Organizations worldwide were busy this weekend after Kaseya, a software provider serving more than 40,000 organizations, disclosed that it was the victim of a sophisticated cyberattack believed to have been orchestrated by REvil, a cybercriminal group operating out of Russia. The announcement comes on the heels of several high-profile ransomware attacks during the COVID-19 pandemic. Ransomware attacks traditionally involved malware that encrypts an organization’s files and systems. Over the last 18 months, however, threat actors have turned to a practice known as double extortion: the malware still encrypts files and systems, but the attacker also exfiltrates data beforehand and threatens to publish it if the ransom is not paid.
Businesses and governments worldwide are concerned about the growing trend of ransomware attacks. A recent SonicWall report states that ransomware attempts rose 116% in the first half of 2021. Another report, by Cybereason, found that “80% of businesses that choose to pay to regain access to their encrypted systems experience a subsequent ransomware attack[.]”
At the federal level, existing sanctions law already restricts some ransom payments rather than banning them outright. For instance, the Office of Foreign Assets Control (OFAC) issued an advisory late last year warning that organizations could face sanctions penalties for making ransom payments to certain sanctioned individuals or groups. Senate Majority Leader Chuck Schumer has also initiated a review to determine whether additional legislation is required. In addition to the review, Schumer appears to be seeking “a $500 million increase in the U.S. Cybersecurity and Infrastructure Security Agency’s (CISA) budget” to help it respond to high-profile incidents, including those involving ransomware.
State legislatures are also examining the issue.
New York
In New York, lawmakers have proposed two bills. The first, SB 6806, would prohibit “governmental entities, business entities and health care entities from paying a ransom in the event of a cyber ransom or ransomware attack.” The second, SB 6154, “relates to creating a cybersecurity enhancement fund and restricting the use of taxpayer money in paying ransoms.”
North Carolina
North Carolina’s HB 813 focuses on public agencies and other governmental entities. It would bar those entities from paying threat actors to release information held for ransom, and it would also clarify how agencies must coordinate with the state’s Department of Information Technology.
Pennsylvania
Pennsylvania’s SB 726 targets both sides of the transaction: it would “prohibit ... engaging in ransomware attacks and ... extorting payments to resolve or prevent ransomware attacks,” and it would bar state government agencies from paying such ransoms. SB 726 would also impose reporting deadlines after an attack: managed service providers must notify the designated state entities “within one hour of discovery,” and state agencies “within two hours.”
Texas
Texas’ HB 3892 would prohibit state agencies from making ransom payments in connection with a cyberattack. The bill also directs broader security and incident response planning across state agencies. For instance, the Department of Information Resources would be tasked with conducting a study “regarding cyber incidents and significant cyber incidents affecting state agencies and critical infrastructure” owned by the state.
The common goal of this legislation is to remove the financial incentive for threat actors by taking ransom payments off the table.
Whether legislation will reduce the ransomware risk organizations face remains to be seen. In the meantime, leaders should follow several precautions to protect against ransomware. CISA recommends that businesses:
- Never click on links or open attachments in unsolicited emails;
- Back up data regularly and keep it on a separate device;
- Segment data based on use cases;
- Practice proper cyber hygiene;
- Follow safe practices when using devices that connect to the internet;
- Restrict users’ permission to install and run software applications;
- Enable strong spam filters to prevent phishing emails from reaching the end users and authenticate inbound email to prevent email spoofing;
- Update software and operating systems with the latest patches; and
- Configure firewalls to block access to known malicious IP addresses.
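The “authenticate inbound email” item is the one on the list that is easiest to get half right: a domain publishes SPF and DMARC records, but with a permissive `+all` or a monitor-only `p=none` policy, receiving mail servers will still accept mail spoofing that domain. The following script is an added example (it is not from the original article, from CISA, or from any vendor) that parses a domain’s SPF and DMARC TXT records and flags the weak settings next to the enforcing ones. The sample records are constructed for illustration; a real check would fetch the TXT records for `example.com` and `_dmarc.example.com` and pass them in.

```python
"""Flag weak SPF/DMARC settings that let spoofed mail through.

Added example, not code from the original article or from CISA.
The DNS records below are constructed samples, not live lookups.
"""

# SPF 'all' qualifiers that admit every unlisted sender.
PERMISSIVE_ALL = {"+all", "all", "?all"}


def parse_spf(record: str) -> dict:
    """Split an SPF TXT record into its mechanisms and its final 'all' term."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    mechanisms = terms[1:]
    # lstrip removes the qualifier (+ - ~ ?) so '+all', '-all', '~all' all match.
    all_term = next((t for t in mechanisms if t.lower().lstrip("+-~?") == "all"), None)
    return {"mechanisms": mechanisms, "all": all_term.lower() if all_term else None}


def parse_dmarc(record: str) -> dict:
    """Parse 'v=DMARC1; p=...; ...' into a lower-cased tag dictionary."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags


def assess_email_auth(spf_record, dmarc_record) -> list:
    """Return a list of findings; an empty list means the domain is enforcing."""
    findings = []

    if spf_record is None:
        findings.append("SPF: no record, so any host may send as this domain")
    else:
        spf = parse_spf(spf_record)
        if spf["all"] is None:
            findings.append("SPF: no 'all' mechanism, so unlisted senders are not rejected")
        elif spf["all"] in PERMISSIVE_ALL:
            findings.append(f"SPF: '{spf['all']}' admits every sender; use -all")
        elif spf["all"] == "~all":
            findings.append("SPF: ~all is softfail; rely on DMARC enforcement or move to -all")

    if dmarc_record is None:
        findings.append("DMARC: no record, so receivers will not reject spoofed mail")
    else:
        dmarc = parse_dmarc(dmarc_record)
        policy = dmarc.get("p", "none").lower()
        if policy == "none":
            findings.append("DMARC: p=none only monitors; use p=quarantine or p=reject")
        elif int(dmarc.get("pct", "100")) < 100:
            findings.append(f"DMARC: pct={dmarc['pct']} enforces on only part of the mail stream")
        if "rua" not in dmarc:
            findings.append("DMARC: no rua= address, so aggregate reports are never received")

    return findings


# Constructed sample records: a weak pair and a corrected pair for the same domain.
WEAK_SPF = "v=spf1 include:_spf.example.net +all"
WEAK_DMARC = "v=DMARC1; p=none; pct=100"
STRONG_SPF = "v=spf1 ip4:198.51.100.0/24 include:_spf.example.net -all"
STRONG_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"

if __name__ == "__main__":
    for label, spf, dmarc in (("weak", WEAK_SPF, WEAK_DMARC), ("strong", STRONG_SPF, STRONG_DMARC)):
        print(f"[{label}]")
        for finding in assess_email_auth(spf, dmarc) or ["no findings"]:
            print("  -", finding)
```

Run against the weak pair, the script reports three problems (the `+all`, the monitor-only `p=none`, and the missing `rua=` reporting address); the corrected pair produces none. Enforcing `-all` with `p=reject` is what lets receivers actually discard mail that spoofs the domain, which is the point of the CISA recommendation.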
For the complete list of recommendations, see CISA’s Ransomware Guide. Business leaders who want to evaluate the security practices on their own networks can use CISA’s Cyber Security Evaluation Tool (CSET).