Senate report reveals gaps in data collection on ransomware payments

A new report from Senate Homeland Security Chairman Gary Peters (D-Mich.) found that the federal government lacks sufficient data on the use of cryptocurrency in ransom payments.

The report, released on Tuesday, stems from a year-long investigation into the rise of ransomware attacks and how cryptocurrencies facilitate cybercrimes.

“My report shows that the federal government lacks the necessary information to deter and prevent these attacks, and to hold foreign adversaries and cybercriminals accountable for perpetrating them,” Peters said in a statement. 

Citing experts, Peters said that ransomware attacks in 2020 increased to 150 percent from the previous year, and more than $412 million was paid to cybercriminals in ransom through cryptocurrencies.

The report also found that current government reporting of ransomware attacks and cryptocurrency is “fragmented across multiple federal agencies,” and that the lack of reliable data limits the tools needed to secure the nation against cyber threats.

The analysis also said such attacks have limited both the private sector and the federal government in assisting cybercrime victims.

“Cryptocurrencies – which allow criminals to quickly extort huge sums of money, can be anonymized, and do not have consistently enforced compliance with regulations, especially for foreign-based attackers – have further enabled cybercriminals to commit disruptive ransomware attacks that threaten our national and economic security,” Peters said. 

The senator’s investigation also found that more than 70 percent of global ransomware revenue in 2021 went to entities likely located in Russia or tied to the Russian government. 

Although the report identifies areas where federal agencies can improve, the government has over the past year stepped up its cybersecurity investment, which was expedited following the war in Ukraine. 

In the last couple months, federal agencies have invested millions in cyber technology, seized and sanctioned hacking forums, charged Russian cyber criminals, and issued frequent warnings on cyber threats. 

Lawmakers have also ramped up their efforts with the introduction of several cyber-related bills, and the passage of a new law requiring companies in critical sectors to report significant cyberattacks within 72 hours and ransomware payments within 24 hours.

The law was introduced by Peters and the Homeland Security Committee’s ranking member, Sen. Rob Portman (R-Ohio).

“My bill that was recently signed into law to require critical infrastructure to report cyber-attacks and ransomware payments will be a significant step to ensuring our government has better data to understand the scope of this threat, disrupt the incentive virtual currencies provide for cybercriminals to commit attacks, and help victims quickly recover after breaches,” Peters said. 

The report also made several other specific recommendations, including implementing a reporting mandate on ransomware attacks and payments, standardizing existing federal data on ransomware incidents, and establishing additional public-private initiatives to investigate the ransomware economy.