CISA: Do Not Pay Ransomware
Federal cybersecurity agency works to confront and protect against ransomware activity.
The Cybersecurity and Infrastructure Security Agency, or CISA, the nation’s lead federal agency for protecting government networks and critical infrastructure against cybersecurity threats, reminded agencies and the private sector not to succumb to paying ransoms in cyber attacks and to take much greater steps to shore up any vulnerabilities. “As last week’s ransomware attack against the Colonial Pipeline and recent intrusions impacting federal agencies demonstrate, our nation faces constant cyber threats from nation states and criminal groups alike,” said Brandon Wales, CISA’s acting director in a May 13 statement.
In a call the same day with reporters as part of a Defense Writers Group event, Wales noted that paying ransom just furthers the activities of malicious attackers. “Hundreds of millions of dollars are being paid to ransomware operators and that is feeding this business model and is causing more ransomware incidents to happen.”
As far as the case of Colonial Pipeline, which halted operations temporarily for several days due to an attack by Darkside, a malicious ransomware hacking group, Wales declined to confirm or deny whether or not the pipeline had paid a ransom, instead emphasizing that paying it only spurs nefarious activities.
“The Darkside ransomware operator is showing no signs that they are stopping what they are doing,” Wales explained. “We have consistently held that as long as the business model for ransomware remains viable it will continue to be used by adversaries. We've seen in the middle of the pandemic ransomware operators go after hospitals, with particularly egregious attacks, and then go after schools given the move to remote learning or go after manufacturing sites, local police departments, like right here in D.C., and so, this is a this is a scourge that is that is not going to be easily eradicated.”
Darkside inc., is a ransomware group with reported Russian affiliation—although Wales declined to indicate that the nation-state was behind the attacks, leaving that confirmation role to the FBI’s federal law enforcement officials who are investigating and working with Colonial Pipeline on details of the attack.
Cybersecurity company Varonis observed Darkside’s activity and said it indicates Russian ties. “Our reverse engineering revealed that Darkside’s malware will check device language settings to ensure they don’t attack Russia-based organizations,” said Snir Ben Shimol, Varonis’ director of cyber security, in a recent report. “They have also answered questions on Q&A forums in Russian and are actively recruiting Russian-speaking partners.”
Shimol explains that last August, the group announced “in a press release” their Ransomware-as-a-Service. “Since then, they have become known for their professional operations and large ransoms,” Shimol stated. “They provide web chat support to victims, build intricate data leak storage systems with redundancy and perform financial analysis of victims prior to attacking.”
The CISA acting director expects the FBI’s incident report on the Darkside attack on Colonial Pipeline to aid other critical infrastructure organizations that may not yet realize they have vulnerabilities or have been breached. “Late last night, we received some indicators of compromise from the incident at Colonial,” the acting director said. “We're working with the FBI to get that information out today. It does not tell us the complete story, but it does provide at least initial indications of where and how the attack took place.”
Wales also noted that CISA’s efforts to secure the federal government’s networks will be bolstered by President Biden’s new executive order, which gives the agency “greater visibility into cybersecurity threats, advancing incident response capabilities and driving improvements in security practices for key information technology used by federal agencies,” he said. “And because the federal government must lead by example, the executive order will catalyze progress in adopting leading security practices like zero-trust architectures and secure cloud environments.”
And while the recent National Defense Authorization Act provided CISA with “most” of the authorities the agency needs to deploy improved cyber defense technologies and to proactively look for threats in the federal space, Wales told the reporters that President Biden’s executive order provides additional resources, deemed necessary in the wake of the SolarWinds compromise—and now the Colonial Pipeline attack.
“I think this executive order is absolutely critical to our ability to continue making advancements in cybersecurity at the federal level,” Wales stated.
He sees some changes taking place almost immediately due to the executive order, such as notifications to CISA and the FBI when contractors for the federal government start to see disruptions or cyber incidents on their networks. Regarding the expanded use of multifactor authentication across the government, a measure called for by the order, Wales sees “significant” progress already.
Other efforts “are going to take time to develop and roll out new technology,” such as for the new incident logging requirements of the order. He predicted that the policy also would accelerate the cultural shift of more secure software development by the large number of vendors that provide information technology to the federal government.
The executive order also adds to CISA’s responsibilities, having the agency develop security principles for federal cloud service providers and create a federal cloud security strategy. To aid cyber incidence response, CISA will help inform contracting terms with federal contracting agencies. “We have already started working on contract language related to cybersecurity requirements for government contractors,” Wales stated. “The language in the executive order focuses, for example, on making sure that the federal government and CISA and the FBI, in particular, are notified when vendors or other contractors for the federal government have incidents. That’s directly coming from our experience with some of the challenges we had in the early days of the SolarWinds incident.”
Given that U.S. adversaries “are growing far more aggressive and far more sophisticated” in their cyber attacks, the federal government must act now, Wales stated.
“We needed the entire government to be moving in the same direction,” Wales stressed. “We needed clear direction from the White House to the federal agencies that the cybersecurity of federal systems was a priority, and to outline some of the essential steps they need to take. This executive order checks that box in a really big way, and I think it's going to be critical for our ability to work with our federal interagency partners to move to more secure networks. Using the federal government's procurement power to drive software development in a more secure direction, that will pay huge dividends for beyond the federal government for all customers of those same software and hardware vendors.”
And while the problem of ransomware and cyber attacks are very challenging, “the problem is not insurmountable.” he added.