This week the federal government dropped a bombshell on businesses. It interpreted existing rules and applied them to businesses that have had their files encrypted and held for ransom by cyber criminals. These existing rules are designed to stop US businesses from doing business with known international criminals and certain nations. That now includes paying a ransom to cyber criminals to release your files.
The people we used to call hackers, and imagined as some kid in their mom’s basement messing with people, aren’t that anymore. They are organized criminal enterprises making billions of dollars and attracting the world’s top talent to make bad things happen to good people. Apparently the money is irresistible to many people. The Office of Foreign Assets Control published the following information, as seen in the PDF linked above.
OFAC has designated numerous malicious cyber actors under its cyber-related sanctions program and other sanctions programs, including perpetrators of ransomware attacks and those who facilitate ransomware transactions.
For example, starting in 2013, a ransomware variant known as Cryptolocker was used to infect more than 234,000 computers, approximately half of which were in the United States. OFAC designated the developer of Cryptolocker, Evgeniy Mikhailovich Bogachev, in December 2016.
Starting in late 2015 and lasting approximately 34 months, SamSam ransomware was used to target mostly U.S. government institutions and companies, including the City of Atlanta, the Colorado Department of Transportation, and a large healthcare company.
In November 2018, OFAC designated two Iranians for providing material support to a malicious cyber activity and identified two digital currency addresses used to funnel SamSam ransomware proceeds. In May 2017, a ransomware known as WannaCry 2.0 infected approximately 300,000 computers in at least 150 countries. This attack was linked to the Lazarus Group, a cybercriminal organization sponsored by North Korea. OFAC designated the Lazarus Group and two subgroups, Bluenoroff and Andariel, in September 2019.
Beginning in 2015, Evil Corp, a Russia-based cybercriminal organization, used the Dridex malware to infect computers and harvest login credentials from hundreds of banks and financial institutions in over 40 countries, causing more than $100 million in theft. In December 2019, OFAC designated Evil Corp and its leader, Maksim Yakubets, for their development and distribution of the Dridex malware.
OFAC has imposed, and will continue to impose, sanctions on these actors and others who materially assist, sponsor, or provide financial, material, or technological support for these activities.
This is where you and Harbor come in. Paying the ransom to get your files released from encryption is materially assisting and providing financial support to these criminal organizations. I will let you read the remainder of the advisory, but the bottom line is that paying the ransom to get your files back is no longer a viable option. Further, your insurance company and financial institution can’t help you recover either.
While we’ve never encouraged anyone to pay the ransom, and we’ve worked to help you prevent ransomware events from occurring, we can’t prevent every scenario where this might occur. The criminals are always a step ahead. They have teams of the greatest minds working tirelessly to find ways around anything. One wrong click by one of your employees and they could be in. The best solution is employee training. We’ve offered 6 months of free security training to all of our customers – not all of you have taken us up on it. We offer custom training too. Your employees must be security savvy and have a high degree of computer and internet literacy. Training has to be a regularly scheduled, mandatory occurrence.
The other part of this is backup. Even the cloud needs backup. Not all of our customers are backing up their 365 environments. Without a backup, there’s no good recovery option.
Insurance is also a protective component of this. While they’ll no longer be able to pay the ransom for you, they can provide business recovery funding and assistance. We can help you obtain cyber insurance through our carrier. Let us know if you want a quote from them.
Of course, we need to start from a good implementation of the security features in your software. This means constant updating of settings. Every day the criminals come up with some new way to circumvent security settings. These settings have to be tweaked and new ones implemented on a regular basis. You’ll see this happening in the maintenance that we perform. But here again, some of it is very invasive and means our customers can’t do everything the same way they’ve been doing it. Change is here; change is protective. We get a lot of push back on change. Microsoft makes changes to 365 daily, some feature related but most security related. The volume of change is incredible. We’ll do our best, but as I said, the criminals are always ahead.
Bottom lines to keep your company from experiencing a serious costly ransom event:
- Employee training
- employee training
- employee training
- security settings maintenance
- business process modernization
- don’t click
- employee training
About Harbor Computer Services
Harbor Computer Services is an IT firm servicing Southeastern Michigan. We work exclusively under contract with our clients to provide technology direction and either become the IT department or provide assistance to the internal IT they already have. We have won many awards for our work over the years, including the worldwide Microsoft Partner of the Year in 2010. Most recently we were recognized as one of the top MSPs in the nation by ChannelFutures, coming in at #40 nationwide, and in 2016 as the top Michigan IT firm for Manufacturing. There are a few simple things that make Harbor Computer Services the best choice for your business.
- We are Professionals
- We are Responsible
- We care about your business