Senate HSGAC Ransomware and Cryptocurrency Hearing
Senate Committee on Homeland Security & Government Affairs
Rising Threats: Ransomware Attacks and Ransom Payments Enabled by Cryptocurrency
Tuesday, June 7, 2022
Topline
- Megan Stifel said reported information should be shared with the private sector and that the cyber incident notification process should be streamlined to allow for consistency. Jackie Koven called for aggregation and standardization of reporting.
- Witnesses also touted the need for foreign AML regulations, an all-tools approach to combating ransomware, government investment in cybersecurity funds and emergency authorities, and better equipping departments and agencies to manage the investigatory process.
Witnesses
- Megan Stifel, Chief Strategy Officer, Institute for Security and Technology
- Bill Siegel, Chief Executive Officer, Coveware
- Jackie Burns Koven, Head of Cyber Threat Intelligence, Chainalysis
Opening Statements
Chairman Gary C. Peters (D-Mich.)
In his opening statement, Peters discussed the role of cryptocurrency in facilitating ransomware attacks. He introduced into the Record an investigation report saying that the U.S. government lacks data on ransomware attacks and must collect better data to understand the scope of the issue. He touted the cyber incident reporting law he authored and passed earlier this year as a significant first step to combat this growing threat. He also discussed the need to build on this legislation by holding foreign actors accountable.
Ranking Member Rob Portman (R-Ohio)
In his opening statement, Portman referenced a report released in March that documented the experiences of American companies victimized by the Russian ransomware gang REvil. He stated that public reports indicate the gang may be resuming operations, as it is common for these criminals to claim retirement and later reemerge under a new name. He highlighted the cyber incident reporting legislation, which he drafted with Chairman Peters and which became law a couple of months ago, to enhance the nation’s visibility into cyberattacks and its response. He concluded by saying that the Committee will continue to identify solutions to address these threats and ways to fortify the nation’s defenses.
Testimony
Megan Stifel, Chief Strategy Officer, Institute for Security and Technology
In her testimony, Stifel discussed the Institute for Security and Technology (IST) report outlining IST’s Ransomware Task Force recommendations, including: the need for sustained, coordinated collective action, led by the United States, among governments, industry, academia, and nonprofits to meaningfully reduce the ransomware threat; an intelligence-driven anti-ransomware campaign, coordinated by the White House, including the capability necessary to support operational collaboration with industry; the establishment of ransomware response and recovery funds, a framework for preparation, and mandated reporting of ransom payments; as well as closer regulation of the cryptocurrency sector that enables ransomware crime, including through compliance with existing tools designed to reduce illicit payments, e.g., Know Your Customer (KYC), Anti-Money Laundering (AML), and Combating the Financing of Terrorism (CFT) rules and regulations.
Bill Siegel, Chief Executive Officer, Coveware
In his testimony, Siegel said the percentage of a ransom that finds its way into a cybercriminal’s pocket is much higher when cryptocurrency is used as opposed to other currencies or stores of value. He noted the clear disparity in recovery rates between wire fraud and ransomware: if reported within 72 hours, illegitimate wires can be reversed and recovered, but no such mechanism exists for cryptocurrency. He turned to his second topic, mandatory reporting, and expressed hope that reporting requirements will be extended to all victims of ransomware attacks. He explained that mandatory reporting will allow the U.S. government to gain perspective on the scope of the problem, given that collecting accurate statistics is step number one. He stated that new legislation has the potential to answer major questions and enable agencies to make progress, but will bury these agencies with inaccurate data if not implemented correctly.
Jackie Burns Koven, Head of Cyber Threat Intelligence, Chainalysis
In her testimony, Koven stated that while it is true that cryptocurrency is generally the preferred form of payment in these cases, it is not true that cryptocurrency is the cause of ransomware attacks, adding that the issue should be addressed by equipping government agencies to go after ransomware actors and bring them to justice. She also discussed the need for information sharing, government funding, and international cooperation on anti-money laundering laws.
