Paying Ransomware Demands Can Be Illegal

If you are targeted by hackers with ransomware and decide to pay the ransom to get your data back, you might be investigated by the government. The current regulations come from the International Emergency Economic Powers Act and the Trading With the Enemy Act. These essentially make it illegal for companies and individuals to pay the hackers on the Office of Assets Control’s list of cyber terrorists. This also includes people who may pay on behalf of a client, such as a cyber insurance company.

According to a memo released by the OAC, “[organizations] are generally prohibited from engaging in transactions, directly or indirectly, with individuals or entities on OFAC’s Specially Designated Nationals and Blocked Persons List, other blocked persons, and those covered by extensive country or region embargoes.” This includes organizations that may not be on the list.

Cyber criminals started with individuals, but as they made more and more money they were able to refine their process. They are now targeting entities such as banks, hospitals, legal firms, and schools. Some of the cyber criminals have taken it a step further and created ransomware as a service. In these cases, the ransomware variant is rented out to the user and the owner is given a cut of the ransom. It’s very sinister, and it doesn’t seem to be getting better.

In 2020 the total amount paid for ransomware attacks increase more than 300% when compared to the previous year. This amounts to a nearly $350 million payday for the bad guys. To make matters even worse the actual numbers are likely a lot higher due to underreporting.

It may seem important to pay the ransom in order to retrieve your data and/or make sure that it doesn’t get released to the public, but in some cases the sanction you may receive will cost more than the demands. In many cases making payment only escalates the situation. In others the criminals don’t even make good on their promises to return stolen data or provide decryption keys.

Don’t Become a Victim:

Endpoint Security

Most ransomware attacks start with a single workstation or server. All your machines need to be secured with Endpoint Security that can protect your organization from all cyber threats, not just ransomware.

Awareness Training

Having employees that are conscious of their role in an organization’s information security is extremely important. Deploying the right awareness training will help mitigate and even prevent ransomware attacks.  

Backups

Technically, you will still be a victim if ransomware is deployed on your network. Having a solid backup solution can help you avoid major disruptions and keep you from having to negotiate with terrorists.

Policies & Procedures

Almost every single victim of ransomware lacks the proper policies and procedures to secure their organization. This failure to prioritize information security often leads to a damaged reputation, lost revenue, bankruptcy, and, in some cases, organizations have to close their doors for good.

Policies & Procedures

Traditional solutions don’t fit their environment and they aren’t agile enough to keep up with the evolving landscape. This always leads to problems that can be traced back to poor implementation, or lack, of modern policies and procedures. Don’t make the same mistakes. Allow us to connect you with our partner today.

Phishing Sites Use CAPTCHA to Avoid Detection

There is an increasing number of phishing websites that are using CAPTCHA product in order to appear legitimate. For those of us who are unaware, a CAPTCHA is a security feature that helps identify the user as human (compared to a bot). This helps websites avoid getting hundreds to thousands of automated user requests. It seems that because so many major brands use them on their websites they are becoming synonymous with legitimacy.

There are two reasons why the phishing sites may be doing this. Not only can adding a CAPTCHA help evade systems that are designed to detect phishing websites, but it also makes the website seem like a legitimate website, as most websites that have a CAPTCHA are secure websites. This can lead to users creating accounts on fraudulent websites and risks them losing their personal information.

Seems difficult to do, right? Google makes it easy to get a reCAPTCHA (Google’s version of CAPTCHA), requiring only that the user sign up with Google. They then get an API key, which they can then add onto their websites. Until Google analyzes requests more closely, it’s easy for scammers to use these to create a false sense of security.

Having the right awareness training program can help employees identify phishing sites and emails. Many data breaches are a direct result of a simple phishing attack.

Awareness Training

It’s time for a training solution that is easy to understand, deeply engaging, remarkably consistent, and to-the-point. You’ll maintain productivity while keeping information security top-of-mind.  Click on the button below to get started with our partner providing awareness training with an unmatched value. 

Here’s How Much Your Stuff is Going to Cost to Get Back

Dear Organization,

It was so kind of you to leave your systems so vulnerable. It was very easy for me to grab a few things I thought I wanted. Turns out I don’t really need them, so I’ll be glad to give them back. For a price.

