Bryan A. Vorndran
Assistant Director, Cyber Division
Federal Bureau of Investigation
Statement Before the House Committee on Oversight and Reform
Washington, D.C.
November 16, 2021

Cracking Down on Ransomware: Strategies for Disrupting Criminal Hackers and Building Resilience Against Cyber Threats

Statement for the Record

Chairwoman Maloney, Ranking Member Comer, and members of the committee, thank you for the invitation to provide remarks on the FBI’s role in our nation’s fight against ransomware.

Ransomware is a growing threat to the health and safety of the American people and our national and economic security, with no shortage of recent examples of ransomware’s wide-ranging effects. I am honored to lead the men and women of the FBI’s cyber program, where we are using our unique authorities to impose risk and consequences on the malicious cyber actors who are committing these crimes. But we cannot go at it alone, and as you will hear today, our strategy involves not only our partners in the federal government, but also those in the private sector and abroad.

The individuals who conduct cyber intrusions and ransomware campaigns, and the officials who direct or harbor them, believe they can compromise U.S. networks, steal our financial and intellectual property, and hold our critical infrastructure hostage for ransom, all without incurring risk themselves.

The FBI sits at the convergence of U.S. government efforts to change this risk calculus.

As a member of both the law enforcement and intelligence communities, with domestic and international reach, the FBI is focusing our unique authorities, and our ability to engage with international law enforcement, domestic victims, and key technology service providers, to identify and disrupt adversaries before they compromise U.S. networks, and hold them accountable when they do.

Key to the FBI’s strategy is using the information and insight we develop through our investigations to support our full range of public and private sector partners. There are many countries, companies, and agencies who play roles in defending networks, sanctioning destabilizing behavior, collecting cyber threat intelligence, and conducting cyber effects operations. We seek to work with all of them, in the belief that our collective actions to combat cyber threats are most impactful when they are planned jointly and sequenced for maximum impact.

In coordination with our partners, the FBI has successfully disrupted numerous cybercriminal enterprises, including those deploying ransomware, but lasting impact will require joint, sequenced operations with our U.S. counterparts and foreign allies as well as a removal of the sense of impunity many of these actors currently feel.

Just last week, we held a joint press conference with the departments of Justice, State, and Treasury to highlight our whole-of-government approach to tackling ransomware—in this case, the Sodinokibi/REvil variant responsible for thousands of ransomware attacks worldwide, including the July 2021 attack on IT management company Kaseya. Together, we announced:

  1. The arrest and unsealing of charges on Ukrainian national Yaroslav Vasinskyi for deploying Sodinokibi ransomware on victims, including Kaseya’s computer systems;
  2. The seizure of $6.1 million in funds traceable to and unsealing of charges on Yevgeniy Polyanin, a Russian national charged with conducting Sodinokibi/REvil ransomware attacks against thousands of victims;
  3. OFAC sanctions against Vasinskyi and Polyanin, as well the Chatex virtual currency exchange for its part in facilitating financial transactions for ransomware actors; and
  4. Two awards, totaling up to $15 million, for information leading to the identification, arrest, and/or conviction of Sodinokibi/REvil ransomware leadership or conspirators.

And it is no coincidence that we announced these actions on the same day our foreign partners in Europol announced the arrest of two additional affiliates of the same group in Romania, and Eurojust made its own announcement regarding related efforts. These coordinated and sequenced operations are the culmination of close and painstaking international and federal law enforcement collaboration, across governments and with private sector companies. Yes, the cyber threat is daunting, but when we combine the right people, the right tools, and the right authorities, our adversaries are no match for what we can accomplish together.

What is Ransomware?

At its most basic, ransomware is a computer program created by malicious actors to 1) infect a computer or server, 2) encrypt its contents so they cannot be accessed or used, and 3) allow the malicious actors to demand that a ransom be paid in exchange for the decryption key. Victim organizations without effective backups are not able to operate until their data is restored. Ransomware can paralyze organizations, and the cost to rebuild an encrypted network can be catastrophic for small- and medium-sized businesses and municipalities.

