Businesses and organizations that fall victim to ransomware attacks shouldn’t pay hackers to unlock their data and should quickly contact law enforcement, opening up the possibility of creative solutions, FBI Director Christopher Wray said.
“It’s our policy, it’s our FBI directive, that companies should not pay the ransom,” Wray told the House Judiciary Committee in a hearing Thursday.
US businesses and government agencies are reeling from recent ransomware attacks that disrupted essential services, from a major oil pipeline to a beef producer and hospitals. The attacks have sparked a nationwide debate over whether victims should pay a ransom, which can run into the millions of dollars.
The National Security Council also issued a statement saying that “the administration has been very clear: private companies should not pay ransom. It encourages and enriches these malicious actors, continues the cycle of these attacks and there is no guarantee that companies will recover their data.”
Meat producer JBS USA said it paid $11 million to criminals responsible for a ransomware attack on May 30 that disrupted operations in North America and Australia. Colonial Pipeline Co. paid $4.4 million, or 75 bitcoins, in ransom after a hack that forced it to shut down the United States’ largest pipeline on May 7, spiking gasoline prices and causing shortages at gas stations.
“The Biden administration basically winked and winked to pay off the thugs,” Rep. Steve Chabot, an Ohio Republican, said during the hearing with Wray. “Don’t we need to clarify the policy on paying criminals?”
In a separate Senate hearing Thursday, two candidates for top cybersecurity positions in the Biden administration said they, too, believed companies should not pay for hackers’ extortion demands.
“It is not appropriate to pay a ransom,” said Chris Inglis, whom President Joe Biden has appointed as national cybersecurity director. “Sadly, we are entering a place where this is the only thing that is the cure – possible to save lives or to bring back critical capabilities.”
He pleaded for companies to be held responsible “not so much for paying the ransom, but for being in a position where they had to pay the ransom in the first place – for not preparing for it.”
Voluntary guidelines don’t work
Jen Easterly, named head of the Cybersecurity and Infrastructure Security Agency, said she believed her role would be to prevent companies from falling victim to ransomware in the first place, by providing the private sector with information and “best practices to protect yourself.” However, she and Inglis agreed that simply asking companies to follow voluntary cybersecurity standards has not been effective. “It seems to me that voluntary standards probably don’t do the job and there is probably some sort of role in making some of those standards mandatory to include notification,” Easterly said.
The White House National Security Council released a statement on Wednesday saying that “the administration has been very clear: private companies should not pay ransom. It encourages and enriches these malicious actors, continues the cycle of these attacks and there is no guarantee that companies will recover their data.”
But last month Anne Neuberger, deputy national security adviser for computer and emerging technologies, told reporters that “it’s usually a private sector decision, and the administration has offered no further advice for the time being.”
Wray said attacked companies should contact the Federal Bureau of Investigation as soon as possible so law enforcement can help take action in response, potentially obtaining the encryption keys used by hackers.
JBS paid hackers $11 million
Referring to ransomware and other cyber attacks, Wray said: “The scale of this is something I don’t think the country has ever seen anything like, and it will get worse.”
The Justice Department recovered 63.7 Bitcoins that hackers stole from Colonial. Due to the decline in the value of Bitcoin since the Colonial ransom was paid, the US seizure at the end of May was worth $2.3 million, just over half of the ransom paid weeks earlier.
Dividing along partisan lines, lawmakers pursued other controversies in questioning the FBI chief.
Democrats cited apparent intelligence failures that led to the Jan. 6 attack on the United States Capitol by a host of supporters of former President Donald Trump.
Rep. Steve Cohen, a Democrat from Tennessee, asked Wray if the FBI was investigating Trump’s mob provocation, which Cohen called “Mr. Grand – No. 1.” Wray declined to comment on specific investigations.
Republicans asked Wray if what they called Biden’s “open border” with Mexico was causing a wave of criminals and potential terrorists crossing the southern border. Wray said he should get back to lawmakers with specific information.
(Updates with comments from Biden’s cyber nominees from the sixth paragraph)
–With help from Rebecca Kern and Jennifer Jacobs.
Top photo: Christopher Wray, Director of the FBI
Copyright 2021 Bloomberg.