The Federal Bureau of Investigation issued a public service announcement last week urging victims to report ransomware attacks to law enforcement to help the FBI gain a more comprehensive view of the current threat.
According to the FBI notice, new ransomware variants are emerging regularly and cybersecurity companies reported in the first several months of 2016 that global ransomware infections were at an all-time high. “Within the first weeks of its release, one particular ransomware variant compromised an estimated 100,000 computers a day,” FBI officials stated.
Ransomware is a type of malware installed on a computer or server that encrypts the files, making them inaccessible until a specified ransom is paid. According to the FBI, ransomware is typically installed when a user clicks on a malicious link, opens a file in an e-mail that installs the malware, or through drive-by downloads (which does not require user-initiation) from a compromised Web site.
“While ransomware infection statistics are often highlighted in the media and by computer security companies, it has been challenging for the FBI to ascertain the true number of ransomware victims as many infections go unreported to law enforcement,” the FBI stated in the notice.
The FBI also stated that ransomware victims may not report to law enforcement for a number of reasons, “including concerns over not knowing where and to whom to report; not feeling their loss warrants law enforcement attention; concerns over privacy, business reputation, or regulatory data breach reporting requirements; or embarrassment.” Additionally, those who resolve the issue internally either by paying the ransom or by restoring their files from back-ups may not feel a need to contact law enforcement.
The FBI encourages victims to report ransomware incidents regardless of the outcome. “Victim reporting provides law enforcement with a greater understanding of the threat, provides justification for ransomware investigations, and contributes relevant information to ongoing ransomware cases. Knowing more about victims and their experiences with ransomware will help the FBI to determine who is behind the attacks and how they are identifying or targeting victims,” the FBI stated in the public service announcement.
The FBI is requesting victims reach out to their local FBI office and/or file a complaint with the Internet Crime Complaint Center with a number of infection details, including date of infection; ransomware variant (identified on the ransom page or by the encrypted file extension); victim company information (industry type, business size); how the infection occurred (link in e-mail, browsing the Internet); requested ransom amount; actor’s bitcoin wallet address (may be listed on the ransom page); ransom amount paid (if any); overall losses associated with a ransomware infection (including the ransom amount) and victim impact statement.
In the notice, the FBI reiterated that the agency does not support paying a ransom to hackers. “Paying a ransom does not guarantee the victim will regain access to their data; in fact, some individuals or organizations are never provided with decryption keys after paying a ransom. Paying a ransom emboldens the adversary to target other victims for profit, and could provide incentive for other criminals to engage in similar illicit activities for financial gain. While the FBI does not support paying a ransom, it recognizes executives, when faced with inoperability issues, will evaluate all options to protect their shareholders, employees, and customers,” the FBI officials stated.
The FBI also offered recommended prevention and continuity measures to lessen the risk of a successful ransomware attack. Organizations should regularly back up data and verify the integrity of those backups as well as secure backups.
The FBI also recommends that organizations scrutinize links contained in e-mails and do not open attachments included in unsolicited e-mails. In addition, the FBI also suggests organizations ensure application patches for the operating system, software, and firmware are up to date, including Adobe Flash, Java and Web browsers and ensure anti-virus and anti-malware solutions are set to automatically update and regular scans are conducted.
And, the agency recommends organizations implement software restrictions or other controls to prevent the execution of programs in common ransomware locations, such as temporary folders supporting popular Internet browsers, or compression/decompression programs, including those located in the AppData/LocalAppData folder.
Organizations also should focus on awareness and training. “Because end users are often targeted, employees should be made aware of the threat of ransomware, how it is delivered, and trained on information security principles and techniques,” the FBI stated.