Your Domain

It’s tied to your website and email. It’s on all of your marketing material that you spent quite a bit on. It seems to be a critical part of your brand and reputation. No one suspects anything right now, but rest assured I have full control of your domain. The website and email will be routed to a location of my choosing if you don’t pay up. It’s going to take a lot of time and money to recover from this if you don’t. These domains do have value to me, but you should know by now that I’m lazy. I want the biggest payout for the least amount of work.

Domain renewal: Around $18 Per Year
To get it back: $1,000 – $10,000+
Domain names are typically tied to both email and website. When an attacker gets control of it they can begin to compromise every online account associated with any email address tied to that domain. They can exploit your customers and vendors too. Domains that have been well established are worth a lot of money to the right people too.

Your Phone Numbers

I’ll admit this was a bit trickier. I don’t always get my target’s phone numbers, but when I do they are mine in every way. It’s a process. I’ve got to port the numbers out which has some safeguards in place and takes time. I always give it a try because organizations are very willing to pay me for my trouble.

Phone Contract: Around $35 Per Month Per Line
To get it back: $500 – $5,000 per line
Phone number have been ported for massive profits. For some organizations it would be very difficult to change their phone numbers after a successful attack like this. Your daily operations are going to come to a halt, and again, the cyber criminal has a way to easily exploit customer and vendors.

Your Data

I’m sure you’ve noticed by now that all of your files are misbehaving and look a bit different. Don’t panic, that’s just the ransomware I installed on a unsecured workstation somewhere in your building. This particular version of ransomware is a pet project I’ve been working on named Spike. Spike has likely spread throughout your network and infected every computer. Your files are technically fine. Spike, like most ransomware, just encrypts your files leaving the data intact. It’s that helpless feeling when you’ve locked your keys in your car. The car is still good, you just can’t access it. Don’t bother calling a locksmith though unless you have an infinite amount of time and resources. Encrypted files, not diamonds, are forever.

Data Cost: Usually Priceless. You’ll have to consider all of the time and resources associated with building your company’s data.
To get it back: The current value of 1 Bitcoin and beyond
Have we mentioned criminals are lazy? In some case the hackers deploy automated malware that infects company data. The ransomware that encrypts your files may have preset demands. In other cases the hackers are more directly involved in the deployment of the ransomware on your devices. In either case, paying up may not get you your data back.

Your Personal Files

I also stumbled on those sexy photos and that secret video no one is supposed to see. I’m actually NOT going to give those back. However, for a small fee, I will promise not to release them to the public potentially ruining your career and your personal life.

New Camera: $250
To get it back: $$$$
Blackmail is another serious crime hackers will commit in order to exploit you and your company for cash. We’ve heard horror stories of individuals being trapped in blackmail schemes for years.

How Much?

I’m a realistic cyber criminal. I’m not going to pull a Dr. Evil on you and ask for 1 million dollars. I’m going to evaluate your organization and make some very reasonable offers. After all, I need to get paid for your valuables. Thanks again for all of your hard work building up your organization and making your domain name, phone numbers, data, and personal files worth so much. I’ll be in touch.

Regards,
The Cyber Criminal


If you can imagine this scenario, it may seem like an absolute nightmare. Trust us, it is. It happens time and time again. In whole, or in part. Cyber and information security play a huge role in stopping these kind of incidents. Your organization needs to consider having strong policies and procedures in place along with some solid endpoint security. Together, these will help put cyber criminals out of business.

Policies & Procedures

Traditional solutions don’t fit their environment and they aren’t agile enough to keep up with the evolving landscape. This always leads to problems that can be traced back to poor implementation, or lack, of modern policies and procedures. Don’t make the same mistakes. Allow us to connect you with our partner today.

Phone Scams are Costing Americans Millions

Phone scams are getting very expensive. A new report claims that victims were swindled out of hundreds of millions of dollars in 2020. Some phone scammers are using simple social engineering tactics while others are using sophisticated strategies to target individual organizations. Their frequency and success are increasing at an alarming rate.