The ransomware threat is not new, and it has been one of the FBI’s top priorities for cybercriminal investigations for some time. In 2018, for example, we eliminated the threat from a highly impactful ransomware variant called SamSam that infected victims in nearly every U.S. state, including the city of Atlanta, the Port of San Diego, and multiple major healthcare companies. Our investigation led to a November 2018 indictment of the responsible Iranian cybercriminals and sanctions against two digital currency exchanges that enabled their operations; this ransomware variant has not been seen since.

In a trend not unique to cybercrime, as we expand our capability to disrupt ransomware actors, criminals have adapted to increase the scale, impact, and prevalence of ransomware attacks. The increasingly sophisticated and targeted nature of ransomware campaigns has significantly increased their impacts on U.S. businesses, and ransom demands are growing larger. Simultaneously, “ransomware-as-a-service” (RaaS), in which a developer sells or leases the ransomware tools to their criminal customers, has decreased the barrier to entry and technological savvy needed to carry out and benefit from these compromises and increased the number of criminals conducting ransomware campaigns. As this has happened, the number of ransomware variants has grown; today, we have investigations into more than 100 variants, many of which have been used in multiple ransomware campaigns. Recently, we have seen “double extortion” ransomware—where actors encrypt, steal, and threaten to leak or sell victims’ data—emerge as a leading tactic for cybercriminals, raising the stakes for victims, which in turn has increased the likelihood of ransom payments being made.

While cybercriminals remain opportunistic, they have also become more targeted in their campaigns, purposely aiming their malware at those institutions that can least afford downtime, specifically infrastructure critical to public safety, including hospitals and emergency services.

These ransom payments are typically requested in the form of a virtual currency, like Bitcoin. Virtual currency is not governed by a central authority, and regulation of the industry is still evolving globally, which can make it difficult to find out who is behind a transaction.

Cryptocurrency can be moved anywhere in the world, often more quickly than traditional currency, and these transactions frequently take place on the dark web, which presents its own set of problems. While these ransom demands often used to be just a few hundred dollars, we now see American businesses targeted with ransom demands in the millions, and in some cases tens of millions, of dollars. The statistics paint a stark picture: In 2020, the FBI’s Internet Crime Complaint Center (IC3) statistics showed a 20 percent increase in reported ransomware incidents and a 225 percent increase in reported ransom amounts.

Unfortunately, what is reported is only a fraction of the incidents out there.1

We have also seen both nation-state adversaries and cybercriminals targeting managed service providers (MSPs), whereby infecting one system, they can access the networks of hundreds of potential victims, as we saw in the Kaseya incident. But we are working to bring awareness to this method of compromise. In June, our partners at the U.S. Secret Service put together a cyber incident response simulation for companies that use MSPs, and it was my pleasure to join the Secret Service and give a unified federal message on the importance of hardening their systems and engaging with law enforcement before they are victims of an attack.

Ransomware has become one of the most costly and destructive threats to businesses and governments. On top of this, throughout the COVID-19 pandemic, we saw callous opportunism by criminal groups who put public safety at risk by attacking health care providers during a global pandemic. These groups demonstrate no morality; they will target entities big and small, public and private, and show little care for how their actions affect vulnerable populations.

How the FBI’s Cyber Strategy Counters the Ransomware Threat

Because this criminal activity has become more lucrative and enticing, it is our job to make it harder and more painful for hackers to do what they are doing. That is why we announced a new FBI cyber strategy last year, using our role as the lead federal agency with law enforcement and intelligence responsibilities to not only pursue our own actions, but to work seamlessly with our domestic and international partners to defend their networks, attribute malicious activity, sanction bad behavior, and take the fight to our adversaries overseas. We must impose risk and consequences on cyber adversaries and use our unique law enforcement and intelligence capabilities and authorities to do so through joint operations sequenced appropriately for maximum impact. We have to target the entire criminal ecosystem—including malware developers, money launderers, and shady infrastructure providers—and work with all relevant federal agencies like the Cybersecurity and Infrastructure Security Agency (CISA) and the Office of the National Cyber Director (ONCD), as well as victims and cybersecurity firms. All the while, we must continue to team with the Department of State to ensure our foreign partners are able and willing to cooperate in our efforts to bring the perpetrators of cybercrime to justice.

