The government’s still mostly in the dark on ransomware | #malware | #ransomware | #hacking | #aihp

Below: The annual Verizon data breach report is out today with some surprising conclusions, and hackers compromised an online wedding registry and stole a couple’s gifts.

The government may only be made aware of one-fourth of ransomware attacks

The government is largely in the dark when it comes to the scale of ransomware attacks pummeling schools, local governments and businesses, a congressional report out this morning warns. 

Government officials don’t reliably know how many attacks there are, how badly those attacks are hurting victims or how much victims are paying to rid themselves of the malicious software that locks up their computers and data. That’s the troubling assessment of a 10-month investigation by Democratic staffers on the Senate Homeland Security Committee. 

How opaque is the ransomware threat? The report cites an estimate by the Cybersecurity and Infrastructure Security Agency (CISA) that only about one-quarter of ransomware attacks are ever reported in a way that comes to the government’s attention. 

That paucity of data is having real impacts — making it tougher for law enforcement to investigate attacks, limiting how other agencies help victims and making it tougher to help companies more broadly defend themselves against the most dangerous hacking threat in decades, the report finds.  

• “My report shows that the federal government lacks the necessary information to deter and prevent these attacks, and to hold foreign adversaries and cybercriminals accountable for perpetrating them,” said Sen. Gary Peters (D-Mich.), chairman of the Homeland Security Committee.

The report is the latest in a series of alarms about the scale of the ransomware threat and government’s limited ability to combat it. 

The attacks have seized Washington’s attention more than any previous brand of cyberattack — largely because of their ability to seize up major companies with dramatic consequences for national security and the economy. The 2021 attack on Colonial Pipeline was the most prominent example, which threatened U.S. gas supplies and prompted panic buying. 

Such attacks are likely to become even more common, the report warns — especially if the Kremlin turns to Russian ransomware gangs to help fund its ailing economy, which is suffering under international sanctions imposed after the Ukraine invasion. 

• The pace of ransomware attacks has almost certainly shot up dramatically during the past year, according to numerous industry projections and hacks reported to the FBI.
• A comprehensive annual report from Verizon also released this morning, found ransomware attacks had roughly doubled as a percentage of breaches tracked by the company. Ransomware accounted for about 25 percent of all breaches in 2021 compared with about 12 percent in 2020.
• “We don’t really see a ceiling,” Alex Pinto, director of the Verizon team that produced the report, told me, noting that ransomware attacks are more lucrative than any previous form of financially motivated cybercrime.

Government has made some progress at getting its arms around the threat. 

• Most notably, in March Congress passed a bill requiring some companies to report to CISA when they pay a ransom to hackers. Peters sponsored the Senate version of that bill with the Homeland Security Committee’s top Republican Sen. Rob Portman (Ohio).
• But that law will only apply to companies in sectors critical for national security, such as transportation, finance and energy. It also may be more than a year before CISA rolls out the final regulations, though Peters previously told me he expects the rules to come out sooner rather than later.

• The report cites major barriers to financial regulators tracking payments in cryptocurrency — which accounts for the vast majority of ransomware payments.
• From the report: “The lack of data on ransomware attacks and cryptocurrency ransom payments blunts the effectiveness of available tools for fighting ransomware attacks including U.S. sanctions, law enforcement efforts, and international partnerships, among other tools.”
• The report stops short of recommending specific reforms to cryptocurrency markets. But it urges additional investigations on the topic — ideally established by Congress and conducted by a mix of government and industry officials.

The report also chides federal agencies for a “fragmented and incomplete” approach to collecting and analyzing the ransomware data that is out there. 

It calls for standardizing how that data is organized and formatted so it’s easier for agencies to share apples-to-apples information about ransomware and make better-informed policy decisions. 

A former Pentagon cyber official’s security clearance became an issue at a Republican primary debate

Rep. Nancy Mace (R-S.C.) blasted Republican challenger Katie Arrington during a debate yesterday for having her security clearance suspended when she was a top cybersecurity official at the Defense Department. Arrington responded by saying she was a “victim of a political hit job” and that Mace was lying. Her response was met with heckling by the audience, including by one person who yelled, “you’re a liar.”

