Report: US making progress in fight against ransomware

Date: 2023-05-12

The U.S. has spent recent years strengthening its efforts to combat ransomware, yet that specific type of cyber attack remains a problem, with new strains that are harder to attribute and incident reporting gaps that leave questions. Even so, there may be new reasons for optimism.

Ransomware has spiked in public awareness of late, with high-profile incidents such as the 2021 Colonial Pipeline panic, and it continues to cause new problems for local government, in places ranging from Dallas to Spartanburg County, South Carolina. As a result, federal efforts to fight these attacks are ongoing, and they have frequently aligned with the recommendations of the Ransomware Task Force (RTF), a public-private collaboration whose members have previously included the now-acting National Cyber Director Kemba Walden.

RTF released a 2021 report detailing the global ransomware landscape with proposals for how nations could work to disrupt it in long-lasting ways, and the U.S. has made at least some progress on most of the recommendations in that report, speakers said during a recent event hosted by the Institute for Security and Technology (IST), which coordinates the RTF. Among the wins: international partnerships have disrupted some perpetrators, and the U.S. has started pre-emptively warning organizations when they have vulnerabilities that are susceptible to ransomware actors.

But ransomware variants are becoming harder to attribute, and insufficient incident reporting still leaves researchers and governments in the dark on the full scope of the problem, speakers said.

Federal security and cybersecurity officials said they want to compel cryptocurrency entities and cloud services providers to keep cyber criminals off their services. Anne Neuberger, U.S. deputy national security adviser, said the U.S. is also mulling a ban on ransomware payments, with exemptions granted to some essential organizations.

The state of ransomware in the U.S.

Ransomware attacks against U.S. entities dipped notably during the first half of 2022, per the RTF's new report. Other research also finds that more cyber criminals may be looking to other ploys as easier and faster ways to extort money. CrowdStrike, for example, previously reported an upsurge in cyber criminals extorting victims by simply stealing and threatening to leak their data — without ever bothering to use ransomware to lock up victims' files.

But it's unclear if any of this marks a lasting shift away from ransomware. The drop in such attacks against the U.S. may have been driven by world events, with Russia's war against Ukraine diverting the attention of cyber crime groups in the region, the RTF said.

Officials are cautious about describing the landscape, but some tentatively suggest hope.

The rate of ransomware attacks seems to be somewhat stabilizing, and, "I think a level, plateau, steady state is where we've been," said David Ring, head of the FBI Cyber Division's private-sector engagement and cyber criminal intelligence missions.

However, Allan Liska, intelligence analyst at the threat intelligence platform provider Recorded Future, said the situation remains murky.

"We think ransomware attacks have seen a resurgence in 2023, after dipping a little bit in 2022," Liska said, "... but the answer is that we don't know," because there's not enough incident reporting to get a clear picture.

Regardless of the number of attacks, those that do successfully hit can be punishing. Ransomware continues to strike U.S. hospitals, schools and local governments.

Fully understanding the ransomware landscape is challenging, because reporting requirements are often nonexistent or "fragmented," making it hard to get a complete view, Liska said. Even the FBI believes it only received victim reports on about 20 percent of Hive ransomware attacks, Ring said.

Michael Phillips — RTF co-chair and chief claims officer at cyber insurance provider Resilience — said organizations fear being stigmatized if they admit to suffering a ransomware attack, and they also want a standardized way to report. That latter step would make it easier for victims to inform authorities promptly, while they're still in crisis mode dealing with the effects of an attack.

Mandatory reporting requirements are forthcoming for some sectors under the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA), which passed in 2022. But the Cybersecurity and Infrastructure Security Agency (CISA) is still paving the way for its implementation, and CISA Chief Strategy Officer Valerie Cofield said "we won't see the fruits of that legislation for a couple of years."