By Det. Trent Koppel
Recently, I read through the following information provided through a Law Enforcement Bulletin issued by the United States Secret Service. It was regarding ransomware. So before submitting information on an article idea, I paused to think how beneficial this particular subject matter would be for this forum, and then it happened! A member of my family’s computer was “held Ransom” until she would pay a large sum of money in order to release her work documents! Documents I might add that she had been working on for months… Hence, my answer quickly changed to YES!
This is what the GIOC (Global Investigative Operations Center) had to say:
The GIOC has recently observed an increase in notifications concerning ransomware events. Ransomware is a type of malicious software cyber actors use to deny access to systems or data. In these events, a malicious cyber actor holds systems or data hostage until a ransom is paid. Frequently, after the initial infection, the ransomware attempts to spread to shared storage drives and other accessible systems. If ransom demands aren’t met, the system or encrypted data remains unavailable or data may be erased. This is exactly what happened in the case of my family member.
This type of malware attempts to extort money from victims by displaying an on-screen alert advising the victim that their computer has been locked or that their files have been encrypted (typically using RSA 2048 encryption) and demanding that a ransom be paid to restore access. The system remains encrypted until the victim pays the ransom in exchange for a decryption key, which allows the user to regain access. This can be scary, the threat is ongoing, and unfortunately, once the victim pays, they are usually sought out again in the near future for more money!
Recent statistics show the average ransom demand is $522. However, this amount can be substantially higher if the target is a business or organization and not an individual. Increasingly, ransom is demanded via virtual currency, such as payment to a Bitcoin address.
Answering the question “how do they do this?” or “how can they access my computer’s network?” is not always simple, but for the “average Joe” it is most often through an open Wi-Fi connection.
The following measures can make a system or network more secure against malware or similar types of attacks:
- Update software and operating systems with the latest patches. Unpatched software is one of the most common vulnerabilities, and it is easily fixable.
- Restrict users’ permissions to install and run software applications, and apply the principle of “least privilege” to all systems and services. Restricting these privileges may prevent malware from running or limit its capability to spread through a network.
- Use application whitelisting to allow only approved programs to run on a network. (Whitelisting is a process by which the user tells the network which applications, whether already running or newly arriving, are considered “safe”; the same approach also applies to email senders and domains.)
- Enable strong spam filters to prevent phishing emails from reaching the end users and authenticate inbound email to prevent email spoofing.
- Scan all incoming and outgoing emails to detect threats and filter executable files from reaching end users.
- Configure firewalls to block access to known malicious IP addresses.
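The email scanning measure above (filtering executable files before they reach end users) is the one most easily shown in code. The following is an added example, not part of the Secret Service bulletin: it parses a constructed sample message with Python's standard `email` library and flags attachments that are executables, catching both the double-extension trick (“invoice.pdf.exe”) and a renamed executable whose harmless-looking name hides a Windows PE (“MZ”) header. The extension list and all message contents are constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

# Extensions Windows will run directly when double-clicked (constructed list, not exhaustive).
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".bat", ".cmd", ".js", ".vbs", ".ps1", ".msi", ".hta"}
# Magic bytes of Windows PE ("MZ") and Linux ELF binaries: catches executables renamed to look benign.
EXECUTABLE_MAGIC = (b"MZ", b"\x7fELF")


def attachment_is_executable(filename, payload):
    """True if the attachment should be filtered, judged by every suffix and by file magic."""
    name = (filename or "").lower()
    # Look at every suffix, not just the last, so "invoice.pdf.exe" and "report.exe.txt" both trip it.
    suffixes = name.split(".")[1:]
    if any("." + s in EXECUTABLE_EXTENSIONS for s in suffixes):
        return True
    # Content check: a "PDF" whose bytes start with MZ is a renamed program, not a document.
    return payload[:4].startswith(EXECUTABLE_MAGIC)


def scan_message(raw_bytes):
    """Return the filenames of attachments in a raw RFC 822 message that should be blocked."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    flagged = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        data = part.get_payload(decode=True) or b""
        if attachment_is_executable(name, data):
            flagged.append(name)
    return flagged


def build_sample_message():
    """Constructed sample: a fake 'invoice' mail carrying one disguised and one renamed executable."""
    msg = EmailMessage()
    msg["From"] = "billing@example.com"
    msg["To"] = "user@example.org"
    msg["Subject"] = "Overdue invoice"
    msg.set_content("Please see the attached invoice.")
    # Double extension: looks like a PDF, is an .exe. Only the MZ magic is present, not a real program.
    msg.add_attachment(b"MZ\x90\x00" + b"\x00" * 28, maintype="application",
                       subtype="octet-stream", filename="invoice.pdf.exe")
    # Benign text attachment that must pass.
    msg.add_attachment("Quarterly totals", filename="notes.txt")
    # Renamed executable: harmless name and MIME type, but PE magic bytes.
    msg.add_attachment(b"MZ\x90\x00", maintype="application", subtype="pdf", filename="statement.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    print(scan_message(build_sample_message()))  # ['invoice.pdf.exe', 'statement.pdf']
```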
Any questions relating to this alert can be directed to your local law enforcement agency or the United States Secret Service. If you find that you are already a victim, you are encouraged NOT TO PAY the ransom.
The Secret Service reports that paying a ransom does not guarantee an organization will regain access to its data; in fact, some individuals or organizations were never provided with decryption keys after having paid a ransom, while others have been continually extorted by new demands. On average, paying the ransom results in decryption of 77% of the network data.
Lastly, this information and other relevant reports related to a ransomware attack can be sent to the GIOC at firstname.lastname@example.org, to be collected for criminal intelligence purposes. People are also encouraged to file a victim complaint with IC3 at www.ic3.gov/complaint. Just make sure that when you do go online to make the complaint, you check the URL in your browser’s address bar to ensure you’re on the right website before submitting any information. Unfortunately, “the bad guys” have also figured out how to disguise these particular sites to gather additional information from you, victimizing you once again. Check twice, to avoid being a victim!
Trent Koppel is a St. Louis-based detective and adjunct professor at Maryville University.