DHS: Agencies Reported 321 Cases of Potential Ransomware

Federal agencies since last summer have alerted the Homeland Security Department to 321 possible malware infections with the potential to hold government networks hostage.

Fortunately, it seems, the "ransomware" infections in all the cases were neutralized by severing the affected computers from the agency's network.

"The department is not aware of any instances in which federal agencies paid a malicious actor to remove ransomware from a government computer," states a just-released written response from the agency to a Senate inquiry.

Police stations, law offices and even hospitals hacked by the nasty encryption programs in the past year have gone retro, resorting to pen and paper backup systems, eventually wiring criminals money or scrubbing their hard drives.

In the most recent high-profile situation, Washington area medical system MedStar Health on Monday suffered a likely ransomware breach that led IT workers to shut down patient care systems.

Reported incidents inside the government spanned 29 different agency networks, according to Homeland Security. In some instances, alarms were raised over infected emails that tried to deliver ransomware. Other times, agencies detected the real deal and eliminated the malicious programs from government systems.

"The majority of infections affected end-user workstations," DHS officials said. "In all cases, the system was removed from the network and replaced with a new, clean system with minimal impact to the user and agency."

In Dec. 3, 2015, letters, the Senate Homeland Security and Governmental Affairs Committee directly asked DHS and the Justice Department if they or other federal agencies have paid attackers to retrieve hacked government information.  

When any individual or organization is hacked by ransomware, "it is up to the victim as to whether they decide to pay the ransom or not," Assistant Attorney General Peter J. Kadzik said in a March 4 response to committee ranking Democrat, Sen. Tom Carper, D-Del.

Bureau public awareness campaigns stress the importance of creating data and system backups, he added.

Ransomware, akin to a digital form of extortion, generally originates from malicious emails or websites that trick users into downloading encryption programs that lock their data until they wire money for a key code.

When victims share their experiences with the federal government, DHS can capture the "signatures" of each particular ransomware job to help catch similar infections at other organizations. The threat indicators also are loaded into a federal firewall called EINSTEIN to detect and block the hostage-taking code on agency networks.

EINSTEIN 3 Accelerated, the latest iteration of the tool, filters emails, "which protects against the use of malicious file attachments and embedded links in email content," and also allows Domain Name System sinkholing, "which prevents malware already on a government computer from contacting its command and control servers," DHS said.

In an emailed statement to Nextgov, Carper said the committee will continue examining data extortion in the federal government. 

"This virus has the potential to endanger not only the security of businesses and individual citizens, but also the security of our government agencies," he said. "These responses from the departments of Homeland Security and Justice are a first step toward understanding the problem so we can make informed policy decisions about these unique threats."