Arrington, who played a key role in helping reduce foreign hacking threats in Pentagon acquisitions, is one of a handful of Trump administration cyber officials who’s remained tightly tied to the former president. She’s  positioning herself as a Donald Trump-endorsed candidate to challenge Mace, who Trump endorsed in 2020. 

The Pentagon accused Arrington of improperly disclosing classified information and pulled her security clearance shortly before she left the Pentagon job to run for Congress. The issued stemmed from a top-secret briefing from an intelligence officer who shared the name of a contractor that was facing problems, Arrington told the Associated Press. Arrington subsequently briefed a supervisor and offered her assistance to the company, she told the outlet. 

• The intelligence officer said they never worried about Arrington’s handling of classified information and didn’t understand what rule Arrington allegedly violated, according to a sworn affidavit she gave the AP.

Mace has called for Arrington to take a polygraph test about her security clearance loss, the AP reported. Arrington rebutted by saying she would take a polygraph test when Mace, who supports legalizing cannabis, takes a drug test. (Scientists are skeptical that polygraphs are effective.)

Hacked wedding registry company Zola promises to refund customers

Zola customers complained that hackers stole thousands of dollars from their credit cards and wedding gifts after breaching their registry accounts, Motherboard’s Lorenzo Franceschi-Bicchierai reports. 

• One couple told Motherboard they saw “$1,000 stolen from a cash fund within Zola and our credit card information was stolen and used to purchase $675 in gift cards from the Zola website.”
• Another victim said a hacker “charged thousands of dollars on my credit card beyond the max limit and potentially can steal wedding funds if this isn’t resolved by Wednesday.”

Zola responded by resetting all passwords. The hackers breached the accounts by reusing stolen passwords they found online, the company told Motherboard.

“Ultimately, fewer than 0.1 percent of all Zola couples were impacted,” and all of those couples “will be fully refunded in every way,” Zola spokesperson Emily Forrest told Motherboard.

Hacks have changed dramatically since 2008, Verizon says in its 15th annual report

Verizon’s Data Breach Investigations Report out this morning highlights how the landscape of cyberattacks has changed over the last decade and a half. 

• Hacktivism was the second most common motive for hackers as recently as Verizon’s 2015 report, but it’s an afterthought in 2022, Verizon says. Hacking for espionage purposes, meanwhile, has been in second place for years.
• Payment card data was the most commonly compromised item in 2008. Now, email addresses and passwords are most often stolen.
• Hackers from outside an organization are consistently more likely to cause mischief than malicious insiders, the report says. In 2008, the cybersecurity world thought insider threats outnumbered external ones, according to the report.

D.C. attorney general sues Zuckerberg over Cambridge Analytica scandal (By Cat Zakrzewski)

DOD not meeting same standards it plans to hold contractors to under CMMC (FedScoop)

Jurors hear contrasting stories about FBI handling of Trump-Russia secret server claims (Politico)

The hypnotherapist and failed politician who helped fuel the never-ending hunt for election fraud in Wisconsin (ProPublica)

Advocates urge Amazon to drop controversial DHS surveillance program (CyberScoop)

FBI Wiretap Opens Window To Murderous Drug Gang—And A Crucial Flaw In Snapchat Privacy (Forbes)

Senators push for $300M boost to TMF (NextGov)

Pentagon seizes foreign reporter’s phone during official travel (Politico)

GM credential stuffing attack exposed car owners’ personal info (Bleeping Computer)

• A House Oversight and Reform Committee panel holds a hearing on the Technology Modernization Fund on Wednesday at 10 a.m.
• Undersecretary of Commerce for Industry and Security Alan Estevez speaks at an event hosted by the Atlantic Council and Krach Institute for Tech Diplomacy at Purdue on Wednesday at 10 a.m.
• FBI Director Christopher A. Wray testifies before a Senate Appropriations Committee panel’s hearing on Wednesday at 2 p.m. 
• Lt. Gen. Michael S. Groen, who leads the Pentagon’s Joint Artificial Intelligence Center, speaks at an Atlantic Council event on Wednesday at 2:30 p.m.

From the BBC: “This is the Kola Superdeep Borehole, the deepest manmade hole on Earth and deepest artificial point on Earth… so deep that locals swear you can hear the screams of souls tortured in hell.” Thanks for reading. See you tomorrow.