Memo from the FBI: Please don't pay ransoms.
"The FBI does not condone payment of ransom, as payment of extortion monies may encourage continued criminal activity, lead to other victimizations, or be used to facilitate serious crimes," Christopher Stangl, section chief of the FBI's Cyber Division, tells me.
"Payment of extortion monies may encourage continued criminal activity."
As a result, victims are faced with the question of whether they should remediate and restore systems - if up-to-date backups have been maintained and stored offline - or take a chance on paying a ransom - which at least in the United States isn't illegal - and potentially being able to immediately restore affected systems. Neither scenario is a zero-sum game, since even restoring from backups will take time and thus potentially impact productivity or profitability (see Ransomware: Is It Ever OK to Pay?).
The number of ransomware infections surged in 2015, and that trend has continued this year, Laurance Dine, managing principal of the investigative response team at Verizon Enterprise Solutions, recently told me (see Ransomware Epidemic Prompts FBI Guidance).
Given that reality, I reached out to the FBI to ask how it's organizing to better battle this surge. In response, officials tell me that the FBI's Cyber Division actively identifies, pursues and attempts to disrupt all known "ransomware actors," and that it tracks all related crime. "The FBI reviews reported ransomware threats regardless of the loss amount," officials at its Cyber Division say. "The vast majority of current ransomware threats originate from a handful of variants. The FBI has dedicated resources to investigate these top ransomware threats. As new threats materialize, the FBI will continue to evolve to address them."
No Magic Bullets
Could the FBI be doing more to battle crypto-locker builders and users? That was the subtext of a letter Sen. Ron Wyden (D-Ore.) wrote in December 2015 to FBI Director James Comey, asking how the bureau was addressing ransomware, and questioning the veracity of a press report suggesting that the bureau sometimes advised victims to "just pay the ransom."
Donald J. Good, the deputy assistant director of the FBI's Cyber Division, responded to Wyden's letter on Feb. 8, 2016, in the form of an unclassified intelligence memo. Good repeated the bureau's admonition to never pay ransoms. He also noted while the FBI wouldn't comment on ongoing investigations, "most of the top cybercriminal actors that we are aware of are located outside of the United States," which obviously makes arresting many of them much more difficult. Regardless, "the FBI is committed to following the money in investigating all crimes with a financial component; ransomware is no exception," he wrote.
Cybercriminals are Lazy Too
Of course, it would help if fewer people suffered a ransomware infection and chose to pay, as numerous victims - and at least one major hospital, to the tune of $17,000 - have been doing (see Hollywood Hospital Pays Ransom to Unlock Data). As Sen. Barbara Boxer (D-Calif.) noted in an April letter to the FBI: "I am concerned that by hospitals paying these ransoms, we are creating a perverse incentive for hackers to continue these dangerous attacks."
Indeed, as Verizon's Dine recently told me, cybercriminals are "just as lazy as the rest of us," and when they find an inexpensive, safe - for them - and easy to execute attack that's also profitable, why would they stop?
The success of ransomware as a cybercrime business model continues to attract more developers - to create new types of ransomware - as well as users with criminal leanings, and has driven many of them to pursue bigger targets and payoffs. "Although the majority of these attacks are based upon phishing at the primary infection vector, the sophistication of these attacks is increasing to include the exploitation of vulnerabilities on a given server," the FBI says, as demonstrated by some recent ransomware infections at hospitals.
Prepare Now, or Pay Later
Meanwhile, organizations and individuals continue to become ransomware victims. On April 29, accordingly, the FBI issued yet another ransomware alert, recommending:
- Prevention: Prepare using both "awareness training for employees and robust technical prevention controls," including access controls, updated anti-malware tools and ensuring admin-level accounts remain locked down.
- Backup/restoration: Create "a solid business continuity plan" for dealing with a ransomware attack, including backup up data, verifying backups' integrity as well as ensuring backups aren't connected to systems or networks that they're backing up.
"Companies can prevent and mitigate malware infection by utilizing appropriate backup and malware detection and prevention systems, and training employees to be skeptical of emails, attachments, and websites they don't recognize," the FBI's Stangl tells me.
The FBI continues to urge all ransomware victims to continue to come forward, to help law enforcement officials identify malware variants being used, budget appropriately, and coordinate with public and private partners around the world to better track and disrupt the gangs behind such attacks. "If you think you or your organization have been the victim of ransomware, contact your local FBI field office and report the incident to the Bureau's Internet Crime Complaint Center," the FBI says.
Better still, prepare now, so you don't have to face potentially having to pay - one way or another - later. Because once you're a ransomware victim, the FBI can't help you.