Senate report examines REvil ransomware attacks on US firms

The top Republican on the Senate Homeland Security Committee released a report early Thursday examining the approaches of three unnamed U.S. companies that were the targeted by the Russia-based ransomware group REvil.

The report from Sen. Rob Portman (R-Ohio) follows warnings from several senior government officials — including President Biden himself — that Russian hackers might unleash a wave of digital attacks against American companies and critical infrastructure. "Today, my Administration is reiterating those warnings based on evolving intelligence that the Russian Government is exploring options for potential cyberattacks,” Biden said in a statement on Monday.

Government officials have been quick to call on leaders in the private sector to improve incident response plans and harden cyber defenses, but the investigation by Portman highlights the systemic flaws in both the private sector and the federal government. 

In a call with reporters on Wednesday, a committee aide frequently referred to the Cyber Incident Reporting Act that Portman introduced last September as a possible solution. “Until we get Senator Portman’s legislation implemented, there is no coordinated defense because only those companies know that they're being attacked.”

Instances of ransomware attacks have skyrocketed in recent years, with the U.S. being the biggest target. According to the report, there were 421.5 million ransomware attempts against U.S. organizations in 2021.

Three cyberattacks examined

The new report focuses on three unnamed companies, all of which were attacked by the ransomware group REvil but varied in size, business model and industry. “We don't want to risk these victims being retaliated against by ransomware criminals. So we didn't think that it was necessary to reveal their identity,” the aide said, adding that the attacks all occurred in the last five years.

“Entity A” was the largest company examined in the report, being a global multi-sector Fortune 500 company with approximately 100,000 employees. “Entity B,” a global manufacturing firm, fell into the mid-range category with a few thousand employees. “Entity C” represented a smaller technology company with around 50 employees.

In each case, REvil successfully infiltrated and encrypted the systems of the companies. All of the firms had prepared incident response plans and had notified the federal government. None of them paid the ransom. 

Entities A and B were highly critical of the FBI’s response to the attacks. “Entity A found the FBI to be unhelpful throughout the process,” the report states. “Entity A indicated the FBI prioritized investigating those responsible for the attack over helping Entity A respond and secure its network.”

Furthermore, Entity A said the hostage negotiator had “little expertise” and that they had no interaction with the Department of Homeland Security or its Cybersecurity and Infrastructure Security Agency (CISA). Entity B also reported that they had no interaction with CISA and that “there was no ‘here’s a playbook’ discussions with the FBI regarding how to best respond.” Entity C chose to handle the incident internally, although they did notify the FBI.

“CISA was not involved with those particular incidents, which is one of the reasons the Cyber Incident Reporting legislation is so important. I think the benefit that CISA can have in that space is helping ransomware victims recover,” the aide said. “As it stands today, I think the coordination between CISA and the FBI has improved and gotten better.”

The report concludes by recommending that both the private sector and the federal government learn from the shortcomings displayed in the report — organizations should maintain offline backups and encrypt sensitive data, while CISA and the National Cyber Director should work more cohesively with the FBI.