Ransomware Threat Could Mean Agency Investments: This Is IT

Ransomware is a growing concern, according to a panel of intelligence community experts during the Cybersecurity and Infrastructure Security Agency’s third annual National Cybersecurity Summit on Sept. 16. To address the increase in attacks, agencies are likely to require contractor help.

Ransomware is a type of malicious software, or malware, that holds data for ransom. Some of the most famous ransomware attacks, such as WannaCry in May 2017 and Petya in June 2017, held data ransom for around $300 transferred using cryptocurrencies, particularly bitcoin. The purpose of such small ransom amounts is to make it easier to pay the ransom than find another means of retrieving the data while also targeting enough systems that the total payout is large. Requesting the money in bitcoin is common as it helps protect the criminals from being traced.

The attack landscape has changed since 2017. There are more events, new tactics, and more money is at stake. Some attackers require payments in the millions of dollars, according to supervisory special agent at the Federal Bureau of Investigation Jonathan Holmes, during Wednesday’s panel that focused on trends and the challenges of ransomware. The new tactics include ransomware organizations working together as cartels to share tactics and techniques and bad actors expanding the consequences of not paying the ransom. Originally, if the ransom wasn’t paid, the data would be lost. Now, the criminals may threaten to release the data publicly to embarrass the data owner, release personal information about customers or clients of organization, or reveal organization secrets.

This puts healthcare and government organizations at particularly high risk. Not only are healthcare and government data often highly sensitive with significant consequences associated with losing them entirely, the prevalence of legacy systems brings a higher risk of successful attacks against the systems since they are run on outdated software that is no longer supported by the providers and no longer receives patches. Custom software can be vulnerable as well, due to the lack of maintenance and updates that are often associated with bespoke or proprietary software.

Covid-19 brings additional concerns due to the economic impacts. The unemployment rate was 8.4% in August 2020, up from 3.5% in February and peaking at 14.7% this year in April, which may make it more appealing to commit one of these crimes. In addition to people having a greater incentive than previously, ransomware is easy for anyone to use. An individual can purchase “ransomware as-a-service” to perform the attack, and pay the ransomware developer a cut of the profits, according to Mike Moran, special agent with the U.S. Secret Service. The ransomware owners even have a help desk for users who are having trouble using their malware.

Response Strategies

Federal agencies can reduce the chances of ransomware attacks through better cyber defense strategies, according to draft standards documents released this year by the National Institute for Standards of Technology on ransomware identification and protection, detection and response, and recovery.

Cyber defense strategies include asset inventory; vulnerability identification and analysis; asset, data, and infrastructure protection; system backups and use of cloud storage; updating and patching systems; and education and outreach. The three main strategies for the intelligence community, according to Holmes, are to hold the bad actors accountable, target the criminal ecosystem, and outreach and education including making it clear that the incentive to use ransomware will remain high if the victims pay the ransom fees.

Agencies are likely to require contractor assistance in these and other areas. When it comes to investigations, contractors may be needed to help track emails and transactions in cryptocurrencies, so knowledge of Blockchain technologies would be valuable.

Agencies would also benefit from retiring antiquated systems that no longer receive support, including patches and other updates, especially those that store sensitive or important data. For example, in the WannaCry attack, UK healthcare system MRI machines that ran on old systems were attacked. Agencies that modernize systems and use off-the-shelf software that can be automatically updated and patched will reduce the risk of ransomware attacks.

The Current Ransomware Market

It’s difficult to identify ransomware-specific agency spending because of the overlap with other malware and cybersecurity threats and because it’s likely that many of the opportunities will be with the intelligence community or will be designated for classified work. Finding legacy systems would also be a clue into what is needed in this market, which further broadens the market.

Bloomberg Government data reveals $51 million in contract obligations since fiscal 2016 that specifically mention malware or ransomware, not including names of companies that provide anti-ransomware software or malware support software. That said, the contract obligations alone don’t provide a full definition of the ransomware market nor limit the types of technologies agencies can use to address the threat.

Cloud and backup services will be required to better protect government data and agencies will need to use analytics capabilities to identify vulnerabilities and information security to address those weaknesses. Knowledge of Blockchain could be needed as well. Together, those markets are billions of dollars annually. Not all the contracts and task orders are relevant to protecting against ransomware, but many of the capabilities captured in those markets could be applied to this threat. Agencies have also spent $4.3 billion on legacy hardware, software, and support during that time frame, for systems that could be at higher risk of a ransomware attacks and those that may need to be modernized or patched.

What’s Ahead

If trends in ransomware attacks continue, agencies will want to invest more in protecting their data, with an emphasis on data about Americans and data on classified and sensitive networks. Agencies that are likely most in need of ransomware-related support are the departments of Defense, Homeland Security, Veterans Affairs, Justice, and Health and Human Services due to them either housing vast amounts of medical data or focusing on investigations.

There are currently eight open, active solicitations that have a ransomware-related component to them, ranging from protecting against malware and minimizing the effects of ransomware to training and workshops. Clients can save the search and set an alert for any upcoming solicitations.

Note: This Is IT is a weekly column by Bloomberg Government focused on information technology matters affecting government contractors.

To contact the analyst on this story: Laura Criste in Salt Lake City, Utah at lcriste@bgov.com

To contact the editors responsible for this story: Daniel Snyder at dsnyder@bgov.com; Jill Oleson at joleson@bloombergindustry.com