House Oversight Committee Probing JBS Ransomware PaymentChairwoman Carolyn Maloney Also Wants Details About Colonial, CNA Payments
The House Oversight and Reform Committee is probing the $11 million ransom payment that meat-producer JBS says the company paid to a cybercriminal gang following a ransomware attack in May that forced some of its operations to shut down.
In a letter released Friday, Oversight Chairwoman Carolyn Maloney demanded that JBS provide documents and other information by June 24 related to the attack, including any details about when the company first discovered the intrusion and any communication between employees and executive and the attackers.
Following the incident, the FBI attributed the attack to REvil, aka Sodinokibi, which is a ransomware-as-a-service operation believed to be at least partially based in Russia (see: FBI Attributes JBS Attack to REvil Ransomware Operation).
"I am deeply troubled by this and similar ransomware attacks. Any ransom payment to cybercriminal actors like REvil sets a dangerous precedent that increases future risk of ransomware attacks," Maloney, a Democrat from New York, wrote. "Congress needs detailed information about the attack to legislate effectively on ransomware and cybersecurity in the United States."
A spokesperson for JBS tells Information Security Media Group that the company "will fully cooperate with the congressional investigation."
Besides JBS, Maloney has requested documents and other information from Colonial Pipeline Co. about the company's decision to pay $4.4 million to attackers following a May 7 ransomware incident. The committee is also probing a third ransomware attack that targeted insurance firm CNA, which reportedly paid $40 million in ransom to cybercriminals (see: Should Paying Ransoms to Attackers Be Banned?).
The letters from Maloney and the House Oversight Committee come as Congress has taken a more active interest in a series of ransomware and other cyber incidents that have affected both the federal government and multiple private companies.
Earlier this week, Colonial Pipeline CEO Joseph Blount appeared twice before lawmakers in the House and Senate to explain his company's actions both during and after the May 7 ransomware attack as well as his decision to pay the ransom to a cybercriminal group known as DarkSide.
During a hearing Wednesday before the House Committee on Homeland Security, Blount explained that the decision to pay the ransom was his alone, although the company waited several days to inform the FBI of the payment, despite the fact that the bureau had been notified of the attack within hours of the company discovering it (see: House Probes Specifics of Colonial Ransomware Attack).
"We did not have any discussion with the FBI or any other governmental entity about the actual negotiation or the payment of the ransom at that time," Blount testified. He later added that the company has cyber insurance and that Colonial Pipeline has submitted a claim for the ransom payment.
While the FBI discourages ransomware victims from paying since it could encourage more attacks, there is no law against paying off cybercriminals. Companies, however, can run into legal trouble if the ransomware attacker has any connection with nations placed on the U.S. Treasury Department's Office of Foreign Assets Control sanctions list.
On Monday, the FBI and U.S. Department of Justice announced that they had managed to recover $2.3 million of the $4.4 million of the ransom that Colonial Pipeline paid to the attackers. As part of the investigation, the FBI tracked part of the payment to a bitcoin wallet it controls, enabling law enforcement officials to recover the money.
And while the lawmakers and Blount praised the FBI for recovering at least some of the payment, Rep. John Katko, R-N.Y., said during the hearing that Congress, the federal government and businesses need to do more to break the ransomware business model. This should include enhancing Know Your Customer laws to stop money laundering and illegal payments as well as more enhanced ways to trace cryptocurrency such as bitcoin.
"While it's encouraging that the FBI was able to recover the majority of the bitcoin ransom and this insistence … we can't depend on this capability going forward," Katko said. "We also need to codify a process of identifying systematically important critical infrastructure."
While Congress has started to probe JBS, Colonial Pipeline and other ransomware attacks, the Biden administration is also working on ways to stem these incidents. Earlier this month, the White House released a memo to corporate executives and business leaders, urging them to ensure they're following a detailed list of cybersecurity best practices (see: White House Urges Businesses: Improve Ransomware Defenses).
The Justice Department has also issued new guidance for federal prosecutors, to ensure that all cases they're tracking - domestically and abroad - get coordinated with the government's recently launched Ransomware and Digital Extortion Task Force.
On Thursday, Anne Neuberger, the deputy national security adviser for cyber and emerging technology, met with the National Association of Attorneys General and laid out the Biden's administration plan to disrupt ransomware attacks, which includes disrupting the infrastructure used by attackers, greater international corporation and better tracking of cybercriminal's cryptocurrency transactions, according to an official readout of the event.