Last week, an advisory warning from the FBI and the Cybersecurity and Infrastructure Security Agency recommended that businesses be vigilant about possible ransomware attacks over Labor Day weekend. The warning was issued not because of a specific threat but because several major ransomware attacks this year have happened on holiday weekends.
Ransomware attacks are far more prevalent this year. According to data reported by the FBI's Internet Crime Center (IC3), the number of reported ransomware incidents was 2,474 in 2020. In the first seven months of 2021 alone, there have been 2,084 ransomware complaints with $16.8 million in reported losses.
Understanding the prevalence of a particular type of crime enables those directing law enforcement to establish where the best use of valuable resources should be deployed. However, the numbers reported in 2021 do not even appear to scratch the surface of ransomware attacks that took place, as the FBI has been involved in some of the largest ransomware demands ever posted this year.
The threat overview detailed in the warning includes examples of attacks that have taken place over holiday weekends. The Colonial Pipeline was attacked by cybercriminals – attributed by the FBI to the DarkSide group – on May 7 (Mother's Day), resulting in the company paying $4.4 million. Then on May 30 (Memorial Day), JBS USA, a food processing company, fell victim to a cyberattack that caused the company to handover $11 million to the perpetrators, whom the FBI identified as Sodinokibi and the REvil ransomware-as-a-service group. (The Kaseya ransomware attack also took place on a holiday weekend – Independence Day – but the company said it didn't pay the ransom.)
There are other notable attacks in which the victims have shared details with the FBI and which alone far exceeded $16.8 million. For instance, the attack on CNA Financial involved a $40 million payout to the hackers involved. In just these three examples, the payments to cybercriminals total $54.4 million. All of these incidents have been attributed by, or reported to, the FBI.
The result of this understated number is that law enforcement may not give the attacks the attention they deserve, as the data does not accurately capture the vast number of attacks that actually happened. It may even create a false sense of security for companies and organizations as they try to understand what they need to protect against.
Moreover, when legislators and politicians examine the data put in front of them, it's important that it represents a close approximation of reality so that informed decisions can be made on how to deploy law enforcement resources to tackle the issue effectively. So it's head-scratching that the data shared by the FBI doesn't reflect some of the major attacks this year. The problem may be that victims are not reporting the issue directly to the IC3, even though it's a division of the FBI. For the sake of everyone, that is an issue that needs to be addressed.
Australian politicians are currently considering legislation that will require any company or government agency to notify the Australian Cyber Security Centre before making a ransomware payment in response to an attack. The Ransomware Bill would mandate that the notification would include the specifics of the cryptocurrency wallets and other key details that will be deidentified and shared with other agencies. This is a big step in the right direction and one that other countries should emulate.
Mandatory reporting of payments to cybercriminals would provide a full picture of the ransomware attacks and the subsequent losses incurred by an organization that paid the demand. More importantly, it would give companies a full understanding of the risks to their business and politicians the data to understand the severity of ransomware attacks and how much it's costing us. This information could help prevent many more attacks and one day make CISA/FBI warnings about holiday weekends a thing of the past.