October 4, 2019 – The FBI issued a warning on Wednesday in the form of a Public Service Announcement. The Announcement was posted on the Internet Crime and Complaint Center. The following is an excerpt.
WHAT IS RANSOMWARE?
Ransomware is a form of malware. It encrypts files on a victim’s computer or server, making them unusable. Cyber criminals demand a ransom in exchange for providing a key to decrypt the victim’s files.
Ransomware attacks are becoming more targeted, sophisticated, and costly, even as the overall frequency of attacks remains consistent. Since early 2018, the incidence of broad, indiscriminate ransomware campaigns has sharply declined, but the losses from ransomware attacks have increased significantly, according to complaints received by IC3 and FBI case information.
Although state and local governments have been particularly visible targets for ransomware attacks, ransomware actors have also targeted health care organizations, industrial companies, and the transportation sector.
HOW DOES RANSOMWARE INFECT ITS VICTIMS?
Cyber criminals use a variety of techniques to infect victim systems with ransomware. Cyber criminals upgrade and change their techniques to make their attacks more effective and to prevent detection.
The FBI has observed cyber criminals using the following techniques to infect victims with ransomware:
- Email phishing campaigns: The cyber criminal sends an email containing a malicious file or link. The link then downloads and deploys malware when clicked by a recipient. Cyber criminals historically used generic, broad-based spamming strategies to deploy their malware. Recent ransomware campaigns have been more targeted. Criminals may also compromise a victim’s email account by using precursor malware. This enables the cyber criminal to use a victim’s email account to further spread the infection.
- Remote Desktop Protocol vulnerabilities: RDP is a proprietary network protocol that allows individuals to control the resources and data of a computer over the internet. Cyber criminals have used both brute-force methods, a technique using trial-and-error to obtain user credentials, and credentials purchased on darknet marketplaces to gain unauthorized RDP access to victim systems. Once they have RDP access, criminals can deploy a range of malware—including ransomware—to victim systems.
- Software vulnerabilities: Cyber criminals can take advantage of security weaknesses in widely used software programs. They then gain control of victim systems and deploy ransomware. For example, cyber criminals recently exploited vulnerabilities in two remote management tools used by managed service providers (MSPs) to deploy ransomware on the networks of customers of at least three MSPs.
IF MY SYSTEM IS INFECTED, SHOULD I PAY THE RANSOM? SHOULD I CONTACT THE FBI?
The FBI does not advocate paying a ransom. The FBI does not guarantee an organization will regain access to its data. In some cases, victims who paid a ransom were never provided with decryption keys.
In addition, due to flaws in the encryption algorithms of certain malware variants, victims may not be able to recover some or all of their data even with a valid decryption key.
Paying ransoms emboldens criminals to target other organizations and provides an alluring and lucrative enterprise to other criminals. Businesses are faced with an inability to function; executives will evaluate all options to protect their shareholders, employees, and customers.
Regardless of whether you or your organization have decided to pay the ransom, the FBI urges you to report ransomware incidents to law enforcement. Doing so provides investigators with the critical information they need to track ransomware attackers, hold them accountable under U.S. law, and prevent future attacks.
The announcement can be found here.