
FBI ransomware alert: Don't pay; report, defend against attacks

A new FBI ransomware alert urges victims to report incidents to federal law enforcement, offers defense tips and advises against paying a ransom, if at all possible.

Admitting it needs more information about the recent surge in ransomware attacks, the FBI issued a ransomware alert urging victims to provide details of the attacks and, if at all possible, to avoid paying off the attackers.

The FBI ransomware alert included a list of nine key pieces of information to include in reports of attacks. In addition to urging victims not to pay ransoms, the FBI offered advice on best practices to defend against ransomware attacks.

"The FBI urges victims to report ransomware incidents to federal law enforcement to help us gain a more comprehensive view of the current threat and its impact on U.S. victims," the alert stated.

"Victims may not report to law enforcement for a number of reasons, including concerns over not knowing where and to whom to report; not feeling their loss warrants law enforcement attention; concerns over privacy, business reputation or regulatory data breach reporting requirements; or embarrassment. Additionally, those who resolve the issue internally, either by paying the ransom or by restoring their files from backups, may not feel a need to contact law enforcement."

However, the FBI ransomware alert urged victims to report any incident so that law enforcement agencies have the data they need to understand the threat, to justify further investigations and, in some cases, to supply information related to ongoing cases. "Knowing more about victims and their experiences with ransomware will help the FBI to determine who is behind the attacks and how they are identifying or targeting victims."

The FBI ransomware alert encourages victims to contact their local FBI office, and/or file a complaint with the Internet Crime Complaint Center, with nine pieces of information about the attack, including the date of infection; the ransomware variant; information about the victim company; how the infection occurred; the requested ransom amount; the attacker's bitcoin address; ransom paid, if any; overall cost of the infection, including the ransom; and a "victim impact statement."

As for whether to pay ransoms, the message was clear: "The FBI does not support paying a ransom to the adversary. Paying a ransom does not guarantee the victim will regain access to their data; in fact, some individuals or organizations are never provided with decryption keys after paying a ransom. Paying a ransom emboldens the adversary to target other victims for profit, and could provide incentive for other criminals to engage in similar illicit activities for financial gain."

However, the FBI acknowledged refusing to pay ransoms isn't always feasible. "While the FBI does not support paying a ransom, it recognizes executives, when faced with inoperability issues, will evaluate all options to protect their shareholders, employees and customers."

The alert included a list of recommended defenses against ransomware attacks, including regular and verified backups using offline storage. When using cloud storage for backups, the alert warned, "Some instances of ransomware have the capability to lock cloud-based backups when systems continuously back up in real time, also known as persistent synchronization."
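To make the alert's backup advice concrete, the following added example (not code from the FBI alert or from this article) simulates both strategies over a constructed set of files: a continuously synchronised cloud mirror, and an offline snapshot that carries a hash manifest and is verified before restore. The file names, the XOR "encryption" standing in for real ransomware, and all function names are assumptions for illustration.

```python
import hashlib
from typing import Dict

# Constructed sample data standing in for a small file share (not real files).
SAMPLE_FILES: Dict[str, bytes] = {
    "finance/q3-report.xlsx": b"PK\x03\x04 quarterly numbers ...",
    "legal/contract.pdf": b"%PDF-1.4 signed agreement ...",
    "ops/runbook.md": b"# Runbook\n1. call on-call\n",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def snapshot(files: Dict[str, bytes]) -> dict:
    """Point-in-time backup: copy the contents and record a hash manifest.
    Once taken, the snapshot is detached from the live system (the 'offline' copy)."""
    return {
        "data": dict(files),
        "manifest": {path: sha256_hex(content) for path, content in files.items()},
    }


def verify(backup: dict) -> bool:
    """The 'verified' part of the advice: every file must still match its recorded
    hash, and no manifest entry may be missing from the data."""
    data, manifest = backup["data"], backup["manifest"]
    return data.keys() == manifest.keys() and all(
        sha256_hex(data[path]) == digest for path, digest in manifest.items()
    )


def restore(backup: dict) -> Dict[str, bytes]:
    """Restore only from a backup that verifies; refuse a corrupted or partial one."""
    if not verify(backup):
        raise ValueError("backup failed integrity check; refusing to restore")
    return dict(backup["data"])


def mirror_sync(local: Dict[str, bytes], remote: Dict[str, bytes]) -> None:
    """'Persistent synchronization': the cloud copy always mirrors local state,
    so it replicates whatever the ransomware wrote."""
    remote.clear()
    remote.update(local)


def simulate_ransomware(files: Dict[str, bytes], key: int = 0x5A) -> None:
    """Toy stand-in for ransomware: overwrite every file with XOR-'encrypted'
    bytes. Real ransomware uses strong ciphers; the effect on a mirror is the same."""
    for path in list(files):
        files[path] = bytes(b ^ key for b in files[path])


def run_scenario() -> dict:
    local = dict(SAMPLE_FILES)
    cloud: Dict[str, bytes] = {}
    mirror_sync(local, cloud)   # continuous sync already running before the attack
    offline = snapshot(local)   # offline, verified snapshot taken before the attack

    simulate_ransomware(local)  # the workstation is encrypted ...
    mirror_sync(local, cloud)   # ... and the sync client pushes the damage to the cloud

    cloud_usable = cloud == SAMPLE_FILES
    try:
        offline_usable = restore(offline) == SAMPLE_FILES
    except ValueError:
        offline_usable = False
    return {"cloud_mirror_usable": cloud_usable, "offline_snapshot_usable": offline_usable}


if __name__ == "__main__":
    print(run_scenario())  # {'cloud_mirror_usable': False, 'offline_snapshot_usable': True}
```

The mirror is unusable not because the sync client failed but because it worked exactly as designed; only a copy that is detached at a known-good point, and checked against its manifest before anyone relies on it, survives. In practice the same split applies to cloud storage with versioning or immutability enabled versus a plain sync folder.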

In other news

  • Mozilla patched a flaw in its implementation of certificate key pinning that enabled remote code execution on Firefox and Tor browsers, and would enable the unmasking of Tor users. Mozilla's implementation of key pinning, used to secure connections with its software update servers, did not use the HTTP Public Key Pinning protocol. The implementation mishandled pinned certificate expirations and created windows of vulnerability between the time Mozilla's key pinning certificates expired and the time the new certificates were updated. The bug was first described by security researcher Movrcx, who wrote that the vulnerability, when chained with other flaws, "allows a malicious exit node operator or global adversary to conduct a silent remote code execution attack on all platforms of the Tor Browser." Movrcx estimated the cost to launch an attack based on the flaw at roughly $100,000. The Tor Project wrote in a blog post about the extension update vulnerability that it "allows an attacker who is able to obtain a valid certificate for addons.mozilla.org to impersonate Mozilla's servers and to deliver a malicious extension update -- e.g., for NoScript. This could lead to arbitrary code execution. Moreover, other built-in certificate pinnings are affected as well. Obtaining such a certificate is not an easy task, but it's within reach of powerful adversaries (e.g., nation states)."
  • Microsoft will soon open its third Transparency Center in Beijing. Scott Charney, corporate vice president for Microsoft's trustworthy computing group, wrote, "Our new facility in Asia enables government IT experts to test and analyze our products closely and gain confidence that our software will stand up to their security needs when deployed broadly. These facilities are designed to provide deep ability to understand the security we deploy, and do so in an environment that ensures our products remain proprietary and protected. Simply put, governments have the ability to review our products and services, both manually and by running tools, but they cannot alter what is delivered to customers." The first Transparency Center was opened in July 2014 at Microsoft's Redmond, Wash., campus, and the second opened a year later in Brussels; the Beijing center will not be the last. "We plan to bring this capability to even more government customers through the addition of other new Microsoft Transparency Centers that will be announced in the coming weeks," Charney wrote.
  • Three news organizations sued the FBI for details of the hack purchased to gain access to the iPhone connected to last year's mass shooting in San Bernardino, Calif. The Associated Press, Gannett Co., which owns USA Today, and Vice Media filed a suit under the Freedom of Information Act "to learn who the government paid and how much it spent to hack into an iPhone in its investigation into last year's San Bernardino, California, massacre," according to the AP report. "The lawsuit seeks records about the FBI's contract with an unidentified vendor who provided a tool to unlock the phone used by Syed Rizwan Farook, who, with his wife, killed 14 people at a holiday gathering of county workers in December 2015."
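The Mozilla item above turns on how a built-in pin set behaves once its expiry date passes. The following added example (illustrative only; not Mozilla's or the Tor Project's code, and the SPKI bytes, host name and expiry date are constructed) computes HPKP-style SPKI pins and contrasts a check that silently stops enforcing pins after expiry, which opens the kind of window the item describes, with one that keeps requiring a matching pin until a fresh pin set replaces it.

```python
import base64
import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import FrozenSet, Iterable, Tuple


def spki_pin(spki_der: bytes) -> str:
    """HPKP-style pin: base64(SHA-256(SubjectPublicKeyInfo DER))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


@dataclass(frozen=True)
class PinSet:
    host: str
    pins: FrozenSet[str]
    expires: datetime  # built-in pin sets carry an expiry so stale clients do not break


def build_pinset(host: str, spkis: Iterable[bytes], expires: datetime) -> PinSet:
    return PinSet(host, frozenset(spki_pin(s) for s in spkis), expires)


# Constructed stand-ins for SPKI DER; real pins are computed from the server's chain.
LEGIT_SPKI = b"constructed-spki-of-the-real-update-server-key"
ROGUE_SPKI = b"constructed-spki-of-a-mis-issued-but-publicly-trusted-cert"

PIN_EXPIRY = datetime(2016, 9, 10, tzinfo=timezone.utc)  # constructed date
BEFORE_EXPIRY = PIN_EXPIRY - timedelta(days=1)
AFTER_EXPIRY = PIN_EXPIRY + timedelta(days=1)
UPDATE_PINS = build_pinset("addons.mozilla.org", [LEGIT_SPKI], PIN_EXPIRY)


def chain_matches(pinset: PinSet, chain_spkis: Iterable[bytes]) -> bool:
    """True if any key in the presented chain matches a pinned key.
    Pinning sits on top of ordinary CA validation, which is assumed to have passed."""
    return any(spki_pin(s) in pinset.pins for s in chain_spkis)


def pin_check_lenient(pinset: PinSet, chain_spkis: Iterable[bytes], now: datetime) -> bool:
    """Once the pin set has lapsed, pinning is silently switched off and the
    connection falls back to CA validation alone. Between pin expiry and the next
    client update, any publicly trusted certificate for the host passes."""
    if now > pinset.expires:
        return True
    return chain_matches(pinset, chain_spkis)


def pin_check_strict(pinset: PinSet, chain_spkis: Iterable[bytes], now: datetime) -> bool:
    """Keep enforcing the pins even after the expiry date: a lapsed pin set never
    degrades to 'no pins'. The legitimate key stays valid, the rogue one does not."""
    return chain_matches(pinset, chain_spkis)


def evaluate(chain_spkis: Iterable[bytes], now: datetime) -> Tuple[bool, bool]:
    """Return (lenient verdict, strict verdict) for a presented chain at time `now`."""
    chain = list(chain_spkis)
    return (pin_check_lenient(UPDATE_PINS, chain, now),
            pin_check_strict(UPDATE_PINS, chain, now))


if __name__ == "__main__":
    print("rogue cert, before expiry:", evaluate([ROGUE_SPKI], BEFORE_EXPIRY))  # (False, False)
    print("rogue cert, after expiry: ", evaluate([ROGUE_SPKI], AFTER_EXPIRY))   # (True, False)
```

The strict variant trades availability for safety: if the server's key rotates after the pin set has lapsed, clients that were never refreshed can no longer reach the update server, which is the reason built-in pin sets carry an expiry in the first place. The practical control is operational rather than code: ship a new pin set (still containing the old key) well before the old one expires, and alarm on the gap.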


Does the FBI ransomware alert go far enough? Why or why not?
What incentive is there for an individual company to report rather than pay the ransom? Is the FBI going to help solve these crimes, or are they just collecting information?
@Sharon: the FBI is asking people and companies to report any instance of ransomware, whether the ransom is paid or not.

The FBI is urging people to *not* pay, but whether victims pay or not, the FBI wants to know more about as many incidents as possible, so they can learn more about the scope and nature of the criminal threat.

They give two reasons to not pay: first, because it rewards the attackers and encourages them to keep up their attacks, but the second reason is that not all attackers are going to send decryption keys even if they get paid.
