Ahead of Hearing, Committee Releases New Staff Memo on Ransom Attacks on U.S. Companies

Washington, D.C. (November 16, 2021)—Today, Carolyn B. Maloney, Chairwoman of the Committee on Oversight and Reform, released a supplemental memo providing new insights into how the high-profile ransomware attacks on CNA Financial Corporation (CNA), Colonial Pipeline Company (Colonial), and JBS Foods USA (JBS) unfolded, and how legislation and policies responses may be developed to counter the threat of ransomware.

In June 2021, the Committee launched an investigation into ransomware attacks and U.S. companies' payments of ransom to cybercriminals. As part of this investigation, the Committee sent letters to companies that were the victims of some of the most prominent ransomware attacks of the past year, including CNA Financial Corporation, Colonial Pipeline Company, and JBS Foods USA.

Today's supplemental memo reveals the findings of the Committee's investigation, including:

1. Small lapses led to major breaches. Ransomware attackers took advantage of relatively minor security lapses, such as a single user account controlled by a weak password, to launch enormously costly attacks. Even large organizations with seemingly robust security systems fell victim to simple initial attacks, highlighting the need to increase security education and take other security measures prior to an attack.

1. Some companies lacked clear initial points of contact with the federal government. Depending on their industry, companies were confronted with a patchwork of federal agencies to engage regarding the attacks they faced. For example, two companies' initial requests for assistance were forwarded to different FBI offices and personnel before reaching the correct team. Companies also received different responses on which agencies could answer questions as to whether the attackers were sanctioned entities. These examples highlight the importance of clearly established federal points of contact.

2. Companies faced pressure to quickly pay the ransom. Given the uncertainty over how quickly systems could be restored using backups and whether any sensitive data was stolen, the companies appeared to have strong incentives to quickly pay the ransom. This pressure was compounded by attackers' assurances that payment of the ransom would resolve the situation and avoid negative publicity for the company. For instance, after the initial hack of JBS, REvil told the company, "We can unblock your data and keep everything secret. All we need is a ransom." Further examination is needed of the factors encouraging ransom payments, including the role of cyber insurance and the costs companies can face even after paying a ransom, especially when the cybercriminals fail to deliver on their promises.

Click hereto read today's memo.

Click hereto watch the Committee hearing.

###