It can start with something as simple as an email. The recipient clicks on a link or downloads an attachment, and an attacker has a foothold in the IT systems. From there the attacker can escalate access to different systems and then eventually encrypt and exfiltrate the data and hold it for ransom.
In the second quarter of 2023, 1,378 organizations were named as victims on ransomware data-leak websites – a 64% increase from the record-breaking number of victims (838 organizations) named in the previous quarter. To gain a better understanding of the impacts of ransomware, particularly on businesses and critical infrastructure, as well as policy recommendations for mitigating these impacts, the House Oversight Subcommittee on Cybersecurity, Information Technology, and Government Innovation and Subcommittee on Economic Growth, Energy Policy, and Regulatory Affairs held a joint subcommittee hearing on combating ransomware attacks.
Grant Schneider, Senior Director of Cybersecurity Services at Venable, LLP, laid the groundwork for the hearing in his testimony, describing ransomware attacks in broad terms. He discussed why ransomware attacks have grown in frequency and scale in recent years, testifying that “more critical services and sensitive data have moved to an internet accessible environment. Correspondingly, ransomware actors have increased access to technical capabilities, anonymous payment systems, and safe havens from which to operate.” While answering questions from subcommittee members, Schneider also described how ransomware groups are operating increasingly like business enterprises, providing Ransomware-as-a-Service to other criminal organizations and investing in their capabilities to be able to hit more high value targets. These tactics have increased the prevalence of ransomware attacks.
During his testimony and questioning, Schneider also provided recommendations for mitigating ransomware attacks, including implementing phishing-resistant multi-factor authentication, developing tools and procedures for backups and recovery, encrypting data at rest and in transit, and implementing other cybersecurity measures. While none of these solutions are glamorous, they are necessary steps and need to be done consistently. He also stated that an update to the Federal Information Security Management Act of 2002 (FISMA) would be timely, in addition to adequate funding and focused leadership.
Dr. Lacey Gosch, Assistant Superintendent of Technology at the Judson Independent School District, and Dr. Stephen Leffler, President and Chief Operating Officer at The University of Vermont Medical Center, also testified. Their testimonies focused on the impact of ransomware attacks on their organizations, highlighting that whether or not victims choose to pay the ransom, these attacks are still incredibly costly. These costs stem from the need to rebuild digital infrastructure, the loss of business, and any stopgap solutions the victims may need to put in place.
Sam Rubin, Vice President and Global Head of Operations of Palo Alto Networks Unit 42, provided a deeper dive into the technical aspects and statistics of ransomware. He highlighted the need to take preventive steps to address the impacts of ransomware, using both traditional cybersecurity solutions and more innovative AI tools for detection; however, many organizations do not have the funds to adequately invest in these solutions. Government and other grants are important to fill these gaps and ensure broader cybersecurity.
Ransomware attacks are quickly growing and evolving, becoming a bigger threat to businesses, governments, and critical infrastructure, and requiring more action from the government. As Grant Schneider testified: “Given these dynamics for victims, ransomware remains a pernicious and prevalent threat to large and small businesses, public sector entities, and critical infrastructure organizations. In short, it’s bad. That said, there is hope. The U.S. – through the Department of Justice – has invested heavily in disrupting ransomware activities across the globe. Cybersecurity luminaries have partnered with policy professionals to propose legal and policy updates that will empower law enforcement officials and other cyber defenders to pursue these bad actors and build resilience across our digital ecosystem. We must continue to develop these ideas while collaborating with companies and public sector entities to harden their networks and protect their data.”
A recording of the hearing can be watched here.