US lacks full picture of ransomware attacks, Senate panel finds

Federal government lacks information on how much ransom was paid by victims

Sen. Gary Peters, D-Mich., said the government doesn't have the information it needs to deter ransomware attacks and hold the perpetrators accountable. (Tom Williams/CQ Roll Call file photo)
Sen. Gary Peters, D-Mich., said the government doesn't have the information it needs to deter ransomware attacks and hold the perpetrators accountable. (Tom Williams/CQ Roll Call file photo)
Posted May 24, 2022 at 5:00am

The U.S. government lacks a complete picture of ransomware attacks that routinely cripple government and private sector networks, according to an investigation by Senate Homeland Security and Governmental Affairs Committee staff.

The report, released Tuesday, also found that the government lacks information on how much ransom was paid — typically in the form of cryptocurrencies — by victims of such ransomware attacks.

“Cryptocurrencies, which allow criminals to quickly extort huge sums of money, can be anonymized, and do not have consistently enforced compliance with regulations, especially for foreign-based attackers, have further enabled cybercriminals to commit disruptive ransomware attacks that threaten our national and economic security,” Sen. Gary Peters, D-Mich., chairman of the committee, said in a statement accompanying the report.

The investigation found the federal government “lacks the necessary information to deter and prevent these attacks, and to hold foreign adversaries and cybercriminals accountable for perpetrating them,” Peters said.

In 2021, ransomware attacks affected at least 2,323 local governments, schools and health care providers in the United States, according to the report.

“Many of these attacks generated significant losses and damages for victims,” the report said. Data from the FBI based on complaints from victims during 2018-2020 showed “a 65.7 percent increase in victim count and a staggering 705 percent increase in adjusted losses.”

In 2021, the FBI received 3,729 ransomware complaints, with adjusted losses totaling $49.2 million, according to the report.

But the data “drastically underestimates” the number of attacks and ransoms paid, and the FBI considers the numbers to be “artificially low,” the report said.

The real cost of such attacks could range from several hundred million dollars to as much as $10 billion, the report said.

In 2020, criminal gangs were said to have received “at least $692 million in cryptocurrency” as ransom payments, the report said, citing data from Chainalysis, a blockchain data and analysis company that tracks such payments. That compares with $152 million in ransoms paid in 2019, the report said.

Another study by anti-malware company Emsisoft counted 24,770 ransomware incidents across the United States in 2019, with estimated damages, including downtime losses, of “just under $10 billion,” the report said.

Legislation sponsored by Peters and the committee’s top Republican, Sen. Rob Portman of Ohio, became law as part of the omnibus spending bill that passed in March. It is intended to address such gaps in information.

The report recommended that federal agencies use a standard format to collect data on ransomware attacks and ransom payments “to facilitate comprehensive analysis.”

Congress should encourage public-private partnerships to “investigate the ransomware economy,” including the relationship between criminal gangs and cryptocurrency providers that facilitate ransom payments, the report said.

Congress and federal agencies should also encourage private and nonprofit entities to share information with the federal government on ransomware attacks and payments, the report said.