More specifically, and in conjunction with the Department of Justice’s recently-formed Ransomware and Digital Extortion Task Force, our strategy for countering ransomware and other complex cybercriminal schemes is focused on pursuing and disrupting 1) the actors, 2) their infrastructure, and 3) their money—all while providing help to victims and actionable intelligence to warn potential future victims. If there’s one thing the Bureau understands, it’s taking down criminal organizations, and when it comes to ransomware, we’re working with an unprecedented number of government and private sector organizations to do just that. When pursuing these actors, we work with like-minded countries to identify those responsible for damaging ransomware schemes, arrest them, and extradite them to the United States to face justice whenever possible. At the same time, taking down cybercriminals’ technical infrastructure adds to the impact, as it raises their costs, disrupts their operations, prevents new victims, and often gives us new intelligence on their operations. Lastly, since virtual currencies are so central to ransomware, we have developed our ability to trace these transactions and have been able to seize funds and shut down illicit currency exchanges in some instances. In addition to the seizure of $6.1 million from the Sodinokibi/REvil group that we announced just last week, we were also recently able to accomplish this objective in the Colonial Pipeline case, when the victim and our federal partners worked quickly and closely with us to recover a substantial portion of the cryptocurrency paid as ransom. Each of these is important, but we have the most durable impact when we do disrupt all three together.

We do all this with victims at the center of our efforts. At the FBI, we aim to inform, support, and assist victims in navigating the aftermath of crime and the criminal justice process with dignity and resilience. We want to empower all victims of cyber intrusions, just as we do for victims of other crimes. In some instances, we have done this by developing or acquiring a ransomware’s decryption key to help victims recover without paying the ransom. We have also, on occasion, been able to give advance warning to vulnerable or targeted entities. While the FBI is not a remediation service, the work we do to investigate and respond to cybercrime enables us to collect information, which we share to prevent future attacks and use to assist victims if they have already been hit.

As I mentioned, we have certain distinctive investigative authorities. And we have the good fortune of another domestic agency, CISA, with very different authorities and insights. Our roles complement each other, and when we work together, we strengthen our defense of cyberspace in ways we could not do if we were in competition or isolation.

To be more precise, the FBI contributes information we uniquely collect through a combination of criminal and national security authorities that are the envy of many partners overseas, and our physical presence across the U.S. enables our close engagement with victims. That engagement can yield details that unlock the secrets of who is compromising our networks, how our adversaries are succeeding, and where they may strike next because of the technical clues they leave behind. Once revealed, that information gives CISA the opportunity to identify other networks vulnerable to the same technique; it may give us, U.S. Cyber Command, or the National Security Agency a piece of the actor’s infrastructure to disrupt or exploit; and it helps the National Security Council know where to focus all the instruments of power the government might bring to bear against those responsible. These coordinated actions lead to the U.S. government’s most impactful cyber disruptions. We have also worked especially closely with CISA to share information with critical infrastructure owners and operators via FBI reports and joint advisories.

Our strategy has enabled us to land some major blows against the threat actors behind ransomware and its delivery mechanisms. But the ransomware threat is not going away, so we must carry this strategy and its momentum forward into 2022.

Addressing Ransomware’s Global Footprint

As I mentioned earlier, without strong foreign partnerships, our cyber strategy cannot be fully implemented, and we cannot successfully counter the ransomware threat.

We know our most significant threats come from foreign actors using global infrastructure to compromise U.S. networks. By working with friendly foreign law enforcement agencies and intelligence partners, we make it harder for these actors to conceal their activities and their whereabouts.

