The Senate Homeland Security and Governmental Affairs Committee published a new report entitled America’s Data Held Hostage: Case Studies in Ransomware Attacks on American Companies. The report summarizes the events experienced by three targets of the REvil ransomware gang. The organizations vary in size, sector, and dedicated cybersecurity resources. In addition, the report has background information on Russian cyber aggression, including attacks against Ukraine. Key findings included:
— All organizations, regardless of size and sophistication, are susceptible to ransomware attacks.
— Ransomware gangs often use phishing attacks to gain initial access to victim networks.
— In past ransomware attacks, multifactor authentication, zero trust principles, and network segmentation helped prevent attackers from gaining access to more sensitive data in a victim’s networks.
— Maintaining offline backups and a well-defined incident response plan helped victims resume critical operations quickly without paying a ransom, when attackers did get in.
— The laws and regulations at the time discouraged victims from sharing information with other potential victims that could prevent future ransomware attacks.
— Until recently, there was no Federal agency charged with collecting and tracking reports of cyber incidents to prevent and mitigate future attacks
Analyst Notes
Organizations can expect increased legislative and regulatory scrutiny as well as additional requirements based on the heightened bipartisan perception of urgency on matters related to information security in the US. Given elevated threat levels due to geopolitical events, the existence of offline backups and incident response plans should be not taken for granted. Checking both that backups are being made regularly, in accordance with disaster and incident response planning, and that backups are safely stored offline so that attackers cannot disable them is important. In order to avoid significant downtime and interruption of services, it is equally important to ensure that a smooth, error free process exists to restore from backups as necessary in the event of a major incident. In addition, incident response plans should include public relations and executive personnel with clear communication channels to make decisions about notifications and business-related workflows, as well as technical response teams. Externally sourced incident response teams should be contacted to ensure availability in the event they are needed.
https://www.hsgac.senate.gov/media/minority-media/new-portman-report-demonstrates-threat-ransomware-presents-to-the-united-states
