Ransomware losses on track to exceed $1 billion this year in U.S., panel testifies to Congress

Ransomware attacks on the computer systems of governments, enterprises and individuals continues to grow, with losses on pace to exceed $1 billion during 2016, federal lawmakers and panelist said yesterday during a Senate subcommittee hearing to explore the issue.

Ransomware is computer malware that infects a computer and spread to other devices on an enterprise network, allowing the perpetrator to encrypt data on the system until the enterprise pays a ransom fee to receive a decryption key enabling access to the data. Reported ransoms have ranged from a few hundred dollars to tens of thousands of dollars, and they are typically paid in Bitcoin, a digital payment system that allows the recipient to remain anonymous.

Ransomware is a digital version of a longtime criminal scheme, Sen. Lindsey Graham (R-S.C.), said during yesterday’s Senate Judiciary Subcommittee hearing on the subject.

“This is as old as time itself; this is just a different way of shaking people down and stealing,” Graham said during the hearing, an archive of which is available online. “The bottom line is the oldest concept out there: shaking you down, taking something that is important to you, holding it hostage and extracting money from you.

“When it comes to systems that hospitals need and school districts need, you’re threatening the lives and safety of thousands of people … It is a terrible crime, and it has its own psychological, violent aspect to it, and it’s just a matter of time until somebody physically gets hurt because these systems go down.”

Sen. Sheldon Whitehouse (D-R.I.) said ransomware attacks are on pace to inflict more than $1 million in losses this year, according to the FBI. More than a dozen hospitals already have been attacked by ransomware in 2016, he said.

“Attacks like these prevent doctors and nurses from accessing patient files, and they slow down the processing of lab results,” Whitehouse said. “In one case, a patient was kept on a powerful antibiotic for more than eight hours after it should have been stopped, because the nurse could not get the lab results, which were delayed as a result of the ransomware attack.

“The message from this should also be that we’re at a stage where it’s not just breaches any longer. We’ve jumped from cyber into real space with some of these things … This is a warning, I think, to all of us that we need to up our game.”

Richard Downing, acting deputy assistant attorney general for the U.S. Department of Justice (DOJ), confirmed that reported ransomware attacks in 2016 are on pace to generate losses in excess of $1 billion. In fact, the real figure could be much greater, he said.

“It’s hard to know where it would all end,” Downing said. “The reports of [ransomware] are much lower than the instances of it actually happening.”