Not every foreign nation helps us in this fight. While we seek to disrupt entire cybercriminal enterprises, the most impactful consequence we can impose on a malicious cyber actor is an arrest as part of comprehensive disruption. If an actor is in a country like Russia or China, an arrest is currently not a viable option. Even when an indicted cybercriminal is in another country, Russia in particular takes actions to interfere with our extraditions. To make things more difficult, the lines between nation-states and cybercriminal actors are blurred, and even though a foreign nation may not be directing a ransomware campaign, it may still be complicit by providing a safe haven to those malicious actors who are doing harm to the United States, our citizens, and our businesses.

But our allies outnumber our foes, and in just the past few months, our work with foreign partners—supported by our legal attaches overseas—has led to impactful consequences against cybercriminals and sent a strong message that the reach of the U.S. government extends beyond its borders.

In January 2021, the FBI and others at the Department of Justice (DOJ) partnered with law enforcement and judicial authorities in the Netherlands, Germany, the United Kingdom, France, Lithuania, Canada, and Ukraine, with international activity coordinated by Europol and Eurojust, to disrupt the infrastructure of a highly destructive malware known as Emotet. Among other things, Emotet could also be used as a way to spread ransomware. This was one of the longest-standing professional cybercrime tools and had enabled criminals to cause hundreds of millions of dollars in damage to government, educational, and corporate networks. In this case, we used sophisticated techniques and our unique legal authorities, but it could never have happened without our international partners.

Also this January, we worked with international partners in Canada and Bulgaria to disrupt NetWalker, a ransomware variant that affected numerous victims, including companies, municipalities, hospitals, law enforcement, emergency services, school districts, colleges, and universities. In this case, we obtained federal charges, and a subject was arrested in Canada pending extradition proceedings. In addition, we seized more than $450,000 in cryptocurrency.

In June, through coordination with law enforcement and judicial authorities in the Netherlands, Germany, the United Kingdom, Canada, Sweden, Italy, Bulgaria, and Switzerland, as well as Europol and Eurojust, we seized the web domains and server infrastructure of DoubleVPN, a virtual private network that allowed ransomware actors to attack their victims and hide their tracks. Thanks to this international operation, this service, which was heavily advertised on both Russian and English-speaking cybercrime forums, is no longer available to cybercriminals.

How Victims and Potential Victims Can Help Themselves and Others

We have the strategy to take action against our cyber adversaries. But the strategy will fail if we do not know about suspicious activity or that a compromise has occurred. And because of the nature of U.S. laws and network infrastructure, we will never know about most malicious activity if it is not reported to us by the private sector.

We know ransomware victims, particularly large enterprises, risk negative publicity if they disclose being impacted by ransomware. As a result, ransomware incidents are often addressed by the victim directly and are never reported to the public or law enforcement.

Ransomware incidents targeting public entities, such as state or local municipalities, often receive high levels of publicity. In addition to the losses reported to the IC3 that I mentioned earlier, these groups face costs associated with business disruption and remediation, which can eclipse the ransom demand itself. For example, these costs were $17 million and $18.2 million, respectively, in ransomware campaigns against Atlanta and Baltimore.

I would like to spend a moment on the decision of whether or not to make a ransom payment. The FBI discourages ransomware victims from paying ransom for a variety of reasons. Even if a ransom is paid, there is no guarantee the business or individual will regain access to their data. On top of this, paying a ransom does not always keep data from ultimately being leaked. Additionally, paying a ransom incentivizes future ransomware attacks and emboldens criminal actors to continue their illicit work. However, regardless of whether or not a victim chooses to pay, the FBI strongly encourages victims to report ransomware incidents to the FBI. Our goal is to identify, pursue, and impose consequences on criminal actors, not their victims.

We are pushing important threat information to network defenders, and we are making it as easy as possible for the private sector to share information with us. For example, we are emphasizing to the private sector how we keep our presence unobtrusive in the wake of a breach, how we protect information that companies and universities share with us and commit to providing useful feedback, and how we coordinate with our government partners so we speak with one voice. A call to one federal agency is a call to all federal agencies, and I hope we are sending that message by sitting as a unified front here today.

