
Forbes Oct 3, 2019, 06:00am
Davey Winder Cybersecurity

Be it the prohibition-era gangsters of the 1920s or the global war on terrorism, the Federal Bureau of Investigation (FBI) has been the primary U.S. investigative agency of the federal government with a responsibility to protect the nation. As part of what the FBI describes as being “a unique dual responsibility, to prevent harm to national security as the nation’s domestic intelligence agency and to enforce federal laws as the nation’s principal law enforcement agency,” it has increasingly had to deal with the cyber threat. One “high impact” and ongoing cyber threat has become such a critical concern that on October 2, the FBI issued a warning to U.S. businesses and organizations.

What is the high-impact threat to U.S. business?

The FBI’s Internet Crime Complaint Center (IC3) last posted a warning about ransomware on September 15, 2016. At that time, it was urging victims to report ransomware incidents to federal law enforcement to help paint a detailed picture of the threat. The threat landscape revealed has been a constantly changing one. The frequency of attacks has remained relatively consistent, but the nature of them has not. The FBI reports that the incidence of indiscriminate ransomware campaigns, such as evidenced by WannaCry in May 2017, has “sharply declined.” However, losses from ransomware have increased significantly as the attacks become “more targeted, sophisticated and costly.”

Ransomware attacks against state and local governments have been hitting the headlines a lot of late. Take, for example, the case of the State of Texas, which came under a coordinated ransomware attack, with 23 government agencies taken offline as a consequence. Schools have also come under attack as they are increasingly seen as a soft target by the criminal enterprises behind the ransomware campaigns.

Now the FBI has warned that “health care organizations, industrial companies, and the transportation sector,” are also being targeted. Although the attack methodologies continue to evolve, with cyber-criminals doing all they can to avoid detection, the FBI highlights three attack techniques that are being observed: email phishing campaigns, remote desktop protocol vulnerabilities and software vulnerabilities. Mitigation includes ensuring operating systems, software and device firmware are all updated with the latest security patches. Data should also be backed up regularly, and the integrity of these backups verified.

After three hospitals in Alabama were forced to turn away non-critical patients following a ransomware attack on October 1, Javvad Malik, security awareness advocate at KnowBe4, said “companies of all sizes across all verticals need to be prepared for ransomware and have in place not only technical controls to prevent, detect, and respond to it, but also raise security awareness among staff so that any attempts to install ransomware via phishing or other social engineering attacks can be thwarted.”

The FBI public service announcement also makes clear the stance of the Bureau when it comes to ransom payments: don’t. While the FBI sees the need for organizations to evaluate all options to protect the business from continued disruption and financial loss, it warns that “paying ransoms emboldens criminals to target other organizations and provides an alluring and lucrative enterprise to other criminals.”

There is never a guarantee that paying a ransom will secure a working decryption key to unlock your data, and in some cases, it is possible to turn to freely available ransomware decryption tools instead. An excellent example of where a victim didn’t pay up can be found in the city of New Bedford, Massachusetts, which was hit by a ransomware attack in July. City data was held hostage with a $5.3 million (£4.3 million) ransom, but officials decided against paying. Instead, the city deployed delaying tactics against the attacker and rebuilt systems to regain control of the locked-down data.

The FBI adds that, regardless of whether a ransom has been paid or not, victims should always report ransomware to law enforcement to provide the kind of critical information required to hold attackers accountable under the law.