From the FBI’s Cyber Division: Incidents on the rise, protect yourself and your organization
Hospitals, school districts, state and local governments, law enforcement agencies, small businesses, large businesses—these are just some of the entities impacted recently by ransomware, an insidious type of malware that encrypts, or locks, valuable digital files and demands a ransom to release them.
The inability to access the important data these kinds of organizations keep can be catastrophic in terms of the loss of sensitive or proprietary information, the disruption to regular operations, financial losses incurred to restore systems and files, and the potential harm to an organization’s reputation.
And, of course, home computers are just as susceptible to ransomware, and the loss of access to personal and often irreplaceable items—including family photos, videos, and other data—can be devastating for individuals as well.
Ransomware has been around for a few years, but during 2015, law enforcement saw an increase in these types of cyber attacks, particularly against organizations because the payoffs are higher. And if the first three months of this year are any indication, the number of ransomware incidents—and the ensuing damage they cause—will grow even more in 2016 if individuals and organizations don’t prepare for these attacks in advance.
While the below tips are primarily aimed at organizations and their employees, some are also applicable to individual users.
How does it work?
In a ransomware attack, victims—upon seeing an e-mail addressed to them—will open it and may click on an attachment that appears legitimate, like an invoice or an electronic fax, but which actually contains the malicious ransomware code. Or the e-mail might contain a legitimate-looking URL, but when a victim clicks on it, they are directed to a website that infects their computer with malicious software.
Once the infection is present, the malware begins encrypting files and folders on local drives, any attached drives, backup drives, and potentially other computers on the same network that the victim computer is attached to. Users and organizations are generally not aware they have been infected until they can no longer access their data or until they begin to see computer messages advising them of the attack and demands for a ransom payment in exchange for a decryption key. These messages include instructions on how to pay the ransom, usually with bitcoins because of the anonymity this virtual currency provides.
Ransomware attacks are not only proliferating, they’re becoming more sophisticated. Several years ago, ransomware was normally delivered through spam e-mails, but because e-mail systems got better at filtering out spam, cyber criminals turned to spear phishing e-mails targeting specific individuals.
And in newly identified instances of ransomware, some cyber criminals aren’t using e-mails at all. According to FBI Cyber Division Assistant Director James Trainor, “These criminals have evolved over time and now bypass the need for an individual to click on a link. They do this by seeding legitimate websites with malicious code, taking advantage of unpatched software on end-user computers.”
The FBI doesn’t support paying a ransom in response to a ransomware attack. Said Trainor, “Paying a ransom doesn’t guarantee an organization that it will get its data back—we’ve seen cases where organizations never got a decryption key after having paid the ransom. Paying a ransom not only emboldens current cyber criminals to target more organizations, it also offers an incentive for other criminals to get involved in this type of illegal activity. And finally, by paying a ransom, an organization might inadvertently be funding other illicit activity associated with criminals.”
So what does the FBI recommend?
As ransomware techniques and malware continue to evolve—and because it’s difficult to detect a ransomware compromise before it’s too late—organizations in particular should focus on two main areas:
- Prevention efforts—both in terms of awareness training for employees and robust technical prevention controls; and
- The creation of a solid business continuity plan in the event of a ransomware attack. (See sidebar for more information.)
“There’s no one method or tool that will completely protect you or your organization from a ransomware attack,” said Trainor. “But contingency and remediation planning is crucial to business recovery and continuity—and these plans should be tested regularly.” In the meantime, according to Trainor, the FBI will continue working with its local, federal, international, and private sector partners to combat ransomware and other cyber threats.
If you think you or your organization have been the victim of ransomware, contact your local FBI field office and report the incident to the Bureau’s Internet Crime Complaint Center.
Emergency Planning for Private Schools Workshop
Tuesday, May 3, 2016
9:00 AM – 5:00 PM
(Registration begins at 8:30AM)
Manhattan Municipal Building
1 Centre St, New York, NY 10007
This workshop is intended to provide guidance on emergency planning for private schools. Participants will receive training in the basic fundamentals of emergency planning and how to develop their school’s Emergency Operations Plans (EOPs). They will hear from subject matter experts from the NYPD, FDNY, New York State Police and the US Department of Education on available tools to support school emergency planning efforts.
The first half of the workshop will be a presentation from the US Department of Education Readiness and Emergency Management for Schools Technical Assistance Team (REMS). This portion of the program will provide an overview of the recommended six step planning process to create a high-quality school emergency operations plan.
