A Justice Department official warned a Senate subcommittee that it is "hard to overstate" ransomware's impact on victims, amplifying the need for legislative solutions like a recently introduced botnet bill lauded by security professionals also testifying at Wednesday's hearing.
The Botnet Prevention Act of 2016, which aims to disrupt the use of botnets by cybercriminal groups, played front and center at the Senate Judiciary Subcommittee on Crime and Terrorism hearing as the industry struggles to combat what Citi's Global Head of Information Security Charles Blauner termed "vast botnet armies of infected computers."
The proposed legislation, co-sponsored by subcommittee chairman Sen. Lindsey Graham (R-S.C.), Ranking Member Sen. Sheldon Whitehouse (D-R.I.), and Sen. Richard Blumenthal (D-Conn.), and introduced Monday, was initially considered by Sens. Graham and Whitehouse almost two years ago.
Citi's Blauner, testifying on behalf of the American Bankers Association (ABA), told SCMagazine.com in emailed comments that the bill "would provide important, additional protections, and would update the criminal code with improved legal tools to stop criminals and foreign agents from leveraging botnets and attacking our critical infrastructure."
Wednesday's hearing marked the Senate's focus on ransomware following a dramatic spike in attacks this year that have targeted hospitals and medical facilities, leaving them in a bind and at least considering meeting cybercriminals' demands.
“Unfortunately, many victims today lack reliable options for quickly restoring their systems that do not involve paying the ransom,” DoJ Acting Deputy Assistant Attorney General Richard Downing said.
Charles Hucks, executive director of technology at Horry County Schools, recounted a ransomware incident that paralyzed the school district in February. The technology group received a call from a teacher who could not access her documents or presentations; all of her files had the filename extension .encryptedRSA. “Within a matter of minutes another call from another school with the same problem was received, then another — and it became terrifyingly clear what was happening,” Hucks said. “We had been hit by a ransomware attack and this time it was spreading like wildfire throughout our 52 schools, central offices and hundreds of servers.”
He said the school district decided to pay the ransom to restore access to data “more quickly than was possible via backup restoration.” According to a CNN report, the South Carolina school district paid approximately $10,000 to the attackers' Bitcoin account.
During hearing testimony, Crowdstrike Vice President of Intelligence Adam Meyers strongly warned against paying ransom. “Threat actors have likely taken note that victims such as hospitals have paid ransoms in the tens of thousands of dollars in order to recover their data, prompting them to look for other victims who provide critical services to target,” he said. “As long as victims continue to pay these ransoms, these malicious actors will continue to be emboldened to operate.”
During testimony, ABA's Blauner noted the use of botnets by criminal groups in targeting victims, especially the financial sector. “The use of botnets by criminals and nation states to deploy malware, including ransomware, is becoming more prevalent and complex,” he said.
“While the threat detection, information sharing, and incident response capabilities of our sector make us well-positioned to withstand attacks, we must also increase the likelihood that our attackers will be held accountable and be subject to real consequences,” Blauner said during the subcommittee hearing.