Phone Scams

I’m pretty sure I’ll be arrested after I finish this article. I got a call from some government agency and there are several warrants for my arrest because I didn’t pay my taxes. They said I could pay up and make it all go away, but I think I ‘ll take my chances. The taxes I owe are probably for that luxury vacation I won. I didn’t even know I was in the running for that one, but the caller last week reassured me I was.

The worst and most common phone scams aren’t calls out of the blue about how you’ve been “selected” for a special prize. They start with an email or a specially crafted webpage. These webpages are the worst, and they are very difficult to prevent. They usually have an audible warning about how your computer is infected with a virus and you need to call. All attempts to close the window or navigate away are blocked. It is very similar to a virus and scares a lot of people into calling the number. Calling starts the tech support scam. After gaining remote access to your computer the cyber criminals will try many tactics to scam you or, more accurately, your older relatives, out of their life savings. Roughly 65% of all victims are over the age of sixty.

Phone Scams: An Origin Story

This is not the origin story of a quirky superhero named “Phones Scams”.  I want to discuss where the vast majority of these calls come from. According to IC3’s 2020 Internet Crime Report and many other sources, India is the epicenter for these cyber criminals. It’s very unfortunate. I’ve worked with many honest and hard-working contractors from the region. These scammers are creating a lot of mistrust and ruining their nation’s reputation. India’s government is cracking down and they’ve successfully shut down many criminal operations in 2020. For some, the foreign accents or poorly worded emails are a red flag, but soon these giveaways may dissappear.

The Future is, Unfortunately, Now

Jason and I are great pals. He calls me at least once a day to see how I’m doing. Jason is a full-fledged marketing robot that is eerily convincing. It took me a moment the first time he called. This sophisticated software does everything; capable of thousands of calls an hour. It’s incredibly efficient and cost effective. Earlier systems used bots to dial numbers and serve the answered calls to human representatives. Now Jason and his friends (Greg and Samantha) can dial your number and get you scheduled for an appointment all without human intervention. These appear to be, though unethical, legitimate marketing campaigns. It’s only a matter of time before these realistic robots become readily available to phone scammers.

*Pro Tip: At the beginning of these calls there is a recognizable “bloop” noise. When I hear this I just hang up.

To save these legitimate marketers more time, innovative companies have developed software to generate the entire email for them. These emails easily pass as human generated messages. There are even A.I.s that can write entire blog articles and respond to live chats as with impressive human-like results. We will see phone scammers adopting these technologies more regularly to increase the authenticity of their scams.

Protection

“Knowing is approximately 50% of the battle.”

If you want to help protect your friends and loved ones, I urge you to share the link below. It’s a great article by the FTC that could help protect them against these disgusting criminals.

https://www.consumer.ftc.gov/articles/0208-phone-scams

While most of the victims are elderly individuals, businesses are in no way safe from phone scams. In many cases these can be much worst leading to events like ransomware installation and data breaches. IL Group’s cyber security division is currently providing a limited number of businesses with a free trial of their very affordable Awareness Training.

Designed to focus on each client’s individual needs, the training sessions identify and raise awareness on baseline and trending threats, as well as educate on mitigation strategies. IL Group’s continuing education philosophy is that security training needs to be distributed to employees in easy to understand, engaging, monthly, short (5 to 10 minutes) sessions. It’s best way to keep information security top of mind and prevent your organization from becoming a victim.

Premium Awareness Training – Free Trial


Is My Business a Target for Hackers

Unfortunately, the answer is never going to be no. This article will help explain what makes businesses a more likely target and other’s not.

What are hackers looking for?

  • Customer Lists
  • Price Lists
  • Proprietary Information
  • Schedules
  • Personal Information
  • Blackmail Opportunities
  • Schematics/Plans
  • Policies & Procedures
  • Credentials
  • Opportunities to Deploy Ransomware
  • Payment Information

If your in business you have data that has value.

Who are they?

