in the future?
The real problem is that the laws I'm suggesting creating are basically uncreatable, with the corporations in charge.
It's not unlike making it illegal to be addicted to drugs and requiring all drug addicts to self-report.
It's very, very different. Make reporting ransomware attacks to shareholders explicitly mandatory, and have the SEC up their ass if they don't report them. Give a bonus to w
Re: (Score:2)
Re: (Score:2)
You seem to be narrowing the scope of your proposed law - now it will only apply to publicly traded corporations? To mangle a movie quote, that's like putting a band-aid on a bullet wound.
It should of course also apply to the government. You clearly have to start with the big corporations, though. Starting with the little guy always goes badly and accomplishes little.
Re: (Score:2)
That's Brilliant! (Score:2)
It's very, very different. Make reporting ransomware attacks to shareholders explicitly mandatory, and have the SEC up their ass if they don't report them. Give a bonus to whistleblowers. Tada! This will work fine against the large corporations making the large payouts, which are the largest part of the problem.
100% sincerely - this sounds brilliant. While small businesses will still remain targets, mandating that publicly traded companies engage in ransomware reporting, including payment amount, known system impacts, and the wallet address to which the payment was made, will make it unprofitable to ignore security concerns.
Re: (Score:2)
Re: (Score:2)
If you saw a carpenter driving screws with a hammer, and upon asking him, he explained, "It's easier to use than a screwdriver," you'd probably think quite a bit less of him. You might expect a toddler to make a mistake like that, but not a professional.
And yet, in institutions large and small, this is the reason given for using Windows. Windows is fine OS for grandma, who just needs to occasionally check her email. It's fine for the kids, who just want to play games. But when security breaches cost
Re: (Score:2)
The technical aspect of the ransomware problem is easy - use Linux.
https://duckduckgo.com/?q=linu... [duckduckgo.com]
Re: (Score:2)
hmm...
most office drones need to use ms office and other windows only tools
those who don't need software like that would typically be developers/etc. who aren't the type to run trojans (i.e., I believe this is the primary source of ransomware?)
good luck forcing corporate america to not use ms office/etc. - it would be easier just to at least semi-lock down windows and use some corporate cloud backup software (e.g., egnyte, etc.)
That said, as an office drone myself, if they made me lock down my laptop, my pr
Re: (Score:2)
NO, that will NOT even slow it down.
However, it is TRIVIAL to kill off 66-90% of these. How? Simply have ppl use digital certificates on email/text/IMs, social media, etc. And have them ISSUED (not necessarily hosted) by federal governments. THIS would kill off a large amount of attacks, since most of these involve phishing, email/text virus, etc.
Re: (Score:2)
another person with no experience in network or even coding.
lol
NO, that will NOT even slow it down.
lol again
However, it is TRIVIAL to kill off 66-90% of these. How? Simply have ppl use digital certificates on email/text/IMs, social media, etc.
oh shit belly laugh there
You think it's trivial to get people to use digital signatures? You absolute fucking noob.
And have them ISSUED (not necessarily hosted) by federal governments.
Yeah! Don't let anyone email unless they get a cert from the feds! What a wonderful idea, why didn't I think of it? Oh yeah, because I didn't get a brain disease from licking boots, you total fucking numpty.
Re: (Score:2)
You think it's trivial to get people to use digital signatures? You absolute fucking noob.
And have them ISSUED (not necessarily hosted) by federal governments.
Yeah! Don't let anyone email unless they get a cert from the feds! What a wonderful idea, why didn't I think of it? Oh yeah, because I didn't get a brain disease from licking boots, you total fucking numpty.
Gads, you have always loved proving that you are a TOTAL IDIOT.
First off, it IS trivial to USE DIGITAL CERTIFICATES. Digital SIGNATURES are something very different, and the fact that you do not understand the difference says that you do not have anywhere NEAR enough experience on the net for security talk.
Secondly, the hard part with Digital CERTIFICATES is obtaining them, esp. in the US. It costs $75/year for one that handles a number of issues and required me to send in a photo of my ID (front AND bac
Re: (Score:2)
Isn't having backups like the best response to those kinds of attack?
We are fully prepared! (Score:3)
Just look at our citizen preparedness!
the only thing that stops a bad guy with a ransomware tool is a good guy with 4 or 5 semiautomatic guns.
problem solved
Re: (Score:2)
Re: (Score:2)
Someone has no sense of satire or sarcasm.
Want to stop the attacks? (Score:2)
Educate people to not do preventable shit that causes ransomware to get into a system.
Make doing preventable shit that causes such an incursion an immediate fireable offense.
People will eventually get the idea... don't open random emails, don't plug in unknown usb drives into machines on a network, don't visit shit websites, etc....
Re: (Score:3)
Re: (Score:2)
Re: (Score:2)
The Federal government has jets (Score:2)
... I'm pretty sure the sources can be hunted down and tracked accordingly.
In other news... (Score:1)
Finds a user for (Score:2)
Re: (Score:2)
The only way to prevent them is to not give any average people write access to critical data.
Close, but no cigar. It is having given read access to the bad guys via emails/text/IM/social media that was unauthenticated.
When you do not know who you are communicating with, it is trivial for the bad guys to spoof and then own you.
Neon Sign (Score:2)
Gov unable to stop ransomware attacks (Score:1)
The government can't even stop physical attacks (Score:2)
Follow the Money (Score:2)
Not all solutions need to be increased IT security, but yes you should do that too.
1. Force disclosures of such attacks to at least some government agency, depending on the scope or severity, disclose to the public.
2. If the company pays the ransom, fine them 10x the ransom. The fine must be paid in full within one year of the ransom payment, unless it's a financial hardship, then pay in installments.
3. Sanction banks that facilitate these transactions.
4. Some crypto-currency is tough to trace, I get it, b