FBI agents from the Cyber Task Force office in Oregon have helped investigators identify three suspected Russian government hackers accused of compromising the computer network of a company that operates a nuclear power plant in Kansas.
Portland-based FBI agents had expertise in the type of malware used to infect the operator of the Wolf Creek nuclear power plant in Kansas.
Their work with FBI agents in Anchorage, Alaska, and the bureau’s headquarters in Virginia led to federal indictments in Kansas of three men with ties to the Russian Federal Security Service, Russia’s main security agency.
The case is just one example of ransomware’s growing threat to vital US industries, private businesses and public agencies, the Oregon FBI chief said.
Ransomware is malicious software that blocks access to a computer system or files until a “ransom” is paid.
Ransomware complaints to the FBI increased by 82% between 2019 and 2021, according to Kieran L. Ramsey, special agent in charge of the Oregon FBI.
The Oregon FBI Cyber Squad is one of the busiest units in the local FBI office, prompting Ramsey to redouble his efforts to sound the alarm about the ever-present threats. All 56 FBI field offices have a cybersecurity task force.
In Oregon last year, health care companies and school districts were big targets, along with more family stores and small businesses, such as Yoshida Foods and McMenamins.
The FBI has noticed not only a significant increase in the number of ransomware variants, but also in the number of attacks and the amount of money demanded, according to Ramsey. A variant is a distinct strain of ransomware code, with its own encryption routine or intrusion tooling, experts said.
In 2019, the FBI’s Internet Crime Complaint Center received 2,047 ransomware complaints, with losses of over $8.9 million reported. In 2021, the center received 3,729 ransomware complaints with losses of over $49.2 million.
Scams have become more sophisticated. Threats can come from actors operating outside the United States who target national or economic security, or from profit-driven criminal groups.
Hackers also sometimes run a franchise system, now commonly called ransomware-as-a-service, leasing their ransomware and hacking tools to other criminals or for use by other countries, Ramsey said.
Sometimes double extortion occurs: victims are pressured to pay a ransom not only to have their data unlocked but also to keep the stolen data from being publicly disclosed.
“It shows you the real threat to the legitimacy of your business, because what’s going to happen to your business when your customers and shareholders see your stuff going out the back door and onto the internet for everyone to see,” said Ramsey.
He wants the private and public sectors – especially companies working in health care, banking, energy or transportation – to be aware of the problem, contact the FBI in advance to form a partnership, and immediately contact the FBI if they detect an intrusion into their computer networks.
“The sooner they contact us, the better the chance that we can recover some of that money” paid as a ransom, he said.
In the FBI’s Portland Field Office, its Safe Streets Task Force investigating gun violence and its Cybersecurity Task Force are the two busiest teams in the building, Ramsey said. The cybersecurity task force has more than a dozen data analysts, computer scientists, intelligence analysts, operations specialists and special agents.
They track the more than 100 ransomware variants that have been detected worldwide. They have also formed private-sector and government partnerships and built relationships with foreign partners who assist in investigating cyberattacks, he said.
The three alleged Russian government hackers charged in the Kansas case are also accused of conspiring to compromise critical infrastructure and energy companies around the world from 2012 to November 2017.
They hid malware in software used by more than 17,000 devices and controllers at power and energy companies in the United States and elsewhere, according to a federal indictment. They are presumed to be in Russia and have not been arrested.
In Oregon, the Oregon Anesthesiology Group fell victim to ransomware on July 11, 2021, when it was locked out of its servers, according to the group. It alerted the FBI and a cybersecurity firm and learned that federal agents had seized an account belonging to Ukrainian hackers.
The hackers had exploited a vulnerability in a third-party firewall, allowing them to access the Oregon company’s network and obtain administrator credentials. They then accessed the names, addresses, dates of service, diagnoses, insurer names and insurance IDs of 750,000 patients and 522 current and former employees, according to the company.
After last year’s attack, the group replaced its third-party firewall and expanded the use of multi-factor authentication to access its system. It also contracted with a vendor for around-the-clock security monitoring and increased use of cloud-based infrastructure, the group said in a statement.
In 2019, Portland Public Schools fell victim to a multi-million dollar cyber scam after fraudsters tricked one or more employees through a compromised email account into transferring money to them.
In such attacks, known as business email compromise, attackers impersonate a trusted staff member of an organization, such as a CEO, or send payment instructions from a hijacked mailbox, so that a legitimate bank account is surreptitiously swapped for an account controlled by the attacker.
The school district immediately contacted the FBI and expected to recover approximately $2.9 million in district funds that had been transferred to a fraudulent account, after the banks involved froze the transfer.
The FBI continues to investigate the school district’s breach, Ramsey said.
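The pattern described above lends itself to a few mechanical checks before any payment instruction is acted on. The following is an added example, not code from the FBI, Portland Public Schools or any vendor named in this article; the organization, domains, staff names, account numbers and messages are all constructed for illustration. It screens one email for the usual impersonation signals (display name of a known executive on a foreign address, typo-squatted domain, Reply-To pointing elsewhere) and, separately, for a bank-account change that does not match the account on file. The last rule matters most: when a genuine mailbox has been compromised, as the article describes, the headers look clean and the only signal is the change itself, which is why such requests need out-of-band verification regardless of what the email looks like.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed reference data for the example (assumed; not real organizations).
ORG_DOMAINS = {"example-district.org"}
KNOWN_STAFF = {"pat superintendent": "pat.super@example-district.org"}
VENDOR_ACCOUNTS = {"acme-construction.test": "111222333"}  # vendor domain -> account on file
TRUSTED_DOMAINS = ORG_DOMAINS | set(VENDOR_ACCOUNTS)

ACCOUNT_RE = re.compile(r"\b\d{8,17}\b")  # crude match for bank account numbers
CHANGE_PHRASES = ("new account", "new bank", "updated bank", "wire to", "remit to")


def edit_distance(a, b):
    """Levenshtein distance, used to spot typo-squatted domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain):
    """Return the trusted domain this one imitates (within two edits), or None."""
    for trusted in TRUSTED_DOMAINS:
        if domain != trusted and edit_distance(domain, trusted) <= 2:
            return trusted
    return None


def screen_payment_request(raw_message):
    """Return the names of the rules that fire on one RFC 822 message."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower()
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    body = msg.get_payload().lower()
    flags = []

    # A known executive's display name on an address that is not theirs.
    expected = KNOWN_STAFF.get(name.strip().lower())
    if expected and addr.lower() != expected:
        flags.append("display-name-impersonation")
    # Sender domain is a near-miss of a domain we trust.
    if lookalike_of(domain):
        flags.append("lookalike-domain")
    # Replies would go to a different domain than the visible sender.
    if reply_to and reply_to.rsplit("@", 1)[-1].lower() != domain:
        flags.append("reply-to-mismatch")
    # Bank-change wording plus an account number that is not the one on file.
    if any(p in body for p in CHANGE_PHRASES):
        on_file = VENDOR_ACCOUNTS.get(domain)
        if any(n != on_file for n in ACCOUNT_RE.findall(body)):
            flags.append("payment-instruction-change")
    return flags


# Constructed sample messages.
SAMPLE_LOOKALIKE = """From: Acme Billing <ar@acme-constructi0n.test>
Reply-To: Acme Billing <ar.acme@webmail.test>
Subject: Updated remittance details

Please wire to our new account 998877665 for all open invoices.
"""

SAMPLE_COMPROMISED = """From: Acme Billing <ar@acme-construction.test>
Subject: Bank change

Our bank has changed. Please remit to new account 555666777 for invoice 4412.
"""

SAMPLE_EXEC = """From: Pat Superintendent <pat.super.office@webmail.test>
Subject: Urgent and confidential

I am in a meeting. Wire to 123456789 today and keep this between us.
"""

SAMPLE_CLEAN = """From: Acme Billing <ar@acme-construction.test>
Subject: Invoice 4412

Invoice 4412 is attached. Our account on file, 111222333, is unchanged.
"""

if __name__ == "__main__":
    for label, sample in [("lookalike", SAMPLE_LOOKALIKE), ("compromised", SAMPLE_COMPROMISED),
                          ("exec", SAMPLE_EXEC), ("clean", SAMPLE_CLEAN)]:
        print(label, screen_payment_request(sample))
```

Note that the "compromised" sample trips only the payment-instruction rule: the sender, domain and Reply-To are all genuine because the attacker is inside the vendor's real mailbox. Any flag from this screen should route the request to a phone call on a number already on file, never to a number in the email.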
The FBI does not encourage ransom payments, because paying may encourage hackers to target other organizations and does not guarantee that a victim’s files will be recovered, according to the agency.
Still, the FBI understands that companies that can’t operate may pay a ransom just to get back to work. But Ramsey said they should always report attacks to the local FBI office.
If contacted early, “we can either disrupt it or mitigate it…and prevent further damage from happening again,” he said.
Darrin Johnson, head of the cybersecurity team at information technology company Progent, pointed out that hackers are hitting not just large corporations, but small and medium-sized businesses as well.
The average ransom payment from a company in the first quarter of 2022 in the United States was $211,259, he said.
The FBI has become more involved in the fight against ransomware since 2019, but Johnson said those responsible are often beyond the reach of law enforcement.
Many live in countries that do not have extradition treaties with the United States and would only risk arrest if caught after entering the United States or another country with an extradition treaty, Johnson said.
“In some cases, we know exactly who the threat actors are,” he said. “We know where it’s coming from outside the country, and there’s nothing we can do about it.”
He also acknowledged that some companies avoid going to the FBI because they don’t want anyone to know about the breach.
Still, he and Ramsey said it was good to report the attacks, if only to share information.
“There is a good chance that another organization somewhere in the United States will be victimized in the same way at the same time,” Ramsey said.
Contact the reporter at 503-221-8212 or on Twitter @maxoregonian