Paying Ransomware Demands Can Be Illegal

If you are targeted by hackers with ransomware and decide to pay the ransom to get your data back, you might be investigated by the government. The current regulations come from the International Emergency Economic Powers Act and the Trading With the Enemy Act. These essentially make it illegal for companies and individuals to pay hackers who are on the Office of Foreign Assets Control’s (OFAC) list of cyber terrorists. This also includes anyone who pays on behalf of a client, such as a cyber insurance company.

According to a memo released by OFAC, “[organizations] are generally prohibited from engaging in transactions, directly or indirectly, with individuals or entities on OFAC’s Specially Designated Nationals and Blocked Persons List, other blocked persons, and those covered by extensive country or region embargoes.” This includes organizations that may not be on the list.

Cyber criminals started with individuals, but as they made more and more money they were able to refine their process. They are now targeting entities such as banks, hospitals, legal firms, and schools. Some of the cyber criminals have taken it a step further and created ransomware as a service. In these cases, the ransomware variant is rented out to the user and the owner is given a cut of the ransom. It’s very sinister, and it doesn’t seem to be getting better.

In 2020 the total amount paid for ransomware attacks increased by more than 300% compared to the previous year. This amounts to a nearly $350 million payday for the bad guys. To make matters even worse, the actual numbers are likely a lot higher due to underreporting.

It may seem important to pay the ransom in order to retrieve your data and/or make sure that it doesn’t get released to the public, but in some cases the sanction you may receive will cost more than the demands. In many cases, making payment only escalates the situation. In others, the criminals don’t even make good on their promises to return stolen data or provide decryption keys.

Don’t Become a Victim:

Endpoint Security

Most ransomware attacks start with a single workstation or server. All your machines need to be secured with Endpoint Security that can protect your organization from all cyber threats, not just ransomware.

Awareness Training

Having employees that are conscious of their role in an organization’s information security is extremely important. Deploying the right awareness training will help mitigate and even prevent ransomware attacks.

Backups

Technically, you will still be a victim if ransomware is deployed on your network. Having a solid backup solution can help you avoid major disruptions and keep you from having to negotiate with terrorists.

Policies & Procedures

Almost every single victim of ransomware lacks the proper policies and procedures to secure their organization. This failure to prioritize information security often leads to a damaged reputation, lost revenue, bankruptcy, and, in some cases, closing the doors for good.

Policies & Procedures

Traditional solutions don’t fit their environment and they aren’t agile enough to keep up with the evolving landscape. This always leads to problems that can be traced back to poor implementation, or lack, of modern policies and procedures. Don’t make the same mistakes. Allow us to connect you with our partner today.

Company Cyber and Security Departments’ Budgets on the Rise

Even though the coronavirus pandemic has resulted in loss of business for many companies, most of them are increasing the budgets for their security departments. This is a direct result of the mounting attacks on businesses by hackers.

Many companies put their tech security departments by the wayside, choosing instead to focus on things that would directly make the company money. However, with preventative costs showing more value than recovery costs, it’s a no-brainer that companies are investing more in information security.

One way that department heads are convincing executives to invest is by showing them directly how stronger security will impact the bottom line. One of the easiest ways to show this is to use ransomware as an example: the company can either pay to secure its information now or pay off a hacker later to get its information back. It’s a simple decision to make. However, there are still quite a few companies that cannot see the value in increased information security. These issues can only be prevented if the information security team manages to convince the board that it’s a good idea.

vCISO

Hiring a traditional CISO can be very costly and your organization misses out on many key advantages a virtual CISO has to offer. Click below to learn more about our partner’s annual contract to manage all aspects of your Information Security Program at a fraction of the cost.

Employee Information Not as Protected as Customer Data

H&M Group, a Swedish company specializing in apparel, was recently fined over forty million dollars because they collected excessive personal data on their employees and failed to protect that information. The information collected included medical details, religious affiliation, and whether employees were having troubles at home. Besides those questions being completely inappropriate, H&M failed to protect that data once it was put into their system, leaving it available to numerous managers in the company. What’s even worse is that some of that information directly impacted employee performance reviews.

