The FBI might be coming up short when helping ransomware victims restore their systems, according to an investigation released Thursday by the Senate Homeland Security and Governmental Affairs Committee’s ranking member Rob Portman, R-Ohio.
Senate investigators plumbed three case studies of ransomware attacks against U.S. companies within the past five years. All three companies interviewed for the investigation reported the attacks to the FBI at the time, but only two pursued assistance. All three attacks were committed by REvil, the notorious Russian ransomware gang that drew intense scrutiny from U.S. law enforcement last year after major attacks on software supplier Kaseya and global meat supplier JBS.
The Senate committee report withholds the names of the victims and dates of the attacks to protect victims from potential retaliation from hackers, a committee aide said in a call with reporters. The aide declined to say if the attacks were previously publicly reported.
The report notes that both companies that sought out assistance from the FBI found the response lacking.
“They told the Committee that the Federal Bureau of Investigation (FBI) prioritized its investigative efforts into REvil’s operations over protecting the companies’ data and mitigating damage,” the report notes. “Both companies also indicated they did not receive advice on best practices for responding to a ransomware attack or other useful guidance from the Federal Government.”
In the case of “Entity A,” a Fortune 500 company, the FBI reportedly offered a hostage negotiator with no experience in ransomware. Neither of the companies in the report interacted with CISA during their response to the attacks, according to investigators.
There have also been publicly reported cases of the FBI leaving victims in the lurch. The FBI reportedly withheld a decryption key that could have helped hundreds of Kaseya customers in order to not tip off REvil to an operation against the group, The Washington Post reported in September.
When asked about the decision at a Senate Homeland hearing, Wray defended the FBI’s process. “We make the decisions as a group not unilaterally, and these are complex, case-specific decisions designed to create maximum impact, and that takes time in going against adversaries where we have to marshal resources not just around the country, but all over the world,” he said.
One recent game-changer the report mentions is a bill co-sponsored by Portman and signed into law last week that requires critical infrastructure companies to report incidents to CISA within 72 hours and ransomware payments within 24 hours.
“This report shows that all organizations, no matter the size or financial resources, can fall victim to sophisticated cyber adversaries,” Portman said in a statement. “The Biden administration should work quickly to implement my recently enacted bipartisan Cyber Incident Reporting Act. This law will help prevent future cyberattacks by facilitating increased information sharing and enhance the federal government’s cyber defense and investigative capabilities.”
“This law will enhance the federal government’s ability to combat cyberattacks, mount a coordinated defense, hold perpetrators accountable and prevent and mitigate future attacks through information sharing,” the report notes.
But there’s still progress to be made so that CISA and the FBI work together in a way that’s beneficial to victims.
“Close coordination between these two entities will best position the FBI to investigate those responsible for ransomware attacks while also allowing CISA to provide the technical assistance victims need to recover,” the report suggests.
The committee aide acknowledged that coordination between CISA and the FBI has improved in recent months.
The report also puts forth recommendations for the private sector, including making it harder for attackers by using stronger authentication methods, maintaining offline backups and encrypting all data in transit. One thing all three entities that the committee studied had in common was that they had incident response plans in place, allowing them to avoid the worst-case scenarios, including paying a ransom.
The committee informed the FBI about the investigation in advance but the bureau declined an offer to brief staff for the report, a committee aide said. The FBI did not respond to a request from CyberScoop for comment by press time.