Ransomware losses on track to exceed $1 billion this year in U.S., panel testifies to Congress

At the heart of ransomware attacks are botnets—networks of compromised computers that can be instructed to commit cybercrimes, often without the computer owner’s knowledge—which Whitehouse described as the “engine of cybercrime on the Internet.” Whitehouse noted that there is “no such thing as a good botnet,” and Downing echoed this opinion.

During the hearing, panelists and lawmakers outlined an ecosystem associated with ransomware. Developers of software that enable ransom scenarios—typically through the creation of botnets—often sell the capability to interested buyers via online marketplaces. In some cases, access to an established botnet is sold to the highest bidder, so a ransomware perpetrator does not need significant computer skills to execute the crime, according to panelists.

These transactions, as well as the victim’s ransom payment, typically are executed by using Bitcoin, which makes it difficult to determine the identity of those responsible.

Downing said that hacking computers to establish botnets and using botnets to commit crimes is illegal, but current law does not make selling access to botnets illegal. Downing expressed support for proposed legislation that would close this “loophole” and would give DOJ officials the authority to tear down botnets, even if they were part of an active crime at the time.

Another person providing testimony during the hearing was Charles Hucks, executive director of technology for Horry County Schools in South Carolina. Although the public-school system had received ransomware attacks in past years, those incidents were overcome through the implementation of backup systems and without paying the ransom amount, he said.

But the ransomware attack that Horry County Schools received in February—caused by a cyberattack on school-system website that used older software, not by an inadvertent e-mail download—was far more widespread than previous efforts, infecting more than 600 servers, Hucks said. After being told by the FBI that it would not be able to undo the damage, the school system paid a ransom amount of $8,500, he said.

“We had no choice, if we wanted the data returned in a reasonable amount of time,” Hucks said.

Adam Meyers, vice president of intelligence for CrowdStrike, a security-technology company , said that about 40% of those victimized by ransomware pay the requested ransom amount.

Whitehouse noted that ransomware attacks have been used against other enterprises, including police departments. Another high-profile cyberattack caused a significant power outage in the Ukraine, and the DOJ recently secured indictments against Iranian cyberattackers for actions taken against the U.S. financial system and a New York dam, Whitehouse said.