None of this would have come to light if the company hadn’t experienced a data breach. The breach, which lasted only several hours, made the information widely available to anyone. The exposure was caused by a configuration error.

Steps were taken to fix the issue, including the replacement of managers, training on data security and labor laws, and the appointment of a data protection coordinator. However, it’s yet to be seen whether H&M will continue with these changes or give up once they are out of the spotlight.

Poor information security has real-world impacts, and there are no excuses. Events like this can be easily avoided. Organizations always seem to think that cyber attacks and threats to their data are going to be super complex, involving secret techniques. The truth is that almost all of the major data breaches could have been avoided with simple changes to their policies & procedures.

Here’s How Much Your Stuff is Going to Cost to Get Back

Dear Organization,

It was so kind of you to leave your systems so vulnerable. It was very easy for me to grab a few things I thought I wanted. Turns out I don’t really need them, so I’ll be glad to give them back. For a price.

Your Domain

It’s tied to your website and email. It’s on all of your marketing material that you spent quite a bit on. It seems to be a critical part of your brand and reputation. No one suspects anything right now, but rest assured I have full control of your domain. The website and email will be routed to a location of my choosing if you don’t pay up. It’s going to take a lot of time and money to recover from this if you don’t. These domains do have value to me, but you should know by now that I’m lazy. I want the biggest payout for the least amount of work.

Domain renewal: Around $18 Per Year
To get it back: $1,000 – $10,000+
Domain names are typically tied to both email and website. When an attacker gets control of a domain, they can begin to compromise every online account associated with any email address tied to it. They can exploit your customers and vendors too. Well-established domains are also worth a lot of money to the right people.

Your Phone Numbers

I’ll admit this was a bit trickier. I don’t always get my target’s phone numbers, but when I do they are mine in every way. It’s a process. I’ve got to port the numbers out which has some safeguards in place and takes time. I always give it a try because organizations are very willing to pay me for my trouble.

Phone Contract: Around $35 Per Month Per Line
To get it back: $500 – $5,000 per line
Phone numbers have been ported for massive profits. For some organizations it would be very difficult to change their phone numbers after a successful attack like this. Your daily operations are going to come to a halt, and again, the cyber criminal has a way to easily exploit customers and vendors.

Your Data

I’m sure you’ve noticed by now that all of your files are misbehaving and look a bit different. Don’t panic, that’s just the ransomware I installed on an unsecured workstation somewhere in your building. This particular version of ransomware is a pet project I’ve been working on named Spike. Spike has likely spread throughout your network and infected every computer. Your files are technically fine. Spike, like most ransomware, just encrypts your files, leaving the data intact. It’s that helpless feeling when you’ve locked your keys in your car. The car is still good, you just can’t access it. Don’t bother calling a locksmith though unless you have an infinite amount of time and resources. Encrypted files, not diamonds, are forever.

Data Cost: Usually Priceless. You’ll have to consider all of the time and resources associated with building your company’s data.
To get it back: The current value of 1 Bitcoin and beyond
Have we mentioned criminals are lazy? In some cases the hackers deploy automated malware that infects company data, and the ransomware that encrypts your files may have preset demands. In other cases the hackers are more directly involved in the deployment of the ransomware on your devices. In either case, paying up may not get you your data back.

Your Personal Files

I also stumbled on those sexy photos and that secret video no one is supposed to see. I’m actually NOT going to give those back. However, for a small fee, I will promise not to release them to the public potentially ruining your career and your personal life.

New Camera: $250
To get it back: $$$$
Blackmail is another serious crime hackers will commit in order to exploit you and your company for cash. We’ve heard horror stories of individuals being trapped in blackmail schemes for years.

How Much?

I’m a realistic cyber criminal. I’m not going to pull a Dr. Evil on you and ask for 1 million dollars. I’m going to evaluate your organization and make some very reasonable offers. After all, I need to get paid for your valuables. Thanks again for all of your hard work building up your organization and making your domain name, phone numbers, data, and personal files worth so much. I’ll be in touch.

