In early October of 2019, the Department of Justice issued FBI Ransomware Guidance. The FBI Ransomware Guidance is a public service announcement that contains updated information about the ransomware threat. This FBI Ransomware Guidance updates and is a companion to Ransomware PSA I-091516-PSA posted on www.ic3.gov in 2016.
What is Included in Latest FBI Ransomware Guidance?
The FBI Ransomware Guidance begins with the definition of ransomware. Ransomware is a form of malware that encrypts files on a victim’s computer or server, making them unusable. Cybercriminals demand a ransom in exchange for providing a key to decrypt the victim’s files.
The guidance further notes that ransomware attacks are becoming more targeted, sophisticated, and costly, even as the overall frequency of attacks remains consistent. According to the guidance, since early 2018, the number of broad, indiscriminate ransomware “campaigns” has gone down. However, the financial losses sustained from ransomware attacks have gone up significantly, according to complaints received by the Internet Crime Complaint Center (IC3) and FBI case information.
How Does Ransomware Work?
As noted in the guidance, the FBI has observed cybercriminals using the following techniques to infect victims with ransomware:
- Email Phishing Campaigns: In a phishing campaign, the cybercriminal sends an email containing a malicious file or link, which deploys malware when clicked by a recipient. While cybercriminals previously used generic spamming strategies to deploy the malware, recent ransomware attacks have been more targeted.
- A specific type of malware known as precursor malware compromises a victim’s email account, allowing the cyberattacker to use that account to further expand the infection.
- Remote Desktop Protocol Vulnerabilities: RDP is a proprietary network protocol. RDP allows individuals to control the resources and data of a computer over the Internet. Cybercriminals have used “brute force” methods to gain unauthorized RDP access. A “brute force” attack consists of successive attempts at various password combinations to break into a website. Cyberattackers also use credentials purchased on darknet marketplaces to gain unauthorized RDP access to victim systems. Once a cybercriminal has gained RDP access, the cybercriminal can then deploy a range of malware – including ransomware – to target systems.
- Software vulnerabilities: Cyber criminals can take advantage of security weaknesses in widely used software programs to gain control of victim systems and deploy ransomware. For example, cyber criminals recently exploited vulnerabilities in two remote management tools used by managed service providers (MSPs) to deploy ransomware on the networks of customers of at least three MSPs.
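As an added illustration of the RDP brute-force technique described above, seen from the defender's side (this is example code, not part of the FBI guidance or this article): it scans Windows Security log events for a source address that produced a burst of failed RDP logons and reports whether a successful logon from that source followed, which is the pattern of a guessed or purchased credential being used. The event tuples are constructed sample data, and the threshold and window are assumed values a team would tune.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, not real logs: (timestamp, event_id, logon_type, source_ip, account).
# Event ID 4625 = failed logon, 4624 = successful logon; logon type 10 = RemoteInteractive (RDP).
SAMPLE_EVENTS = [
    ("2019-10-03T02:14:01", 4625, 10, "203.0.113.45", "administrator"),
    ("2019-10-03T02:14:03", 4625, 10, "203.0.113.45", "admin"),
    ("2019-10-03T02:14:05", 4625, 10, "203.0.113.45", "backup"),
    ("2019-10-03T02:14:07", 4625, 10, "203.0.113.45", "sysadmin"),
    ("2019-10-03T02:14:09", 4625, 10, "203.0.113.45", "jsmith"),
    ("2019-10-03T02:14:12", 4624, 10, "203.0.113.45", "jsmith"),   # burst ends in a success
    ("2019-10-03T08:00:00", 4625, 10, "192.0.2.10", "jdoe"),        # one typo, then success: benign
    ("2019-10-03T08:00:30", 4624, 10, "192.0.2.10", "jdoe"),
    ("2019-10-03T09:00:00", 4625, 2, "127.0.0.1", "svc"),            # not RDP, ignored
]

RDP_LOGON_TYPE = 10


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Return {source_ip: details} for every source with >= threshold failed RDP
    logons inside one sliding time window (threshold and window are assumed values)."""
    by_ip = defaultdict(list)
    for ts, event_id, logon_type, src, account in events:
        if logon_type == RDP_LOGON_TYPE:
            by_ip[src].append((datetime.fromisoformat(ts), event_id, account))

    alerts = {}
    for src, rows in by_ip.items():
        rows.sort()
        failures = [ts for ts, eid, _ in rows if eid == 4625]
        start = 0
        for end in range(len(failures)):
            # Slide the window start forward until it spans at most `window` seconds.
            while failures[end] - failures[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                burst_end = failures[end]
                # A 4624 from the same source after the burst suggests a credential was found.
                success = any(eid == 4624 and ts >= burst_end for ts, eid, _ in rows)
                alerts[src] = {
                    "failures": len(failures),
                    "accounts": sorted({a for _, e, a in rows if e == 4625}),
                    "followed_by_success": success,
                }
                break
    return alerts


if __name__ == "__main__":
    for src, info in detect_rdp_bruteforce(SAMPLE_EVENTS).items():
        print(src, info)
```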
Should Organizations Pay the Ransom?
The FBI Ransomware Guidance does not advocate paying a ransom, in part because payment is no guarantee that an organization will regain access to its data. This point is not just theoretical; in the FBI’s experience in several cases, victims who paid a ransom were never given promised decryption keys.
Moreover, as noted in the FBI Ransomware Guidance, due to flaws in the encryption algorithms of certain variants of malware, victims may be unable to recover some or all of their data even with a valid decryption key.