At the same time, we need the private sector to do its part. We need to be warned—quickly—when they see malicious cyber activity. We also need companies to work with us when we warn them they are being targeted. The recent examples of significant cyber incidents—SolarWinds, Microsoft Exchange, Colonial Pipeline, JBS, and Kaseya—only emphasize what Director Wray has been saying for a long time: The government cannot protect against cyber threats on its own. We need a whole-of-society approach that matches the scope of the danger.

There is really no other option for defending a country where nearly all of our critical infrastructure, personal data, intellectual property, and network infrastructure sit in private hands. So what specific steps can companies take to follow our guidance, protect themselves and our nation, and help themselves if ransomware strikes?

First, the public, cybersecurity professionals and system administrators, and business leaders can use threat information shared by the FBI and the rest of the federal government to strengthen their network defenses and guard against ransomware and other malicious cyber activity.

Our reports, which are coordinated with our federal partners, are shared directly with critical infrastructure owners and operators, and when possible, are posted to our IC3 website to warn the public about the trends we are seeing and the specific threats out there. In addition to these threat advisories, CISA’s website and the new interagency site have resources on how people and businesses can protect themselves. Some of the general cybersecurity practices we encourage include creating and securing offline backups of critical data, installing patches as soon as they become available, updating anti-virus software, connecting only to secure networks, employing multi-factor authentication, and ensuring the validity of all e-mails and the links they contain before clicking them.

Second, if you are an organization, create an incident response plan. If you are compromised, you need to know what to do. All of your leaders and security professionals need to be on the same page, and you must be able to make decisions quickly. Having worked with victims who had incident response plans versus those who did not, the difference is stark.

Victims with incident response plans are often able to respond faster and more efficiently and can significantly limit the damage caused by a ransomware incident.

Third, organizations should build relationships with their local FBI field offices. Whether you are a small organization or a large corporation, our local offices welcome making connections before anything has gone wrong. If you see us speaking at an event in your area, show up, and talk to us after—we would be thrilled to meet your CEO, chief information security officer (CISO), general counsel, or anyone who has a role in keeping your networks secure and incident response. But it cannot stop there. Continue to share information with us after that meeting, and you have my word we will do the same back to you.

Fourth, if you are compromised, or if you think you may have been, report it to us as quickly as you can. You can report these incidents via the Internet Crime Complaint Center at or by contacting your local FBI field office, hopefully to the FBI agent you already know. We will take it from there and make sure the wheels of the entire federal government incident response team are set into motion so you can focus on remediation.

If an incident occurs, it may not be too late, but time is of the essence. The difference between seeking help on day one and day five is real–it can be the difference between a company reconstituting its network or declaring bankruptcy. We will always use our full range of national security authorities and criminal legal processes to investigate ransomware incidents, but many of those techniques require probable cause and prior court authorization, so there is no substitute for quick, voluntary action by private owners of U.S. networks and infrastructure in helping us act rapidly against a threat. Swift action from the private sector is an enormous public service, and we truly appreciate private sector cooperation whenever we can get it. In the Colonial Pipeline and Kaseya incidents, for example, swift reporting and response contained the impact of what could have been significantly worse events.

Mandatory Reporting of Ransomware and Other Cyber Incidents

The administration is supportive of legislative proposals that would require the reporting of a wider range of cyber incidents, to include ransomware and incidents that impact critical infrastructure and federal entities and their supply chain. These proposals would grant courts the authority to enjoin a greater range of botnets and other cybercrime involving damage to 100 or more computers, explicitly criminalize the sale or renting of a botnet, bring the forfeiture provisions of the Computer Fraud and Abuse Act (CFAA) in line with other federal statutes, and update the CFAA to add penalties for the crime of conspiracy.

