Measuring the ups and downs of ransomware activity remains a difficult task for the U.S. government because so many victims decline to acknowledge when attacks occur.
Making determinations about whether ransomware is getting better or worse “is an extraordinarily hard question for any of us to answer because we know that the rate of reporting of ransomware intrusions, or cyber incidents generally, is far below the actual prevalence of these events,” Eric Goldstein, executive assistant director at the Cybersecurity and Infrastructure Security Agency, said Wednesday during Rubrik’s virtual Data Security Summit.
This lack of forthrightness from organizations that have been hit by ransomware is one of the primary reasons Congress passed legislation in March that requires critical infrastructure providers and federal agencies to promptly report cyberattacks and ransomware payments to CISA.
The provision mandates that critical providers notify CISA within 72 hours of a major cyberattack or 24 hours of a ransom payment. Goldstein lauded the development but noted the industry shouldn’t wait for finalization of those rules to increase the rate of incident reporting to CISA and the FBI.
“If CISA and our partners in government don’t know about a victim, we can’t offer help with eviction, with mediation, with recovery,” Goldstein said. “We also can’t glean technical information that we can then share broadly to help protect others from common ransomware strains.”
While CISA and cybersecurity professionals know that common controls, such as multifactor authentication and consistent vulnerability patching, can help prevent ransomware intrusions or other attacks, confidence in the effectiveness of those measures is directly tied to the sample set available to government officials.
“Our guidance is inherently based upon incomplete data,” Goldstein said.
CISA wants every victim to report cyber intrusions to the government so it can provide timely and actionable guidance tailored to how adversaries are breaking into organizations’ networks, he said.
Ransomware gangs feast on vulnerabilities
Ransomware persists because the attack surface and install base are so vulnerable. Threat actors figured out how to extract value from these vulnerabilities, and many cybercriminals operate from safe havens, sometimes with implicit support from nation states, Chris Krebs, a founding partner at Krebs Stamos Group, said on the panel.
“You’re seeing it just spread throughout the world because it pays – there’s a profit motive here,” said Krebs, the former founding director of CISA.
Officials need to disrupt the flow of money and narrow the attack surface before the rate and threat of ransomware dissipate, he said.
The FBI and Departments of Justice and Treasury are targeting cryptocurrency exchanges to interfere with cybercriminals’ ability to make money. Government officials are also influencing the command and control infrastructure of ransomware groups, sowing doubt and distrust among affiliates in a bid to splinter or effectively end their ability to operate in a collaborative manner, Krebs said.
The pool of potential ransomware victims in the U.S. is vast and threat actors are opportunistically targeting known weaknesses, misconfigurations and vulnerabilities, but there are means to drive down risk, according to Goldstein.
CISA’s Known Exploited Vulnerabilities Catalog serves an important role in that effort because it highlights the vulnerabilities adversaries are actively using and helps organizations prioritize cyber resources accordingly, Goldstein said.
“With that, organizations that might be running in an environment with hundreds or even thousands of vulnerabilities across their network, which of course is not uncommon, can figure out what [they] need to fix today to actually block the attacks that adversaries are undertaking,” he said.
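As an added illustration of that prioritization step (example code written for this article, not from CISA or the article itself): a short Python script that indexes a constructed snippet in the shape of the KEV JSON feed (the field names follow the published feed; the CVE ids, hosts and dates are placeholders) and ranks scanner findings by how far past CISA's due date they are.

```python
import json
from datetime import date

# Constructed sample in the shape of the KEV feed; CVE ids are placeholders, not real entries.
KEV_JSON = """
{"vulnerabilities": [
  {"cveID": "CVE-0000-00001", "vendorProject": "ExampleVendor", "product": "VPN Appliance",
   "vulnerabilityName": "Placeholder RCE", "dateAdded": "2022-04-01", "dueDate": "2022-04-22",
   "requiredAction": "Apply updates per vendor instructions."},
  {"cveID": "CVE-0000-00002", "vendorProject": "ExampleVendor", "product": "Mail Server",
   "vulnerabilityName": "Placeholder auth bypass", "dateAdded": "2022-05-10", "dueDate": "2022-05-31",
   "requiredAction": "Apply updates per vendor instructions."}
]}
"""

# Constructed scanner export: (hostname, CVE id) pairs, as a vulnerability scanner might list them.
SCAN_FINDINGS = [
    ("vpn-gw-01", "CVE-0000-00001"),
    ("mail-01", "CVE-0000-00002"),
    ("web-03", "CVE-0000-00003"),   # placeholder not in KEV: still a finding, but not known-exploited
    ("web-04", "cve-0000-00001"),   # scanners differ in case; normalise before matching
]

def load_kev(raw):
    """Index the KEV feed by upper-case CVE id so lookups are case-insensitive."""
    data = json.loads(raw)
    return {v["cveID"].upper(): v for v in data["vulnerabilities"]}

def prioritize(findings, kev, today):
    """Keep only findings listed in KEV and sort them most-overdue first.

    today is an ISO date string; days_left is negative once the CISA due date has passed."""
    ref = date.fromisoformat(today)
    hits = []
    for host, cve in findings:
        entry = kev.get(cve.upper())
        if entry is None:
            continue  # not known-exploited: lower priority, handled by normal patch cadence
        due = date.fromisoformat(entry["dueDate"])
        hits.append({"host": host, "cve": entry["cveID"], "due": entry["dueDate"],
                     "days_left": (due - ref).days, "action": entry["requiredAction"]})
    hits.sort(key=lambda h: h["days_left"])  # stable sort: ties keep scanner order
    return hits

if __name__ == "__main__":
    for hit in prioritize(SCAN_FINDINGS, load_kev(KEV_JSON), "2022-05-01"):
        print(hit)
```

Swapping KEV_JSON for the live feed and SCAN_FINDINGS for a real scanner export gives the "fix today" list Goldstein describes, with the non-KEV findings left to routine patching.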
Phishing-resistant forms of multifactor authentication can also drive down whole categories of attacks, Goldstein said. “Although the target space is broad and the range of vulnerabilities is wide, there are steps that any company can take to drive down their risk.”