The federal government lacks comprehensive data on ransomware attacks and the use of cryptocurrency in paying ransoms, according to a Senate report.
A 10-month investigation by Senate Homeland Security and Governmental Affairs Committee staff found that while multiple federal agencies are addressing ransomware attacks, more data is needed from both the federal and private sectors to better understand the attacks.
Even though the FBI acknowledges that its data is artificially low, the number of complaints to the agency between 2018 and 2020 showed a 65.7% increase in the number of victims and a 705% increase in adjusted losses. The bureau received 3,729 ransomware complaints in 2021 alone, accounting for more than $49.2 million in adjusted losses.
However, a private sector estimate by blockchain data and analysis firm Chainalysis found that malign actors received at least $692 million in cryptocurrency as part of ransomware attacks in 2020, a 300% increase from the $152 million in 2019. A separate study by anti-malware company Emsisoft found at least 24,770 ransomware incidents in the U.S. in 2019, costing about $10 billion, including costs for downtime.
Legislation signed into law earlier this year requires critical infrastructure firms to report breaches, ransomware payments and other “significant” cyber incidents to the federal government.
Homeland Security and Governmental Affairs Committee Chairman Sen. Gary Peters, D-Mich., who sponsored the breach reporting measure and the committee report, said: “My bill that was recently signed into law to require critical infrastructure to report cyberattacks and ransomware payments will be a significant step to ensuring our government has better data to understand the scope of this threat, disrupt the incentive virtual currencies provide for cybercriminals to commit attacks, and help victims quickly recover after breaches.”
The report recommends that the government standardize data on ransomware incidents and payments and establish additional public-private initiatives to investigate the ransomware economy, and that Congress support information sharing regarding ransomware attacks and payments.