Regards,
The Cyber Criminal


If you can imagine this scenario, it may seem like an absolute nightmare. Trust us, it is. It happens time and time again, in whole or in part. Cyber and information security play a huge role in stopping these kinds of incidents. Your organization needs to consider having strong policies and procedures in place along with some solid endpoint security. Together, these will help put cyber criminals out of business.

Phone Scams are Costing Americans Millions

Phone scams are getting very expensive. A new report claims that victims were swindled out of hundreds of millions of dollars in 2020. Some phone scammers are using simple social engineering tactics while others are using sophisticated strategies to target individual organizations. Their frequency and success are increasing at an alarming rate.

Phone Scams

I’m pretty sure I’ll be arrested after I finish this article. I got a call from some government agency, and there are several warrants for my arrest because I didn’t pay my taxes. They said I could pay up and make it all go away, but I think I’ll take my chances. The taxes I owe are probably for that luxury vacation I won. I didn’t even know I was in the running for that one, but the caller last week reassured me I was.

The worst and most common phone scams aren’t calls out of the blue about how you’ve been “selected” for a special prize. They start with an email or a specially crafted webpage. These webpages are the worst, and they are very difficult to prevent. They usually have an audible warning about how your computer is infected with a virus and you need to call. All attempts to close the window or navigate away are blocked. It is very similar to a virus and scares a lot of people into calling the number. Calling starts the tech support scam. After gaining remote access to your computer the cyber criminals will try many tactics to scam you or, more accurately, your older relatives, out of their life savings. Roughly 65% of all victims are over the age of sixty.

Phone Scams: An Origin Story

This is not the origin story of a quirky superhero named “Phone Scams”. I want to discuss where the vast majority of these calls come from. According to IC3’s 2020 Internet Crime Report and many other sources, India is the epicenter for these cyber criminals. It’s very unfortunate. I’ve worked with many honest and hard-working contractors from the region. These scammers are creating a lot of mistrust and ruining their nation’s reputation. India’s government is cracking down, and they successfully shut down many criminal operations in 2020. For some, the foreign accents or poorly worded emails are a red flag, but soon these giveaways may disappear.

The Future is, Unfortunately, Now

Jason and I are great pals. He calls me at least once a day to see how I’m doing. Jason is a full-fledged marketing robot that is eerily convincing. It took me a moment the first time he called. This sophisticated software does everything and is capable of thousands of calls an hour. It’s incredibly efficient and cost effective. Earlier systems used bots to dial numbers and serve the answered calls to human representatives. Now Jason and his friends (Greg and Samantha) can dial your number and get you scheduled for an appointment, all without human intervention. These appear to be, though unethical, legitimate marketing campaigns. It’s only a matter of time before these realistic robots become readily available to phone scammers.

*Pro Tip: At the beginning of these calls there is a recognizable “bloop” noise. When I hear this I just hang up.

To save these legitimate marketers even more time, innovative companies have developed software to generate the entire email for them. These emails easily pass as human-generated messages. There are even A.I.s that can write entire blog articles and respond to live chats with impressive human-like results. We will see phone scammers adopting these technologies more regularly to increase the authenticity of their scams.

Protection

“Knowing is approximately 50% of the battle.”

If you want to help protect your friends and loved ones, I urge you to share the link below. It’s a great article by the FTC that could help protect them against these disgusting criminals.

https://www.consumer.ftc.gov/articles/0208-phone-scams

While most of the victims are elderly individuals, businesses are in no way safe from phone scams. In many cases these can be much worse, leading to events like ransomware installation and data breaches. IL Group’s cyber security division is currently providing a limited number of businesses with a free trial of their very affordable Awareness Training.

Designed to focus on each client’s individual needs, the training sessions identify and raise awareness of baseline and trending threats, as well as educate on mitigation strategies. IL Group’s continuing education philosophy is that security training needs to be delivered to employees in easy-to-understand, engaging, short (5 to 10 minute) monthly sessions. It’s the best way to keep information security top of mind and prevent your organization from becoming a victim.