Question & Answer
Data
Peters asked Stifel about the need for data on cryptocurrency-based ransomware attacks. Stifel said there is a discrepancy between the information available to those in the ecosystem and the information received on the government side, adding that the agencies receiving information are asking for different types of information, contributing to a disaggregated picture of the threat. She also said that reported information should be shared with the private sector and that the government needs to be structured in the way it seeks information and disseminates that information to the private sector.
Regulation
Peters asked what shortfalls exist in AML regulations with respect to cryptocurrency, what has been done to address these shortfalls, and whether regulation is enough to solve this problem. Koven explained the need for U.S. support to foreign countries in implementing AML regulations. Stifel said the absence of regulation overseas has facilitated the demand for ransomware as a tool for financial gain and explained the need for Congress to act by clarifying the scope of the Cybersecurity Information Sharing Act of 2015 and streamlining the cyber incident notification process to allow for consistency. Sen. Maggie Hassan (D-N.H.) asked how the witnesses would strengthen regulatory requirements to combat cryptocurrency-based ransomware. Stifel touted the benefits of KYC and other rules but said the rules are inadequate once funds leave the U.S. system.
Hawley asked how agencies should optimally implement reporting requirements. Koven and Siegel said standardization is important and that being able to operationalize and share data at scale can lead to further successes.
Sen. James Lankford (R-Okla.) asked about private and public sector cooperation and communication. Siegel said it would be great if one agency could handle this issue, but several have a responsibility to impose costs on these threat actors. He added that recently passed legislation has designated a single agency to handle the initial inbound reports and then route that information to the proper branches for different kinds of investigations. Koven called for aggregation and standardization of reporting, said the recently passed legislation will help bolster intelligence, and said she hopes the agencies are resourced appropriately to handle the enormous amount of data. Stifel said that there needs to be greater clarity and simplicity for victims to share information with the federal government and that there is a significant need for adequate resources in these agencies.
Ransomware Criminal Activity
Sen. Jacky Rosen (D-Nev.) discussed her Improving Cybersecurity of Small Entities Act, which would direct agencies to develop cybersecurity recommendations and training for small businesses, and asked how ransomware criminals choose victims. Siegel called ransomware attacks opportunistic, not targeted. Sen. Kyrsten Sinema (D-Ariz.) asked how to balance decisions to pay ransoms with the desire to disincentivize further hacks. Siegel said the use of data is key and that providing accurate information on the forecasted outcome of payment is critical in the decision.
Sen. Josh Hawley (R-Mo.) asked Siegel to expand on the implications of his statement that financially motivated cybercriminals almost universally denominate ransom demands in cryptocurrency. Siegel explained that ransomware actors want to cash out their illicit proceeds by the most efficient means. He said that cryptocurrency is the most efficient because it can be moved without the worry of being reclaimed, and concluded by saying that cybercriminals know they have options to move between different types of cryptocurrencies, which further enables money laundering and increases the share of their proceeds that ends up in their pockets at the end of the day. Hawley asked if there is a specific cryptocurrency that is used more often than others for ransom demands. Siegel said that Bitcoin is the predominant option.
Hawley asked Koven to expand on her point that cryptocurrency can enhance investigations into ransomware demands, and whether it is much easier to investigate cases involving the illicit use of cryptocurrency than other forms of payment. Koven said that blockchain forensics and the transparency of the ledger provide the ability to see the cash-out destination, typically an exchange, which enables law enforcement to subpoena those exchanges as well as potentially freeze the accounts.
Sanctions
Hassan asked if the federal government should more aggressively sanction groups that launder ransomware payments. Koven deferred to policymakers on whether more sanctions should be enforced but said sanctions have been catastrophic for firms thought to be laundering ransomware payments. Stifel stated the need for an all-tools approach to combating ransomware and said sanctions have been effective in keeping ransomware actors from cashing out their proceeds.
Recovering Ransomware Payments
Peters asked what additional tools would help the federal government recover cryptocurrency ransom payments that have already been made. Stifel said the government should invest in cyber funds, emergency authorities, and better equipping departments and agencies to manage the investigatory process, which would also be useful for engaging agencies’ international counterparts.
For an archive of past SIFMA hearing coverage, please click here.