Senate Report Highlights Lack of Government Data on Ransomware Payments

A new report details the role cryptocurrencies play in incentivizing ransomware attacks and the government’s response.

Ransomware attacks are on the rise but federal agencies do not have enough data and information to deter, mitigate and prevent these attacks, according to a report released Tuesday by Sen. Gary Peters, D-Mich., Chairman of the Senate Homeland Security and Governmental Affairs Committee.

The report, authored by committee staff, further found the government lacks data regarding ransoms paid to criminals—usually through cryptocurrencies—by ransomware attack victims.

“Cryptocurrencies—which allow criminals to quickly extort huge sums of money, can be anonymized, and do not have consistently enforced compliance with regulations, especially for foreign-based attackers—have further enabled cybercriminals to commit disruptive ransomware attacks that threaten our national and economic security,” Peters said in a statement. “My report shows that the federal government lacks the necessary information to deter and prevent these attacks, and to hold foreign adversaries and cybercriminals accountable for perpetrating them.”

The Senate committee report indicates that reported ransomware attacks have increased significantly in recent years. In 2020, ransomware attacks jumped 435%, according to the World Economic Forum, and in 2021, ransomware attacks “impacted at least 2,323 local governments, schools, and healthcare providers in the United States.” Those increases caused a comparative increase in financial losses.

“A three-year comparison of the number of complaints of ransomware submitted to the FBI between 2018 and 2020, demonstrates a 65.7% increase in victim count and a staggering 705% increase in adjusted losses. In 2021, the agency received 3,729 ransomware complaints with adjusted losses of more than $49.2 million,” the report states.

Yet even those tallies “likely drastically underestimate the actual number of attacks and ransom payments,” the report states, with public sector assessments “significantly lower” than private sector estimates.

“The report finds that there is a lack of comprehensive data on the amount of ransomware attacks and use of cryptocurrency as ransom payments in these attacks. While multiple federal agencies are taking steps to address the increasing threat of ransomware attacks, more data is needed to better understand and combat these attacks,” the report states.

The report makes several key recommendations for addressing the data problem, including that the government immediately implement a mandate for reporting ransomware attacks and ransom payments.

Other recommendations include standardizing existing federal data on ransomware incidents and ransom payments for better analysis and instructing Congress to establish additional public-private initiatives to investigate the ransomware economy.