Premium Awareness Training – Free Trial


Cyber Criminals Really Like When You Use Sticky Notes

Dear Users at XYZ Corp,

I really appreciate all of those colorful sticky notes on your desks. First, I would like to thank Susie from accounting. That office party photo on social media with the door code stuck to someone’s monitor was picture perfect. After using that code to access the building, I found many more users to thank. No one suspects a thing when you come through a coded employee entrance dressed like an IT professional. Everyone did a great job at locking their computers when they left for lunch. I want to thank Gary for leaving his password stuck to the bottom of his keyboard. With my remote access software installed, I don’t even need to come back later. Jill, the office manager, was kind enough to leave her email credentials on a bright green sticky note. That gave me the green light to email everyone letting them know I’d be stopping by their desk to make the network run faster. The HR Director’s secretary deserves some appreciation as well. I’m sure she spent a lot of time converting her boss’s entire company and personal schedule into a beautiful sticky note rainbow. This will be a big help when I need to know where her boss is.

Later that evening that remote access really paid off. After getting access to all of the company’s employee records, I now know the HR Director’s home address and it looks like there’s a family vacation scheduled next week. Again, I want to thank you all for making it so easy for me to exploit XYZ Corp. I couldn’t have done it without your lovely sticky notes.

Sincerely,
The Cyber Criminal

Awareness Training

It’s time for a training solution that is easy to understand, deeply engaging, remarkably consistent, and to-the-point. You’ll maintain productivity while keeping information security top-of-mind. Click on the button below to get started with our partner providing awareness training with an unmatched value.

Is My Business a Target for Hackers?

Unfortunately, the answer is never going to be no. This article will help explain what makes some businesses a more likely target than others.

What are hackers looking for?

  • Customer Lists
  • Price Lists
  • Proprietary Information
  • Schedules
  • Personal Information
  • Blackmail Opportunities
  • Schematics/Plans
  • Policies & Procedures
  • Credentials
  • Opportunities to Deploy Ransomware
  • Payment Information

If you’re in business, you have data that has value.

Who are they?

In the majority of cyber crimes the hackers are:

  • Current Employees
  • Ex-Employees
  • Cyber Criminals
  • Friends
  • Neighbors
  • Family

When asked to explain replacing the janitorial staff with robots:

“What I’m saying is that the human element of human resources is our biggest point of vulnerability. We should start phasing it out immediately.” Happy Hogan, “Forehead of Security” (Iron Man 3)

The list above isn’t meant to make you paranoid or fuel any existing paranoia. Please don’t fire all of your employees, and do not stop talking to your friends and family. We just want to make you aware that, statistically, cyber crimes come from those closest to the data. The reason for this is quite simple. Most criminals are lazy, and cyber crime can be very challenging. When detectives start looking for suspects in any crime, it’s always best to start with those who had access in the first place.

Is My Business a Target?

The vast majority of hackers are lazy. In fact, I would argue they aren’t very smart. In The Matrix, anytime you needed expert knowledge it would just be downloaded directly into your brain. It’s not much different today. If you need to pick a lock, hot-wire a car, or hack into a company’s enterprise server, it’s extremely likely that there is a video on YouTube.

“A while back, we were taking over IT operations for a business and the previous IT company was anything but friendly. They gave us a very long password for the server that did not work. After a quick search we found a video on YouTube that showed us how to exploit the system and gain access with nothing more than a laptop connected to the office WiFi.”

The vast majority of hackers that pose a threat to your organization will be looking for easy targets.

Don’t Make Your Business a Target

The common thief may be stopped by those cute little security signs, but they don’t work so well when it comes to cyber crime. You’ll have to work a little harder to deter most of the hackers that are coming for your data. The goal here is to make it difficult for them. You’ll want to make sure your organization, at the least, has:

  • Effective Awareness Training
  • Proper Policies & Procedures
  • A Secure Website
  • Top-Notch Email Security
  • Enterprise Endpoint Security
  • A Virtual CISO is a must for larger organizations

It’s Time to Get Secure

You’re ready to take the next step and start taking information security seriously. Let’s get you started with a free evaluation of your current setup and go from there.
