FBI Issues Guidance on Ransomware Response
On April 29, 2016, the FBI published an alert regarding “Incidents of Ransomware on the Rise.”
The piece provides FBI guidance on how to protect organizations, as well as the FBI’s recommendation not to pay the ransom (though in practice, they have acknowledged that it may be necessary to do so if no backup is available for essential data).
The FBI alert notes that hospitals, school districts, state and local governments, law enforcement agencies, small businesses, and large businesses alike have all been victimized by ransomware, “an insidious type of malware that encrypts, or locks, valuable digital files and demands a ransom to release them.”
The FBI also notes that:
The inability to access the important data these kinds of organizations keep can be catastrophic in terms of the loss of sensitive or proprietary information, the disruption to regular operations, financial losses incurred to restore systems and files, and the potential harm to an organization’s reputation.
The FBI explains that a ransomware attack usually begins with an e-mail and “clicking on an attachment that appears legitimate, like an invoice or an electronic fax, but which actually contains the malicious ransomware code. Or the e-mail might contain a legitimate-looking URL, but when a victim clicks on it, they are directed to a website that infects their computer with malicious software.” In some new instances of ransomware, criminals are not using e-mails. According to FBI Cyber Division Assistant Director James Trainor, “[t]hese criminals have evolved over time and now bypass the need for an individual to click on a link. They do this by seeding legitimate websites with malicious code, taking advantage of unpatched software on end-user computers.”
With regard to paying the ransom, Trainor said, “Paying a ransom doesn’t guarantee an organization that it will get its data back—we’ve seen cases where organizations never got a decryption key after having paid the ransom. Paying a ransom not only emboldens current cyber criminals to target more organizations, it also offers an incentive for other criminals to get involved in this type of illegal activity. And finally, by paying a ransom, an organization might inadvertently be funding other illicit activity associated with criminals.” Businesses face a tough decision about paying the ransom when they have no alternative way to recover the data, which counsels for a comprehensive and frequent backup process. And while all companies would benefit from a consistent and unified refusal to pay, inconsistency in backups and a collective action problem will likely perpetuate payments and continue to incentivize ransomware attacks.
The FBI provides the following suggestions under the heading “Dealing with the Ransomware Threat”:
While the below tips are primarily aimed at organizations and their employees, some are also applicable to individual users.
- Make sure employees are aware of ransomware and of their critical roles in protecting the organization’s data.
- Patch operating system, software, and firmware on digital devices (which may be made easier through a centralized patch management system).
- Ensure antivirus and anti-malware solutions are set to automatically update and conduct regular scans.
- Manage the use of privileged accounts—no users should be assigned administrative access unless absolutely needed, and only use administrator accounts when necessary.
- Configure access controls, including file, directory, and network share permissions, appropriately. If users only need to read specific information, they don’t need write access to those files or directories.
- Disable macro scripts from office files transmitted over e-mail.
- Implement software restriction policies or other controls to prevent programs from executing from common ransomware locations (e.g., temporary folders supporting popular Internet browsers, compression/decompression programs).
Business Continuity Efforts
- Back up data regularly and verify the integrity of those backups regularly.
- Secure your backups. Make sure they aren’t connected to the computers and networks they are backing up.