Admitting it needs more information about the recent surge in ransomware attacks, the FBI issued a ransomware alert urging victims to provide details of the attacks and, if at all possible, to avoid paying off the attackers.
The FBI ransomware alert included a list of nine key pieces of information to include in reports of attacks. In addition to urging victims not to pay ransoms, the FBI offered advice on best practices to defend against ransomware attacks.
The alert acknowledged that many incidents go unreported: "Victims may not report to law enforcement for a number of reasons, including concerns over not knowing where and to whom to report; not feeling their loss warrants law enforcement attention; concerns over privacy, business reputation or regulatory data breach reporting requirements; or embarrassment. Additionally, those who resolve the issue internally, either by paying the ransom or by restoring their files from backups, may not feel a need to contact law enforcement."
However, noting the need for a greater understanding of the threat, the FBI ransomware alert urged victims to report any incidents to give law enforcement agencies the data they need to understand the threat, as well as to justify further investigations and, in some cases, provide information related to ongoing cases. "Knowing more about victims and their experiences with ransomware will help the FBI to determine who is behind the attacks and how they are identifying or targeting victims."
The FBI ransomware alert encourages victims to contact their local FBI office, and/or file a complaint with the Internet Crime Complaint Center, with nine pieces of information about the attack, including the date of infection; the ransomware variant; information about the victim company; how the infection occurred; the requested ransom amount; the attacker's bitcoin address; ransom paid, if any; overall cost of the infection, including the ransom; and a "victim impact statement."
As for whether to pay ransoms, the message was clear: "The FBI does not support paying a ransom to the adversary. Paying a ransom does not guarantee the victim will regain access to their data; in fact, some individuals or organizations are never provided with decryption keys after paying a ransom. Paying a ransom emboldens the adversary to target other victims for profit, and could provide incentive for other criminals to engage in similar illicit activities for financial gain."
However, the FBI acknowledged refusing to pay ransoms isn't always feasible. "While the FBI does not support paying a ransom, it recognizes executives, when faced with inoperability issues, will evaluate all options to protect their shareholders, employees and customers."
The alert included a list of recommended defenses against ransomware attacks, including regular and verified backups using offline storage. When using cloud storage for backups, the alert warned, "Some instances of ransomware have the capability to lock cloud-based backups when systems continuously back up in real time, also known as persistent synchronization."
In other news
- Mozilla patched a flaw in its built-in certificate pinning that could have led to remote code execution in Firefox and the Tor Browser, and so to the unmasking of Tor users. The pins Mozilla uses to secure connections to its software update servers are compiled into the browser rather than delivered through the HTTP Public Key Pinning protocol, and the implementation mishandled the expiry of those built-in pins: between the time a pinset expired and the time a build carrying refreshed pins shipped, pinning was not enforced, leaving a window in which any certificate a trusted CA would issue for the update host was accepted. The bug was first described by security researcher Movrcx, who wrote that the vulnerability, when chained with other flaws, "allows a malicious exit node operator or global adversary to conduct a silent remote code execution attack on all platforms of the Tor Browser." Movrcx estimated the cost to launch an attack based on the flaw at roughly $100,000. The Tor Project wrote in a blog post about the extension update vulnerability that it "allows an attacker who is able to obtain a valid certificate for addons.mozilla.org to impersonate Mozilla's servers and to deliver a malicious extension update -- e.g., for NoScript. This could lead to arbitrary code execution. Moreover, other built-in certificate pinnings are affected as well. Obtaining such a certificate is not an easy task, but it's within reach of powerful adversaries (e.g., nation states)."
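The following is an added illustration of the expiry window described above; it is example code written for this page, not Mozilla's or the Tor Project's. The host name, pinset expiry date and SPKI bytes are constructed stand-ins, and the certificate chain passed in is assumed to have already cleared ordinary CA validation (pinning is a check layered on top of that). It contrasts a pin check that fails open when the built-in pinset expires with one that fails closed, and computes how long the fail-open variant leaves pinning disabled.

```python
import base64
import hashlib
from datetime import datetime, timedelta, timezone

# Constructed stand-ins for DER-encoded SubjectPublicKeyInfo blobs. Real pins hash
# the DER SPKI of a certificate in the chain; any bytes suffice to show the logic.
LEGIT_SPKI = b"constructed: update server's real key"
ROGUE_SPKI = b"constructed: key in a cert a compromised CA issued for the same name"


def spki_pin(spki_der: bytes) -> str:
    """HPKP-style pin value: base64(SHA-256(SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


# Hypothetical built-in pinset for an update host. Static pinsets carry an expiry
# so that a build that is never updated does not keep stale pins forever.
PINSET = {
    "host": "updates.example.test",  # constructed; not a real Mozilla host
    "pins": {spki_pin(LEGIT_SPKI)},
    "expires": datetime(2016, 9, 10, tzinfo=timezone.utc),
}


def chain_matches_pins(chain_spkis, pinset) -> bool:
    """True if any SPKI in the (already CA-validated) chain matches a pin."""
    return any(spki_pin(spki) in pinset["pins"] for spki in chain_spkis)


def check_pins_fail_open(chain_spkis, now, pinset=PINSET) -> bool:
    """Models the weakness: once the built-in pinset expires, pinning is skipped,
    so a chain from any trusted CA is accepted until refreshed pins are installed."""
    if now >= pinset["expires"]:
        return True  # the window of vulnerability: no pin check at all
    return chain_matches_pins(chain_spkis, pinset)


def check_pins_fail_closed(chain_spkis, now, pinset=PINSET) -> bool:
    """Alternative: an expired pinset is a configuration fault, not a permission.
    Trade-off: a stale build loses its update channel until the pinset is refreshed."""
    if now >= pinset["expires"]:
        return False
    return chain_matches_pins(chain_spkis, pinset)


def exposure_days(pinset, refresh_date) -> int:
    """Days during which fail-open pinning is disabled: from pinset expiry until the
    build that carries refreshed pins is actually installed. Zero if there is no gap."""
    gap = refresh_date - pinset["expires"]
    return max(gap.days, 0)


def demonstrate(pinset=PINSET) -> dict:
    """Run both checks on either side of the pinset expiry and report the outcomes."""
    before = pinset["expires"] - timedelta(days=1)
    after = pinset["expires"] + timedelta(days=1)
    return {
        "legit_before_open": check_pins_fail_open([LEGIT_SPKI], before, pinset),
        "rogue_before_open": check_pins_fail_open([ROGUE_SPKI], before, pinset),
        "rogue_after_open": check_pins_fail_open([ROGUE_SPKI], after, pinset),
        "rogue_after_closed": check_pins_fail_closed([ROGUE_SPKI], after, pinset),
        # refreshed pins assumed to land five days after the old pinset expired
        "exposure_days": exposure_days(pinset, pinset["expires"] + timedelta(days=5)),
    }


if __name__ == "__main__":
    for name, value in demonstrate().items():
        print(f"{name:>20}: {value}")
```

The only line that matters is the early `return True` in `check_pins_fail_open`: it is what turns an expired pinset into "accept anything a trusted CA signed", which is exactly the capability the Tor Project quote describes. Failing closed removes that window but breaks updates for stale builds, so in practice the fix is to ship refreshed pins well before the old ones expire and to monitor `exposure_days` staying at zero.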
- Microsoft will soon open its third Transparency Center in Beijing. Scott Charney, corporate vice president for Microsoft's trustworthy computing group, wrote, "Our new facility in Asia enables government IT experts to test and analyze our products closely and gain confidence that our software will stand up to their security needs when deployed broadly. These facilities are designed to provide deep ability to understand the security we deploy, and do so in an environment that ensures our products remain proprietary and protected. Simply put, governments have the ability to review our products and services, both manually and by running tools, but they cannot alter what is delivered to customers." The first Transparency Center was opened in July 2014 at Microsoft's Redmond, Wash., campus, and the second opened a year later in Brussels; the Beijing center will not be the last. "We plan to bring this capability to even more government customers through the addition of other new Microsoft Transparency Centers that will be announced in the coming weeks," Charney wrote.
- Three news organizations sued the FBI for details of the tool it purchased to unlock the iPhone connected to last year's mass shooting in San Bernardino, Calif. The Associated Press, Gannett Co., which owns USA Today, and Vice Media filed a suit under the Freedom of Information Act "to learn who the government paid and how much it spent to hack into an iPhone in its investigation into last year's San Bernardino, California, massacre," according to the AP report. "The lawsuit seeks records about the FBI's contract with an unidentified vendor who provided a tool to unlock the phone used by Syed Rizwan Farook, who, with his wife, killed 14 people at a holiday gathering of county workers in December 2015."