Why Government Isn’t the Primary Target for Ransomware

(Illustration: Shutterstock)

(Illustration: Shutterstock)

Though the Federal government has certainly experienced ransomware attacks, experts speaking at the Armed Forces Communications and Electronics Association (AFCEA) Cybersecurity Summit on Tuesday explained that it is not the primary target for ransomware hackers.

“Is the U.S. government a target of those attacks? Absolutely. However, there may be reasons why they are not as susceptible as some of the private sector folks,” said Jeffrey Coburn, unit chief of Major Cyber Crimes at the FBI.

One of those reasons is a lack of financial motivation, as the government is more likely to have policies against paying the ransom at all.

“These particular bad actors, they are going after money. They’re financially motivated, they’re going after who they think are going to be able to pay them money,” Coburn said. He said that the FBI policy was to not pay ransomware hackers, as there can be equal or greater negative consequences to paying.

“There are some ramifications if you pay: you could be paying to a criminal enterprise, you could be paying funds to a terrorist enterprise,” said Coburn. “Another consequence, and we have seen this happen, is an individual or a company will pay the ransom, they will get the token that should unencrypt, and then they find that the token does not actually unencrypt. In another instance, we’ve actually seen when a ransom was paid, they tried to obtain the token, the bad guys are bad guys for a reason, and said ‘Oh that’s not enough money, we’re going to need a bit more money.’ Or they get reinfected.”

Frank Konieczny, chief technology officer of the U.S. Air Force, “doubt[s] the Air Force would ever pay” in the case of a ransomware attack, in part because they keep separate backups of most of their data. He also said that the government overall should have a policy about when to pay and not to pay ransoms.

“Normally we don’t pay ransoms, and so that would have to be a policy, basically,” Konieczny said. “But to enforce that policy you have to make sure that you have the necessary prevention method in place. I mean, that’s always the issue that you’re going to have.”

According to Coburn, those prevention methods are for the most part simple and straightforward to implement.

“Some of the simplest things are also the ones that are going to keep you most protected: having a backup of your system, and not only having a backup but testing your backup to make sure that it can actually be restored, having software in place such as firewalls and anti-virus scanners that are going to stop the malware from ever intruding and getting into your system,” Coburn said. “These are some simple steps. Also, you can implement some user-level privileges.”

“You have to look at the problem assuming that it is going to happen,” agreed Bob Gregg, CEO of ID Experts.

Though the panelists provided many ways that the government is working to prevent ransomware attacks, Coburn explained that prosecuting the hackers responsible is more complicated.

“They’re not coming from your backyard; they’re not coming from the United States, more than likely,” Coburn said. Even when these hackers can be identified, if they live in a country that doesn’t have prosecutorial agreements with the United States, there is little the government can do to combat the hackers through legal means.

Jessie Bur
About Jessie Bur
Jessie Bur is a Staff Reporter for MeriTalk covering Cybersecurity, FedRAMP, GSA, Congress, Treasury, DOJ, NIST and Cloud Computing.
  1. Anonymous | - Reply
    Ransomware was a game changer for the cybercriminals. It took the cyberattacks to the next level as it made the cybercrimes economically beneficial. According to statistics, the ROI for a cybercriminal from ransomware is 1500%. A ransomware kit costs (estimated figures) about $5,900 and the buyer can make up to $90,000 within a month of operation. That explains the recent popularity behind ransomware. Any industry which uses connected networks to operate is a potential target for a criminal who has a ‘ransomware kit’ in his bag. The list includes Health sector, energy sector, financial sector, and Universities. https://cyware.com/journal/menace-ransomware-cryptodrop-solution/
  2. Anonymous | - Reply
    Good, thanks. Also from that session: They said there are 4,000 ransomware attacks every day. (But they didn't define "attack". E.g., if a ransomware virus is sent to 1M email users, is that one attack or 1M attacks, or based on the number of successful infections?) Ransomware had focused on Financial Services / Banking targets, but that sector has tightened security. The ransomware target is shifting to Healthcare, since it is more distributed and less secure, and patient-care is urgent and time-critical. The greatest risk is to their internet-facing systems; the backend systems (e.g., that operate the Cat-Scan) are not exposed, not at risk. The panel was not aware of zero-day vulnerabilities being the basis of ransomware attacks. A new thing is Ransomware as a Service, where any attacker can use that RaaS as a platform for attacking the victims, and they then split the ransom payoff with the RaaS provider. The ransomware attacks are financially motivated (to obtain the ransom payout), not done to be destructive to the victim's computers. Kit Lueder kitdaddio@yahoo.com

Leave a Reply