In an alert published today, the U.S. Federal Bureau of Investigation (FBI) warned that recent ransomware variants have targeted and compromised vulnerable business servers (rather than individual users) and multiplyied the number of infected servers and devices on a network.
Powerful Ammo For Budget
The FBI explains one more time what ransomware is, how fast it mutates, and that infections are skyrocketing. They explain what the potential losses are -- service disruptions, financial loss, and in some cases, permanent loss of valuable data -- and that it is challenging for the FBI to keep pace. Knowing that they only have about 800 cyber agents, including 600 agents who conduct investigations, the agency doesn’t have the ability to address every attack, and must triage the most significant ones.
Tell Us How Much Ransom You Have Paid
The FBI is requesting victims reach out to their local FBI office and/or file a complaint with the Internet Crime Complaint Center, at www.IC3.gov, with the following ransomware infection details (as applicable):
- Date of Infection
- Ransomware Variant (identified on the ransom page or by the encrypted file extension)
- Victim Company Information (industry type, business size, etc.)
- How the Infection Occurred (link in e-mail, browsing the Internet, etc.)
- Requested Ransom Amount
- Actor’s Bitcoin Wallet Address (may be listed on the ransom page)
- Ransom Amount Paid (if any)
- Overall Losses Associated with a Ransomware Infection (including the ransom amount)
- Victim Impact Statement
The FBI does not support paying a ransom to the adversary. Paying a ransom does not guarantee the victim will regain access to their data; in fact, some individuals or organizations are never provided with decryption keys after paying a ransom. Paying a ransom emboldens the adversary to target other victims for profit, and could provide incentive for other criminals to engage in similar illicit activities for financial gain. While the FBI does not support paying a ransom, it recognizes executives, when faced with inoperability issues, will evaluate all options to protect their shareholders, employees, and customers.
What To Do About It
The FBI recommends users consider implementing the following prevention and continuity measures to lessen the risk of a successful ransomware attack:
- Regularly back up data and verify the integrity of those backups. Backups are critical in ransomware incidents; if you are infected, backups may be the best way to recover your critical data.
- Secure your backups. Ensure backups are not connected to the computers and networks they are backing up. Examples might include securing backups in the cloud or physically storing them offline. It should be noted, some instances of ransomware have the capability to lock cloud-based backups when systems continuously back up in real-time, also known as persistent synchronization.
- Scrutinize links contained in e-mails and do not open attachments included in unsolicited e-mails.
- Only download software – especially free software – from sites you know and trust. When possible, verify the integrity of the software through a digital signature prior to execution.
- Ensure application patches for the operating system, software, and firmware are up to date, including Adobe Flash, Java, Web browsers, etc.
- Ensure anti-virus and anti-malware solutions are set to automatically update and regular scans are conducted.
- Disable macro scripts from files transmitted via e-mail. Consider using Office Viewer software to open Microsoft Office files transmitted via e-mail instead of full Office Suite applications.
- Implement software restrictions or other controls to prevent the execution of programs in common ransomware locations, such as temporary folders supporting popular Internet browsers, or compression/decompression programs, including those located in the AppData/LocalAppData folder.
Additional considerations for businesses include the following:
- Focus on awareness and training. Because end users are often targeted, employees should be made aware of the threat of ransomware, how it is delivered, and trained on information security principles and techniques.
- Patch all endpoint device operating systems, software, and firmware as vulnerabilities are discovered. This precaution can be made easier through a centralized patch management system.
- Manage the use of privileged accounts by implementing the principle of least privilege. No users should be assigned administrative access unless absolutely needed. Those with a need for administrator accounts should only use them when necessary; they should operate with standard user accounts at all other times.
- Configure access controls with least privilege in mind. If a user only needs to read specific files, he or she should not have write access to those files, directories, or shares.
- Use virtualized environments to execute operating system environments or specific programs.
- Categorize data based on organizational value, and implement physical/logical separation of networks and data for different organizational units. For example, sensitive research or business data should not reside on the same server and/or network segment as an organization’s e-mail environment.
- Require user interaction for end user applications communicating with Web sites uncategorized by the network proxy or firewall. Examples include requiring users to type in information or enter a password when the system communicates with an uncategorized Web site.
- Implement application whitelisting. Only allow systems to execute programs known and permitted by security policy.
We all know that your users are the weak link in your IT security. There are 5 ways (call them generations) to train end-users:
"Do Nothing", rely on filters and count on users to not click on phishing links. It is surprising that 25% of organizations still use this tactic.
"The Break Room", herd all users once a year into the break room. Keep them awake with donuts and coffee during the death by PowerPoint slide deck.
"The Monthly Security Video", where users are being given short videos that each cover a topic related to keeping the network secure, but causing training fragmentation.
"The Phishing Test", select a group of high-risk users and send a mock phishing attack. Employees that fail are asked to do a short remedial training.
"The Human Firewall", 1) Pre-test all users to find out your organization’s Phish-prone percentage and get your baseline. 2) Train all your employees on-line, on-demand to resist important attack vectors. 3) Schedule monthly phishing attacks to all users year-round -- Fully automated, super simple, highly effective, and very little time required.
Find out how affordable the "Human Firewall" option is. Get a quote for your organization now and be pleasantly surprised.
PS, don't like to click on redirected links? Cut & Paste this link in your browser: