Ransomware: A Law Enforcement Perspective

Posted by Mark Greisiger

A Q&A with Benjamin Stone of the FBI
It’s becoming an increasingly common story: Cyber perpetrators lock systems down with malware and then demand payment to release them. I asked Benjamin Stone, Supervisory Special Agent of the FBI’s Cyber Criminal Squad in Philadelphia, about ransomware and current conditions for cyber criminal activity.

What is ransomware?
Ransomware is a type of malware—malicious software—designed to block access to a computer or system until a sum of money is paid. The two most prevalent types I’m seeing now are Cryptowall, which is now in its third version and shows up on Windows operating systems, and ransomware appearing on Android phones. The way ransomware on phones normally presents itself is as a screen which appears to be from the FBI or another law enforcement agency, telling the user they have been looking at pornographic websites and will have to pay to unlock their phone. It usually comes from an app that’s downloaded outside of Google Play. The phone version affects individuals in most cases, while Cryptowall has affected companies, government agencies, and individuals.

What types of organizations are most susceptible to Cryptowall?
A larger organization can segregate machines that have been impacted and take them offline, so it’s just a matter of replacing the affected machines. Cryptowall has had a bigger impact on smaller organizations such as small to medium-sized businesses, where it can encrypt networked machines and effectively shut down operations. I’ve also seen it attack police departments. In general, I don’t think these organizations are being targeted; it’s usually an individual that falls prey to a phishing scheme and clicks on an attachment, which initiates the malware.


How might an organization prevent, prepare for, or mitigate this exposure?
The biggest thing is to educate employees about what to look for, making sure they don’t click on any unfamiliar attachments. Organizations should regularly back up data and backups need to be secured off the network in a non-network drive or in the cloud. Cryptowall is insidious and will identify network drives and encrypt them. It’s key to filter all emails that contain executable files—often the attachments will masquerade as a PDF, when they are really an .exe. Make sure all software is patched and updated.
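The attachment filtering SA Stone describes can be checked mechanically: an attachment named as a PDF should start with the PDF signature, not the "MZ" header of a Windows executable. The following is an added example from the editor, not code from the interview or the FBI; the mail message, sender addresses and file contents are constructed sample data.

```python
import email
from email.message import EmailMessage
from email.policy import default

# Leading bytes of the two formats the interview contrasts: a genuine PDF
# begins with "%PDF"; a Windows PE executable begins with the "MZ" DOS header.
MAGIC = {b"%PDF": "pdf", b"MZ": "exe"}
EXECUTABLE_EXTENSIONS = {"exe", "scr", "com", "bat", "cmd", "js", "vbs"}
DOCUMENT_EXTENSIONS = {"pdf", "doc", "docx", "xls", "xlsx"}


def sniff_type(data: bytes) -> str:
    """Return the type implied by the attachment's first bytes, or 'unknown'."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def check_attachment(filename: str, data: bytes) -> dict:
    """Flag an attachment whose name claims one thing and whose bytes say another."""
    parts = filename.lower().split(".")
    claimed = parts[-1] if len(parts) > 1 else ""
    actual = sniff_type(data)
    reasons = []
    if claimed in EXECUTABLE_EXTENSIONS:
        reasons.append(f"executable extension .{claimed}")
    if len(parts) > 2 and parts[-2] in DOCUMENT_EXTENSIONS:
        reasons.append("double extension")          # e.g. invoice.pdf.exe
    if claimed == "pdf" and actual == "exe":
        reasons.append("PDF name but PE (MZ) header")
    elif actual == "exe":
        reasons.append("PE (MZ) header")
    return {"filename": filename, "claimed": claimed, "actual": actual,
            "block": bool(reasons), "reasons": reasons}


def scan_message(raw: bytes) -> list:
    """Run check_attachment over every attachment of an RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=default)
    return [check_attachment(p.get_filename() or "", p.get_payload(decode=True) or b"")
            for p in msg.iter_attachments()]


def build_sample() -> bytes:
    """Constructed sample: one real PDF and one executable disguised as a PDF."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "a@example.invalid", "b@example.invalid", "Invoice"
    msg.set_content("Please see attached.")
    msg.add_attachment(b"%PDF-1.4 constructed", maintype="application", subtype="pdf", filename="real.pdf")
    msg.add_attachment(b"MZ\x90\x00 constructed", maintype="application", subtype="pdf", filename="invoice.pdf")
    return bytes(msg)
```

Running `scan_message(build_sample())` passes the first attachment and blocks the second, which is exactly the "looks like a PDF, is really an .exe" case the interview warns about.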

In the case of an actual ransomware incident what steps can an IT team take? How would a company engage the FBI to handle the situation?
If you detect Cryptowall, and you can catch it in time and are lucky, disable the folder where it originates; you may save yourself from encryption. If someone is a victim of this crime, they can call their FBI field office. Unfortunately, we are not in a position to unlock the files yet, but if you can tell us about your situation—specifically about the instructions you received from the criminals—it will help us build a case and understand how it’s happening, which can help us prevent it in the future. In general, I don’t advocate for paying the ransom, but that’s an individual decision. I know organizations that have paid the ransom and gotten their files back.

On another note: Might you offer some comment on the recent Kaspersky Report on bank breaches and its implications for companies?
What we see here is that criminals are always looking for the next vulnerability; we have to remain attentive because they are nothing if not inventive and creative. At the FBI we are working with key industry partners to stay ahead of the threat, but we know that once a threat is identified the criminals are on to the next thing so it’s an ongoing battle.

In Summary…
We want to thank SA Stone for his insights into ransomware. This type of threat is more prevalent than many organizations realize, largely because it’s not often publicly reported. Over the past two years we have seen many insured businesses (large and small) fall victim to this attack, and cyber liability insurers are paying for claims as a result. The keys to mitigation are exactly what SA Stone pointed out—having reliable backups and educating/reminding staff about very real-looking phishing emails containing malicious attachments.