If you are targeted by hackers with ransomware and decide to pay the ransom to get your data back, you might be investigated by the government. The current regulations come from the International Emergency Economic Powers Act and the Trading With the Enemy Act. These essentially make it illegal for companies and individuals to pay the hackers on the Office of Foreign Assets Control’s (OFAC) list of cyber terrorists. This also includes people who may pay on behalf of a client, such as a cyber insurance company.
According to a memo released by OFAC, “[organizations] are generally prohibited from engaging in transactions, directly or indirectly, with individuals or entities on OFAC’s Specially Designated Nationals and Blocked Persons List, other blocked persons, and those covered by extensive country or region embargoes.” This includes organizations that may not be on the list.
Cyber criminals started with individuals, but as they made more and more money they were able to refine their process. They are now targeting entities such as banks, hospitals, legal firms, and schools. Some of the cyber criminals have taken it a step further and created ransomware as a service. In these cases, the ransomware variant is rented out to the user and the owner is given a cut of the ransom. It’s very sinister, and it doesn’t seem to be getting better.
In 2020, the total amount paid for ransomware attacks increased more than 300% compared to the previous year. This amounts to a nearly $350 million payday for the bad guys. To make matters even worse, the actual numbers are likely a lot higher due to underreporting.
It may seem important to pay the ransom in order to retrieve your data and/or make sure that it doesn’t get released to the public, but in some cases the sanction you may receive will cost more than the demands. In many cases making payment only escalates the situation. In others the criminals don’t even make good on their promises to return stolen data or provide decryption keys.
Most ransomware attacks start with a single workstation or server. All your machines need to be secured with Endpoint Security that can protect your organization from all cyber threats, not just ransomware.
Having employees that are conscious of their role in an organization’s information security is extremely important. Deploying the right awareness training will help mitigate and even prevent ransomware attacks.
Technically, you will still be a victim if ransomware is deployed on your network. Having a solid backup solution can help you avoid major disruptions and keep you from having to negotiate with terrorists.
Policies & Procedures
Almost every single victim of ransomware lacks the proper policies and procedures to secure their organization. This failure to prioritize information security often leads to a damaged reputation, lost revenue, bankruptcy, and, in some cases, organizations closing their doors for good.
Traditional solutions don’t fit their environment and they aren’t agile enough to keep up with the evolving landscape. This always leads to problems that can be traced back to poor implementation, or lack, of modern policies and procedures. Don’t make the same mistakes. Allow us to connect you with our partner today.
Dear Users at XYZ Corp,
I really appreciate all of those colorful sticky notes on your desks. First, I would like to thank Susie from accounting. That office party photo on social media with the door code stuck to someone’s monitor was picture perfect. After using that code to access the building, I found many more users to thank. No one suspects a thing when you come through a coded employee entrance dressed like an IT professional. Everyone did a great job at locking their computers when they left for lunch. I want to thank Gary for leaving his password stuck to the bottom of his keyboard. With my remote access software installed, I don’t even need to come back later. Jill, the office manager, was kind enough to leave her email credentials on a bright green sticky note. That gave me the green light to email everyone letting them know I’d be stopping by their desk to make the network run faster. The HR Director’s secretary deserves some appreciation as well. I’m sure she spent a lot of time converting her boss’s entire company and personal schedule into a beautiful sticky note rainbow. This will be a big help when I need to know where her boss is.
Later that evening that remote access really paid off. After getting access to all of the company’s employee records, I now know the HR Director’s home address and it looks like there’s a family vacation scheduled next week. Again, I want to thank you all for making it so easy for me to exploit XYZ Corp. I couldn’t have done it without your lovely sticky notes.
The Cyber Criminal
It’s time for a training solution that is easy to understand, deeply engaging, remarkably consistent, and to-the-point. You’ll maintain productivity while keeping information security top-of-mind. Click on the button below to get started with our partner providing awareness training with an unmatched value.