All of these legislative proposals would enhance the FBI’s ability to combat ransomware, but I would like to focus on mandatory cyber incident reporting legislation that is being considered in Congress. We welcome and applaud congressional efforts that would require the reporting of certain cyber incidents, including ransomware attacks. However, we are troubled that all legislation being considered on mandatory cyber incident reporting does not explicitly account for the essential role that federal law enforcement, and notably the Department of Justice and the FBI, plays in receiving cyber incident reporting and actioning the information to assist victims and impose risk and consequences on cybercriminals.

The administration’s position is that the Department of Homeland Security (DHS) and DOJ – the two lead agencies respectively responsible for federal cyber incident response mitigation and investigation efforts for significant cyber incidents—should immediately receive all information mandated to be reported with appropriate protections. Cyber incidents that would have to be reported are not only digital breaches that require remediation, but also federal crimes that need to be investigated. Cyber incident reporting is crime reporting. To streamline and simplify reporting obligations, there should be one designated reporting intake mechanism for entities that are required to report, with the reports going to both DOJ and DHS.

Our need to receive all cyber incident reports is two-fold: one, to provide victims with rapid federal incident response support, and two, to disrupt ongoing harm through our unique authorities and forward-deployed capabilities.

Cyber threats are global, but victims need and deserve a local response. Many victims choose to report cyber incidents to the FBI because they know their local field office has a cyber squad with technically trained special agents, computer scientists, and other digital evidence and cyber threat experts who are ready to arrive on a victim’s doorstep in hours or less nationwide. But we can only move as fast as we learn about the incident. We owe it to the American people to not create any unnecessary delays to providing them with this assistance.

When the FBI responds to a cyber incident report, the Bureau is not just there to collect evidence of a crime. The FBI arrives to assist victims. Our cyber threat experts rapidly analyze information that victims provide to determine if the incident resembles others that we are investigating so we can provide victims with the technical information and hands-on support they need to limit ongoing harm and prevent additional malicious activity on their networks. With the insights that we have as a member of the USIC, we are able to meld the information victims provide with the community’s holdings to fill in visibility gaps and inform victims how they can defend against active and potential threats.

Rapid FBI responses to cyber victims has helped thwart major ongoing cyber incidents nationwide. Examples include stopping active intrusions into critical infrastructure entities, including a major healthcare facility; helping defense contractors block sensitive information from being exfiltrated from its networks; and helping a large financial institution secure terabytes of customer records, including personally identifiable information, that had been stolen from its systems.

But our rapid incident response services do not only help individual victims; they also help others who are vulnerable to similar cyber attacks. When recently assisting a major critical infrastructure victim during an ongoing incident, we identified a zero-day exploit the attackers were using, used our investigative tools to search for other victims affected by this vulnerability, and worked with CISA to provide cybersecurity assistance to these entities while a patch for the vulnerability was being developed.

In another incident reported to the FBI, a victim reported the malicious sever that connected to its network. We used our law enforcement and intelligence authorities to quickly monitor the malicious actor’s virtual infrastructure, dispatched agents across the country to warn targeted entities that the actor planned to compromise next, provided these entities with security advice, and intercepted and corrupted some stolen information before it could be exfiltrated.

Each response feeds into our collective efforts to link intrusions to common perpetrators and virtual infrastructure, attribute incidents, and impose risk and consequences on cybercriminals.

We need to track and disrupt malicious hackers’ activity, infrastructure, and illicit proceeds in as close to real-time as possible. The FBI needs to be able to receive cyber incident reporting information as soon as it is reported to facilitate the fastest federal response possible. There is simply no time to waste, especially in cyberspace.

The administration also holds that both DHS and DOJ should be co-equal partners in developing the rules that will be used to set incident reporting requirements. However, current incident reporting legislation being considered fails to recognize the critical expertise and role that DOJ, including the FBI, play when it comes to cyber incident reporting.