In the majority of cyber crimes the hackers are:

  • Current Employees
  • Ex-Employees
  • Cyber Criminals
  • Friends
  • Neighbors
  • Family

When asked to explain replacing the janitorial staff with robots:

“What I’m saying is that the human element of human resources is our biggest point of vulnerability. We should start phasing it out immediately.” Happy Hogan “Forehead of Security” – Happy Hogan: Iron Man 3

Robot vacuum cleaner on the floor

The list above isn’t meant to make you paranoid or fuel any existing paranoia. Please don’t fire all of your employees and do not stop talking to your friends and family. We just want to make you aware that cyber crimes statistically come from those closest to the data. The reason for this is quite simple. Most criminals are lazy and cyber crime can be very challenging. When detectives start looking for suspects in any crime, it’s always best to start with those that had access in the first place.

Is My Business a Target?

The vast majority of hackers are lazy. In fact, I would argue they aren’t very smart. In the Matrix, anytime you needed expert knowledge it would just be downloaded directly into your brain. It’s not much different today. If you need to pick a lock, hot-wire a car, or hack into a company’s enterprise server it’s extremely likely that there is a video on YouTube.

“A while back, we were taking over IT operations for a business and the previous IT company was anything but friendly. They gave us a very long password for the server that did not work. After a quick search we found a video on YouTube that showed us how to exploit the system and gain access with nothing more than a laptop connected to the office WiFi.”

The vast majority of hackers that pose a threat to your organization will be looking for easy targets.

Don’t Make Your Business A Target?

The common thief may be stopped by a those cute little security signs, but they don’t work so well when it comes to cyber crime. You’ll have to work a little harder to deter most of the hackers that are coming for your data. The goal here is to make it difficult for them. You’ll want to make sure you organization, at the least, has:

  • Effective Awareness Training
  • Proper Policies & Procedures
  • A Secure Website
  • Top-Notch Email Security
  • Enterprise Endpoint Security
  • A Virtual CISO is a must for larger organizations

It’s Time to Get Secure

You’re ready to take the next step and start taking information security seriously. Let’s get you started with a free evaluation of your current setup and go from there.

Bitcoin – A Criminal Currency?

The Italian mobsters in organized crime syndicates didn’t carry around briefcases full of cash because it was cool (ok it was very cool). Cash was king because of the difficulties in tracing the transactions that paid for illegal products or criminal activity. A lot has changed since the days of Capone and Bitcoin has become the currency of choice in the criminal underworld.

Bitcoin is a complex technology that can be difficult to understand. Now, I want you to consider what gives gold and diamonds their value. They are both rare and difficult to extract from the earth. You’ll usually here the term mining associated with Bitcoin. Like diamonds and gold, bitcoin is mined and there are only a limited number of Bitcoins that can be mined. The gold rush had everyone heading west where there were huge deposits of gold ripe for the taking. Back then you didn’t need much more than pan and a stream of water to strike it rich. I’m sorry to report that the Bitcoin gold rush is over. In the early days of Bitcoin it was easy to mine. Now Bitcoin requires large and expensive operations to get a decent return. Bitcoin is a digital commodity just like physical gold, and Bitcoin is one of many Cryptocurrencies.

In all cash transactions between criminals there’s very little risk. There’s a much greater risk when it comes to bitcoin though. Cryptocurrencies like Bitcoin have a public blockchain that acts as a record for all transactions. That’s right, you can see all of transactions that take place with Bitcoin. The trick is in figuring out the person behind the Bitcoin transaction.

When criminals need cash for more “legal” purchases, they can’t just use the same cash they got from their “less legal” operations. Let’s say Capone just sold twenty thousand dollars’ worth of illegal alcohol. Then he goes and spends that exact amount on a new house for his sweetheart. It’s not going to take local law enforcement very long to put two and two together. This is where money laundering comes. If you run all of your cash through a “respectable” business then who can say that the twenty large didn’t come from a legal source.

Unfortunately, not much has changes since then. Digital money laundering operations and a degree of anonymity make it easy for criminals to get paid for your data. We would argue that Cryptocurrency is a wonderful technology and that it should remain a part of our society. There is a glimmer of hope on the digital front. If cyber criminals don’t have any data to sell the market might disappear. Please do your part and make sure your data is secure.

It’s Time to Get Secure

You’re ready to take the next step and start taking information security seriously. Let’s get you started with a free evaluation of your current setup and go from there.


Subscribe to Our Newsletter

We send out new articles every week. They'll help keep you informed about important information security topics and news.