The U.S. Federal Bureau of Investigation (FBI) has warned of an increase in ransomware attacks since 2015, particularly against organisations, because payoffs are getting higher.
Ransomware is a type of malicious software that cyber actors use to deny access to systems or data. The malicious cyber actor holds the system or data hostage until the ransom is paid, the U.S. law enforcement agency warns, adding that if the demands are not met, the system or encrypted data remains unavailable or the data may be deleted.
The FBI says that in the first several months of 2016, global ransomware infections were at an all-time high. Within the first weeks of its release, one particular ransomware variant compromised an estimated 100,000 computers a day.
According to the FBI, the first known ransomware was “AIDS” (also known as “PC Cyborg”), written in 1989 by Joseph Popp. Its payload (that is, the actual intended message transmitted) hid the files on the hard drive and encrypted their names, and displayed a message claiming that the user’s license to use a certain piece of software had expired.
The user was asked to pay US$189 to “PC Cyborg Corporation” in order to obtain a repair tool. Popp was declared mentally unfit to stand trial for his actions, but he promised to donate the profits from the malware to fund AIDS research, according to the FBI.
The law enforcement agency explains that ransomware attacks are typically carried out using a Trojan, entering a system through, for example, a downloaded file or a vulnerability in a network service. The program then runs a payload, which locks the system in some fashion, or claims to lock the system but does not.
Symantec Corporation, an American network security company, explains the mode of attack by ransomware attackers: “These aggressive assaults begin in a similar manner to scareware. You’re duped into clicking on an infected popup advertisement or you visit an infected website. However, instead of just trying to trick you into buying fake antivirus software, the bad guys hold your computer hostage and attempt to extort payment.”
The criminals often ask for a nominal payment, figuring that a victim will be more likely to pay to avoid the hassle and heartache of dealing with the virus. “They may ask for as little as $10 to be wired through Western Union, paid through a premium text message or sent through a form of online cash,” Symantec says.
It is on this premise that it has become necessary to enlighten the public on the need to report ransomware incidents in order to help curb the menace.
In Nigeria, the Cyber Crime Act 2015 provides an effective, unified and comprehensive legal, regulatory and institutional framework for the prohibition, prevention, detection, prosecution and punishment of cybercrimes in the country.
This Act also ensures the protection of critical national information infrastructure, and promotes cyber security and the protection of computer systems and networks, electronic communications, data and computer programs, intellectual property and privacy rights.
Hence, every Nigerian has the legal responsibility to report any incident of ransomware to security operatives so as to reduce this cyber criminal activity to its barest minimum.
Section 21 of the Nigerian Cyber Crime Act 2015 stipulates thus: “Any person or institution, who operates a computer system or a network, whether public or private, must immediately inform the National Computer Emergency Response Team (CERT) Coordination Center of any attacks, intrusions and other disruptions liable to hinder the functioning of another computer system or network, so that the National CERT can take the necessary measures to tackle the issues.”
The Nigerian law further states that “any person or institution who fails to report any such incident to the National CERT within 7 days of its occurrence, commits an offence and shall be liable to denial of internet services. Such persons or institution shall in addition, pay a mandatory fine of N2,000,000.00 into the National Cyber Security Fund.”
Meanwhile, the FBI highlights certain factors that may hinder reporting of ransomware incidents by victims: “Victims may not report to law enforcement for a number of reasons, including concerns over not knowing where and to whom to report; not feeling their loss warrants law enforcement attention; concerns over privacy, business reputation, or regulatory data breach reporting requirements; or embarrassment.
Additionally, those who resolve the issue internally either by paying the ransom or by restoring their files from back-ups may not feel a need to contact law enforcement.”
It however explains the value of reporting such incidents, stating that “victim reporting provides law enforcement with a greater understanding of the threat, provides justification for ransomware investigations, and contributes relevant information to ongoing ransomware cases.”
The FBI says knowing more about victims and their experiences with ransomware will help the security agencies to determine who is behind the attacks and how they are identifying or targeting victims.
The U.S. security agency further explains that if victims fail to report incidents, there remains the possibility that they will not obtain full decryption of their files after payment, in addition to prolonged recovery time.
“Recent victims who have been infected with these types of ransomware variants have not been provided the decryption keys for all their files after paying the ransom, and some have been extorted for even more money after payment,” it says.
“Paying a ransom does not guarantee the victim will regain access to their data; in fact, some individuals or organizations are never provided with decryption keys after paying a ransom. Paying a ransom emboldens the adversary to target other victims for profit, and could provide incentive for other criminals to engage in similar illicit activities for financial gain,” the FBI says.
The FBI therefore advises that, for security agencies to adequately tackle reported cases, victims of ransomware attacks should provide the following infection details when reporting an incident:
- Date of Infection
- Ransomware Variant (identified on the ransom page or by the encrypted file extension)
- Victim Company Information (industry type, business size, etc.)
- How the Infection Occurred (link in e-mail, browsing the Internet, etc.)
- Requested Ransom Amount
- Actor’s Bitcoin Wallet Address (may be listed on the ransom page)
- Ransom Amount Paid (if any)
- Overall Losses Associated with a Ransomware Infection (including the ransom amount)
- Victim Impact Statement
The FBI further recommends certain prevention and continuity measures that users should consider to lessen the risk of a successful ransomware attack. These include the following:
- Regularly back up data and verify the integrity of those backups. Backups are critical in ransomware incidents; if you are infected, backups may be the best way to recover your critical data.
- Secure your backups. Ensure backups are not connected to the computers and networks they are backing up. Examples might include securing backups in the cloud or physically storing them offline. It should be noted, some instances of ransomware have the capability to lock cloud-based backups when systems continuously back up in real-time, also known as persistent synchronization.
- Scrutinize links contained in e-mails and do not open attachments included in unsolicited e-mails.
- Only download software – especially free software – from sites you know and trust. When possible, verify the integrity of the software through a digital signature prior to execution.
- Ensure anti-virus and anti-malware solutions are set to automatically update and regular scans are conducted.
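The first two recommendations above (verify backup integrity, and keep backups out of reach of the systems they protect) can be checked mechanically. The following is an added example, not part of the FBI guidance or the original article: it records a SHA-256 manifest of a backup set, authenticates the manifest with an HMAC key, and later reports files that are missing, modified or unexpected. The function names, the sample files and the key are assumptions made for illustration; the key is assumed to be stored offline, away from the backup host.

```python
import hashlib, hmac, json, tempfile
from pathlib import Path

def snapshot(backup_dir: Path) -> dict:
    """Map each file's path (relative to the backup root) to its SHA-256 digest."""
    digests = {}
    for path in sorted(Path(backup_dir).rglob("*")):
        if path.is_file():
            h = hashlib.sha256()
            with path.open("rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 20), b""):
                    h.update(chunk)
            digests[path.relative_to(backup_dir).as_posix()] = h.hexdigest()
    return digests

def _mac(files: dict, key: bytes) -> str:
    # Keyed MAC over the manifest: malware that rewrites backup files could
    # rewrite an unkeyed hash list too, but not one bound to an offline key.
    body = json.dumps(files, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()

def build_manifest(backup_dir: Path, key: bytes) -> dict:
    """Run right after a backup completes; store the result off the backup host."""
    files = snapshot(backup_dir)
    return {"files": files, "mac": _mac(files, key)}

def verify_backup(backup_dir: Path, manifest: dict, key: bytes) -> dict:
    """Compare the backup's current state with the authenticated manifest."""
    recorded = manifest["files"]
    if not hmac.compare_digest(_mac(recorded, key), manifest.get("mac", "")):
        raise ValueError("manifest MAC mismatch: the manifest itself was altered")
    current = snapshot(backup_dir)
    return {
        "missing": sorted(recorded.keys() - current.keys()),
        "unexpected": sorted(current.keys() - recorded.keys()),
        "modified": sorted(n for n in recorded.keys() & current.keys()
                           if recorded[n] != current[n]),
    }

if __name__ == "__main__":
    key = b"constructed-demo-key"  # assumption: real key is kept offline
    with tempfile.TemporaryDirectory() as tmp:  # constructed sample backup set
        root = Path(tmp)
        (root / "ledger.csv").write_text("id,amount\n1,100\n")
        (root / "notes.txt").write_text("quarterly notes\n")
        manifest = build_manifest(root, key)
        # Constructed tampering: one file overwritten, one renamed.
        (root / "ledger.csv").write_text("overwritten\n")
        (root / "notes.txt").rename(root / "notes.txt.locked")
        print(verify_backup(root, manifest, key))
```

A backup set where many files show up as modified, or as missing alongside unexpected new names, should be treated as suspect and not used for restoration until an older, clean copy is confirmed.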