Ransomware tools are opening up the field to a growing number of less tech-savvy actors even as many ransomware operations have increased in sophistication, DHS Assistant Secretary for Cyber, Infrastructure, Risk and Resilience Iranga Kahangama told Congress.
“I think it’s appropriate to liken a ransomware organization almost to a modern-day mob or mafia,” Kahangama said June 28 at a Michigan field hearing of the House Homeland Subcommittee on Intelligence and Counterterrorism on combating ransomware. “It’s very large structures. There is something called ransomware as a service, in which you break up a ransomware attack into different parts. There is initial access. There is deploying malware. There’s getting the money. These are kits that you can literally buy online. And as a result, anyone with very basic technical knowledge can become a ransomware operator, unfortunately. And so with this lowest common denominator environment, you have a proliferation of individuals who are seeking to conduct these attacks.”
“And the fact is that they like to do one of these and two of these in very small increments, in order to not go on the radar, to be undercover a little bit,” he added. “And so I think you have ransomware actors growing in terms of their sophistication, but at the same time the tools they have are becoming quite basic. And so you have very low-level people conducting these attacks at a much higher frequency, with a wide availability of these tools. So it’s a growing issue.”
Cybersecurity and Infrastructure Security Agency Deputy Executive Assistant Director for Cybersecurity Matt Hartman told lawmakers that the Cyber Incident Reporting for Critical Infrastructure Act recently passed by Congress is “going to be monumental in terms of the federal government being able to understand what is happening from a ransomware and a broader cybersecurity perspective, and cyber incident perspective, as well as take action as a U.S. government to deter future attacks.”
“With respect to the implementation of the legislation, we are in the process of a very thorough and rigorous rulemaking process,” he said. “We intend to really find the sweet spot between in implementation between defining the types of incidents that need to be reported to the federal government and when, to allow victim organizations to focus on restoring their systems and data, but also in sufficient time providing the information to the federal government so we can limit the impact of a potential campaign and help the broader community.”
DHS intends to finish that rulemaking within 24 months and work with partners at the FBI to “make sure that when CISA receives information about ransomware or other cybersecurity incidents from all sectors, that we are quickly sharing that information back with the FBI, with the Sector Risk Management Agency from any of the 16 sectors, and with appropriate state and local authorities so that we as a community can take action to combat this problem.”
Kahangama, who used to be director for cyber incident response at the National Security Council, started at the Department of Homeland Security in May.
“We want to minimize the risk posed from cyberattacks, and we want to ensure the resilience of critical services that are provided to this country,” Kahangama said.
Ransomware attacks, he stressed, “do not discriminate: They target large and small targets, whether it’s large corporations, small and medium enterprises, hospitals, local governments or schools.” And often, “the cost of cleaning up an attack can be more expensive than paying the ransom itself or to provide mitigating services beforehand.”
DHS is “rapidly increasing our ability to investigate cryptocurrency because it is the preferred payment method for ransomware actors,” he said, with the department “actively getting tools and learning how to track and trace cryptocurrency so that we can better…
Read More: Ransomware Actors with ‘Very Low-Level’ Skills Committing More Attacks, DHS Official Says