- Oct 23, 2012
The FBI has published an official statement on its stance on ransomware infections, urging any victims, company or individual, to report such incidents to federal law enforcement.
The FBI has been under a lot of criticism after one of its agents disclosed to members of the press that, in many situations, they advise companies to pay the ransom.
The FBI agent's advice was not only taken out of context by many media agencies but also considered an official policy when it was clearly not.
Following the dissemination of these news stories and some high-profile ransomware infections, the FBI was called to answer for its "official stance" on ransomware infections in front of the US Senate, with FBI Director James Comey answering an official inquiry back in April.
FBI wants complaints for every ransomware infection that takes place in the US
The Bureau dispelled any confusion regarding its position on ransomware today when it published a public service announcement (PSA) regarding what companies or US citizens should do.
The PSA, posted on the website of the FBI's Internet Crime Complaint Center (IC3), makes it clear that the FBI wants victims to contact the IC3 and make a formal complaint.
The FBI wants victims to tell it the date of the infection, the ransomware variant that infected their systems, company data (business size, industry vertical), how the infection occurred (email, browser, USB), the amount of the ransom fee, the Bitcoin wallet to which the payment was requested, if the victim paid the ransom, and overall losses associated with the infection.
The FBI even wants victims to add a short personal statement in which they describe in their own words the impact this infection had on them and their business.
The agency is encouraging users to file a complaint even if they paid the ransom or recovered the data from backups. The Bureau says it needs this information too, in order to form a fuller picture of ransomware infections across the US.
FBI makes its position clear, once and for all
The Bureau also finally made its position clear on paying the ransom, something that had caused many problems since last year.
“The FBI does not support paying a ransom to the adversary. Paying a ransom does not guarantee the victim will regain access to their data; in fact, some individuals or organizations are never provided with decryption keys after paying a ransom. Paying a ransom emboldens the adversary to target other victims for profit, and could provide incentive for other criminals to engage in similar illicit activities for financial gain. While the FBI does not support paying a ransom, it recognizes executives, when faced with inoperability issues, will evaluate all options to protect their shareholders, employees, and customers.”
The PSA also contained a series of recommendations and defenses to prevent ransomware infections in the future, which are reproduced below.
Defense
The FBI recommends users consider implementing the following prevention and continuity measures to lessen the risk of a successful ransomware attack.
- Regularly back up data and verify the integrity of those backups. Backups are critical in ransomware incidents; if you are infected, backups may be the best way to recover your critical data.
- Secure your backups. Ensure backups are not connected to the computers and networks they are backing up. Examples might include securing backups in the cloud or physically storing them offline. It should be noted, some instances of ransomware have the capability to lock cloud-based backups when systems continuously back up in real-time, also known as persistent synchronization.
- Scrutinize links contained in e-mails and do not open attachments included in unsolicited e-mails.
- Only download software – especially free software – from sites you know and trust. When possible, verify the integrity of the software through a digital signature prior to execution.
- Ensure application patches for the operating system, software, and firmware are up to date, including Adobe Flash, Java, Web browsers, etc.
- Ensure anti-virus and anti-malware solutions are set to automatically update and regular scans are conducted.
- Disable macro scripts from files transmitted via e-mail. Consider using Office Viewer software to open Microsoft Office files transmitted via e-mail instead of full Office Suite applications.
- Implement software restrictions or other controls to prevent the execution of programs in common ransomware locations, such as temporary folders supporting popular Internet browsers, or compression/decompression programs, including those located in the AppData/LocalAppData folder.
- Focus on awareness and training. Because end users are often targeted, employees should be made aware of the threat of ransomware, how it is delivered, and trained on information security principles and techniques.
- Patch all endpoint device operating systems, software, and firmware as vulnerabilities are discovered. This precaution can be made easier through a centralized patch management system.
- Manage the use of privileged accounts by implementing the principle of least privilege. No users should be assigned administrative access unless absolutely needed. Those with a need for administrator accounts should only use them when necessary; they should operate with standard user accounts at all other times.
- Configure access controls with least privilege in mind. If a user only needs to read specific files, he or she should not have write access to those files, directories, or shares.
- Use virtualized environments to execute operating system environments or specific programs.
- Categorize data based on organizational value, and implement physical/logical separation of networks and data for different organizational units. For example, sensitive research or business data should not reside on the same server and/or network segment as an organization’s e-mail environment.
- Require user interaction for end user applications communicating with Web sites uncategorized by the network proxy or firewall. Examples include requiring users to type in information or enter a password when the system communicates with an uncategorized Web site.
- Implement application whitelisting. Only allow systems to execute programs known and permitted by security policy.
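The first two recommendations above say to back up data, verify the integrity of those backups, and keep them disconnected from the systems they protect. The following script is an added example written for this article; it is not code from the article or from the FBI. It assumes the backup is a directory tree and that a manifest of SHA-256 hashes was written when the backup was taken and stored on separate, offline media, so that a backup copy later overwritten from an infected host (the "connected backup" case the PSA warns about) shows up as a hash mismatch, a missing file, or an unexpected new file when the set is checked before restoring from it. The directory contents and the simulated damage are constructed inside a temporary folder created by the script itself.

```python
"""Verify a backup set against a hash manifest written at backup time.

Added example (not the article's or the FBI's code). Assumes the manifest
(relative path -> SHA-256) was produced when the backup was made and kept
offline, separate from the backup media itself.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backup files do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(backup_root: Path) -> dict:
    """Hash every regular file under backup_root, keyed by relative POSIX path."""
    manifest = {}
    for path in sorted(backup_root.rglob("*")):
        if path.is_file():
            manifest[path.relative_to(backup_root).as_posix()] = sha256_file(path)
    return manifest


def verify_backup(backup_root: Path, manifest: dict) -> dict:
    """Compare the backup tree on disk with the stored manifest.

    modified   - files present in both but with a different hash (overwritten/encrypted)
    missing    - files listed in the manifest that are gone (deleted or renamed)
    unexpected - files not in the manifest (renamed copies, dropped notes, stray data)
    """
    current = build_manifest(backup_root)
    modified = sorted(p for p, h in manifest.items() if p in current and current[p] != h)
    missing = sorted(p for p in manifest if p not in current)
    unexpected = sorted(p for p in current if p not in manifest)
    return {
        "modified": modified,
        "missing": missing,
        "unexpected": unexpected,
        "ok": not (modified or missing or unexpected),
    }


def demo() -> dict:
    """Constructed scenario: a clean backup set, then the same set after tampering.

    Everything here lives in a temporary directory created by this function.
    The tamper step stands in for a backup share that stayed reachable from an
    infected machine; it only rewrites the constructed files below.
    """
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "finance").mkdir()
        (root / "finance" / "ledger.xlsx").write_bytes(b"quarterly ledger (constructed)")
        (root / "readme.txt").write_bytes(b"backup set, constructed sample")

        # The manifest is serialised exactly as it would be stored on offline media.
        manifest_json = json.dumps(build_manifest(root), sort_keys=True)
        clean = verify_backup(root, json.loads(manifest_json))

        # Simulated damage: one file overwritten, one renamed, one new file dropped.
        (root / "finance" / "ledger.xlsx").write_bytes(b"\x00\xffnot the ledger any more")
        (root / "readme.txt").rename(root / "readme.txt.locked")
        (root / "HOW_TO_DECRYPT.txt").write_bytes(b"constructed placeholder note")
        damaged = verify_backup(root, json.loads(manifest_json))

    return {"clean": clean, "damaged": damaged}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The point of keeping the manifest apart from the backup is that whatever can overwrite the backup files can also overwrite a manifest stored next to them; a check against a copy held offline is what tells you the restore source is still the data you wrote, rather than discovering that during the recovery itself.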
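The recommendation to disable macro scripts in files transmitted via e-mail can be backed by a gateway-side check that looks inside the attachment rather than trusting its extension. The script below is an added example, not code from the article or the FBI. It assumes the attachments are modern Office (OOXML) files, which are ZIP containers that store a VBA project as a `vbaProject.bin` entry; legacy OLE2 files (.doc, .xls) are reported as unknown because inspecting them needs an OLE parser. The sample attachments are constructed in memory by the script.

```python
"""Classify e-mailed Office attachments by whether they carry a VBA project.

Added example (not the article's or the FBI's code). OOXML documents are ZIP
containers; macro-enabled ones contain an entry named vbaProject.bin
(word/vbaProject.bin, xl/vbaProject.bin, ppt/vbaProject.bin).
"""
import io
import zipfile
from typing import Dict, List, Tuple

# Extensions that are supposed to be macro-free. A VBA project inside one of
# these is a mismatch between what the name claims and what the file holds.
MACRO_FREE_EXTENSIONS = {"docx", "xlsx", "pptx"}


def make_ooxml(entries: Dict[str, bytes]) -> bytes:
    """Build a minimal OOXML-style ZIP container in memory (constructed test data only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


def classify_attachment(filename: str, data: bytes) -> str:
    """Return 'macro', 'macro-mismatch', 'clean' or 'unknown' for one attachment."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if not data.startswith(b"PK\x03\x04"):
        return "unknown"          # not a ZIP container, e.g. a legacy OLE2 .doc/.xls
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = [n.lower() for n in zf.namelist()]
    except zipfile.BadZipFile:
        return "unknown"          # claims to be a ZIP but cannot be parsed
    has_vba = any(n.endswith("vbaproject.bin") for n in names)
    if has_vba and ext in MACRO_FREE_EXTENSIONS:
        return "macro-mismatch"
    return "macro" if has_vba else "clean"


def triage(attachments: List[Tuple[str, bytes]]) -> Dict[str, str]:
    """Classify every (filename, bytes) pair; the caller decides what to quarantine."""
    return {name: classify_attachment(name, data) for name, data in attachments}


# Constructed sample attachments standing in for what a mail gateway would see.
SAMPLE_ATTACHMENTS: List[Tuple[str, bytes]] = [
    ("invoice.docm", make_ooxml({
        "[Content_Types].xml": b"<Types/>",
        "word/document.xml": b"<w:document/>",
        "word/vbaProject.bin": b"\xd0\xcf\x11\xe0 constructed VBA container",
    })),
    ("report.docx", make_ooxml({
        "[Content_Types].xml": b"<Types/>",
        "word/document.xml": b"<w:document/>",
    })),
    ("quote.xlsx", make_ooxml({          # macro-free name, VBA project inside
        "[Content_Types].xml": b"<Types/>",
        "xl/workbook.xml": b"<workbook/>",
        "xl/vbaProject.bin": b"\xd0\xcf\x11\xe0 constructed VBA container",
    })),
    ("old.doc", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 16),   # OLE2 header
]


if __name__ == "__main__":
    for name, verdict in triage(SAMPLE_ATTACHMENTS).items():
        print(f"{name:14s} {verdict}")
```

A gateway policy built on this would quarantine "macro" and "macro-mismatch" verdicts and route "unknown" legacy formats to a converter or viewer, which is the same intent as the PSA's suggestion to open mailed Office files in a viewer rather than the full suite.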