In brief
- Companies have already paid at least $90 million in Bitcoin for ransomware payments this year.
- Rep. Carolyn Maloney is concerned that ransomware payments encourage more attacks on US infrastructure.
US Representative Carolyn Maloney (D-NY), who chairs the House Committee on Oversight and Reform, is putting two recent ransomware victims on the hot seat.
In letters today to Colonial Pipeline and CNA Financial, Chairwoman Maloney asked for details about payments the two companies reportedly made to hackers who took control of their computer networks in May and March, respectively.
“I am extremely concerned that the decision to pay international criminal actors sets a dangerous precedent that will put an even bigger target on the back of critical infrastructure going forward," she wrote.
NEW: @OversightDems Chair @RepMaloney sent letters to Colonial Pipeline Company and CNA Financial Corporation requesting documents regarding their decisions to pay ransoms following recent ransomware attacks.
— Oversight Committee (@OversightDems) June 3, 2021
Maloney's missives reflect how ransomware attacks, and the cryptocurrency payments they often induce. have become a political issue.
The US Department of Justice today announced it would treat such attacks with the same urgency as it treats terrorism. And a Biden administration spokesperson yesterday said it was looking to expand cryptocurrency tracing as a countermeasure. Bitcoin and other cryptocurrencies, most notably privacy coin Monero, are used to facilitate the majority of ransoms as they can operate outside tightly regulated financial spheres.
Hacking groups have already raked in over $90 million in Bitcoin this year, according to a recent report from analytics firm Elliptic. And hackers aren't letting up. Just this week, an attack on meatpacker JBS, allegedly by Russia-linked REvil/Sodinokibi, threatened to cut off much of the US's meat supply. JBS says it has now taken back control of its facilities, though it's unclear whether it paid a ransom to resolve the issue.
Last year, with ransomware attacks on the rise, the US Treasury Department's Office of Foreign Assets Control (OFAC) warned companies that facilitating payments to hacking groups could cause them to run afoul of US sanctions that bar transactions with people and entities on a government blacklist.
DarkSide, the group responsible for an attack on Colonial Pipeline that resulted in a gas shortage on the East Coast, isn't on that list. However, affiliates may be. According to New York Times correspondent Andrew Kramer, DarkSide uses a franchise model that allows hacking entrepreneurs to buy ransomware software to deploy.
Ransomware payments may otherwise be permitted, provided companies that facilitate such transactions—it's something of a cottage industry—have a rigorous compliance program in place.
But few details are known about the specifics of Colonial or CNA's payments. CNA, one of the country's largest insurance companies, reportedly paid $40 million to restore access to its network but has not confirmed that any payment was made.
“CNA followed all laws, regulations, and published guidance, including OFAC’s 2020 ransomware guidance, in its handling of this matter,” CNA spokesperson Cara McCall told Bloomberg in May.
Colonial, meanwhile, parted with $4.4 million in Bitcoin to help get oil flowing again, according to CEO Joe Blount.
Chairwoman Maloney is asking for documents and communications pertaining to the discovery of the attack and the ransom itself, including anything regarding sanctions screenings undertaken by the companies. She has given Colonial and CNA until June 17 to provide the requested documents.
“Congress needs detailed information about ransom payments made to cybercriminal actors to legislate effectively on cybersecurity and ransomware in the United States,” she wrote.