DHS: Over 300 incidents of ransomware on federal networks since June
- By Sean Lyngaas
- Mar 30, 2016
There have been 321 incident reports of "ransomware-related activity" affecting 29 different federal networks since June 2015, according to the Department of Homeland Security. The numbers indicate that a form of malware that has done high-profile damage in the private sector is a threat to government computers as well.
DHS relayed the information in a letter to Sens. Ron Johnson (R-Wis.) and Tom Carper (D-Del.) after the senators inquired about the spread of ransomware, which encrypts a computer user's data until hackers are paid off, usually via crypto-currency.
Not all of the 321 incident reports involved a computer being infected with ransomware, according to DHS – some were phishing emails or ransomware that was thwarted by an agency's security operations center.
"In the cases where agency systems were confirmed to be infected with ransomware, the majority of infections affected end-user workstations," the letter said. "In all cases, the system was removed from the network and replaced with a new, clean system with minimal impact to the user and agency." DHS officials said they were unaware of cases in which federal agencies paid off hackers to remove ransomware.
The reports of ransomware came through either the DHS-backed intrusion detection program known as Einstein or other incident reports, the department added.
Johnson and Carper, chairman and ranking member of the Senate Homeland Security and Governmental Affairs Committee respectively, last December requested details on federal efforts to combat ransomware. Carper posted the agencies' responses to his website on March 30.
Since 2005, the FBI's Internet Crime Complaint Center has received 7,694 ransomware complaints totaling $57.6 million, DOJ said in its response. It is, however, difficult to pinpoint the cost of ransomware attacks because victims sometimes put a price on encrypted data based on its perceived value, wrote Peter Kadzik, assistant attorney general for legislative affairs.
The two departments work closely together on ransomware: the FBI shares information about compromised U.S.-based websites with DHS' U.S. Computer Emergency Readiness Team to notify ransomware victims.
Cooperation gets trickier outside the country. "One of the biggest obstacles with foreign law enforcement cooperation is that cyber crime laws vary by country," Kadzik wrote. "In some places, if there is a lack of victims in the actors' home country it is difficult to take any legal action against the suspect."
The agencies' letters leave unanswered the question of how many "ransomware-related viruses" DHS and DOJ are tracking.
DHS said its tracking scheme "does not currently allow for the calculation of the number of ransomware variants." The DOJ's response to the question is redacted because, spokesman Peter Carr told FCW, it contains "law-enforcement sensitive information."
Sean Lyngaas is an FCW staff writer covering defense, cybersecurity and intelligence issues. Prior to joining FCW, he was a reporter and editor at Smart Grid Today, where he covered everything from cyber vulnerabilities in the U.S. electric grid to the national energy policies of Britain and Mexico. His reporting on a range of global issues has appeared in publications such as The Atlantic, The Economist, The Washington Diplomat and The Washington Post.
Lyngaas is an active member of the National Press Club, where he served as chairman of the Young Members Committee. He earned his M.A. in international affairs from The Fletcher School of Law and Diplomacy at Tufts University, and his B.A. in public policy from Duke University.
Connect with Lyngaas on Twitter: @snlyngaas.