Congress has previously recognized how valuable it is to have both DHS and DOJ setting standards to address cyber threats. In the Cybersecurity Information Sharing Act of 2015, Congress established joint roles for both departments to establish policies, procedures, and guidelines related to the receipt of cyber threat indicators and defensive measures. The administration believes co-equal roles for DHS and DOJ is also the right approach for cyber incident reporting rulemaking.

DOJ, including the FBI, bring investigative and intelligence expertise about what information law enforcement and national security agencies need to disrupt malicious cyber actors, degrade their capabilities, and ultimately hold them accountable. DOJ also has extensive experience in navigating complex privacy and civil liberties issues that will inevitably arise from new requirements and would prove to be invaluable in helping to set standards that strike the right balance to ensure that incident report information is collected, stored, and shared appropriately.

The FBI also brings substantial knowledge about how to manage centralized federal cyber incident reporting mechanisms based on its experience running the IC3. Each year, IC3 receives hundreds of thousands of complaints from the public, which the FBI uses to prompt response efforts and inform other agencies about intrusions. Joint DHS and DOJ rulemaking will provide for the best outcomes for the entire federal government as well as the public.

We are delighted so many in Congress are invested in passing cyber incident reporting legislation, but we have to make sure legislation explicitly empowers the agencies at the front lines of incident response. As you will hear all the witnesses at today’s hearing emphasize, cyber is the team sport, and the Department of Justice and the FBI are key players. It is time for legislation to reflect this reality.

The Resource Demands of Malicious Cyber Activity

When we do learn of a ransomware incident, our agents are in direct contact with victims and with private industry partners to share threat indicators—such as malicious IP addresses—and gather evidence that helps us identify who is compromised and who else is vulnerable. Our technically trained incident response assets throughout the country, collectively known as our Cyber Action Team (CAT), assist affected entities. Our field offices with experience in complex national security and cyber investigations are our hubs for triaging the data we acquire through legal process, from partners, and through other lawful means. And our digital forensics and intelligence personnel exploit that information for indicators and intelligence that will help us to attribute the malicious activity to those responsible.

With the growing frequency and scale of recent significant cyber incidents—in some cases involving tens of thousands of victims—we are increasingly faced with hard choices that carry risk, include moving personnel away from long-term investigations or other significant incidents so we can surge toward the immediate need. In our SolarWinds investigation alone, a single FBI field office collected more than 170 terabytes of data, about 17 times the content of the entire Library of Congress. The FBI continues to exploit and analyze intelligence and technical data to uncover adversary tactics, share our findings, and pursue actions that will prevent those responsible from striking again.

Recent ransomware campaigns have shown us the investments in time, money, and talent cybercriminals are willing to make to compromise our networks. Accordingly, it requires a teams-based approach among various departments and agencies to understand, defend against, and counter these malicious cyber actors. Congress can help us by providing the resources requested in the President’s 2022 budget request to ensure the FBI and our partners are resourced to play our respective parts as we defend the nation together.


Even more than the other criminal violations we investigate, the FBI depends on our partners—public and private, foreign and domestic—to help us keep Americans safe from the many threats posed by ransomware. As part of our strategy, we have been putting a lot of energy and resources into cultivating these partnerships. As Director Wray has put it, cyber is the ultimate team sport, and I truly believe our partners are seeing the benefits of having FBI Cyber on their team.

Chairwoman Maloney, Ranking Member Comer, and members of the committee, thank you for the opportunity to testify today. I am happy to answer any questions you might have and to work together with you in the nation’s fight against ransomware so the FBI can help achieve our collective cyber mission—to give the American people safety, security, and confidence in our digitally connected world.


1 In 2019, the IC3 received 2,047 ransomware complaints with adjusted losses of more than $8.9 million. This likely represents a small fraction of the true scope of the threat because it captures only those who individually reported to the IC3. These numbers represent a nearly 40 percent increase in ransomware complaints to the IC3 and more than double the adjusted losses reported in 2018. In 2020, the IC3 received 2,474 complaints identified as ransomware with adjusted losses of over $29.1 million.