The second half of the day will feature presentations by:
- NYPD: They will discuss the Shield Program and other NYPD services available to schools.
- New York State Police: They will demonstrate their school emergency operations planning template.
- FDNY: They will cover fire safety and school evacuation plans.
Private school administrators and security personnel interested in creating, revising, or enhancing school emergency operations plans.
Registration for this event closes on Tuesday, April 26, 2016 at 5:00 pm Eastern Standard Time.
Cancellations must be received no later than three business days in advance.
NYCEM Academy provides reasonable accommodations. If you are in need of a disability accommodation, please send your request to email@example.com.
Last week’s attack and sorting through the information overload is daunting. We regularly turn to a few knowledgeable sources to help to guide us when we’re perplexed. Here are a few examples:
- Founded in 1996, the International Institute for Counter-Terrorism (ICT) is one of the leading academic institutes for counter-terrorism in the world, facilitating international cooperation in the global struggle against terrorism. It is based at the Interdisciplinary Center (IDC), Herzliya and includes some of the top experts in terrorism, counter-terrorism, homeland security, threat vulnerability, risk assessment, intelligence analysis, national security and defense policy. See their The Brussels Attacks – What do we know? & Insights from ICT Experts.
- The National Consortium for the Study of Terrorism and Responses to Terrorism—better known as START—is a Department of Homeland Security Center of Excellence headquartered at the University of Maryland comprised of an international network of scholars committed to the scientific study of the causes and human consequences of terrorism in the United States and around the world. See their Terrorism in Belgium and Western Europe; Attacks against Transportation Targets; Coordinated Terrorist Attacks.
- The U.S. State Department issued a Travel Alert for Europe cautioning that terrorist groups continue to plan near-term attacks throughout Europe, targeting sporting events, tourist sites, restaurants, and transportation. The State Department also maintains a Worldwide Caution which highlights that all European countries remain vulnerable to attacks from transnational terrorist organizations.
- Stratfor is a geopolitical intelligence firm that provides strategic analysis and forecasting to individuals and organizations around the world. One of their recent analyses observes, “The Brussels blasts are a striking reminder of the difficulty of preventing attacks against soft targets. Unlike hard targets, which tend to require attackers to use large teams of operatives with elaborate attack plans or large explosive devices to breach defenses, soft targets offer militant planners an advantage in that they can frequently be attacked by a single operative or small team using a simple attack plan. In addition, attacks against transportation-related targets such as metro stations and airports allow attackers to kill large groups of people and attract significant media attention.” Alongside transportation hubs, hotels and restaurants, institutions — such as houses of worship and schools — are classic soft targets. See Brussels Blasts: The Struggle to Secure Soft Targets.
- Scott Atran is an anthropologist at France’s National Center for Scientific Research, Oxford University, John Jay College and the University of Michigan and author of Talking to the Enemy and In Gods We Trust. His research specialty is terrorists: how they are recruited, how they think, why they are so effective. He and his team are quite busy these days: he’s embedded with the Peshmerga outside of Mosul interviewing captured (and soon to be executed) ISIL fighters; his team is running experiments in neighborhoods like Molenbeek and around the Bataclan, and tracing out the networks of the friends, family and disciples of the Paris and Brussels terrorists. His, often raw, Facebook posts from the battlefield carry a surrealistic quality. He recently addressed the UN Security Council on The Role of Youth in Countering Violent Extremism and Promoting Peace. We do not necessarily agree with every one of his conclusions, but he is consistently thoughtful and incisive.
WASHINGTON — The Internal Revenue Service today issued an alert to payroll and human resources professionals to beware of an emerging phishing email scheme that purports to be from company executives and requests personal information on employees.
The IRS has learned this scheme — part of the surge in phishing emails seen this year — already has claimed several victims as payroll and human resources offices mistakenly email payroll data including Forms W-2 that contain Social Security numbers and other personally identifiable information to cybercriminals posing as company executives.
“This is a new twist on an old scheme using the cover of the tax season and W-2 filings to try tricking people into sharing personal data. Now the criminals are focusing their schemes on company payroll departments,” said IRS Commissioner John Koskinen. “If your CEO appears to be emailing you for a list of company employees, check it out before you respond. Everyone has a responsibility to remain diligent about confirming the identity of people requesting personal information about employees.”
IRS Criminal Investigation already is reviewing several cases in which people have been tricked into sharing SSNs with what turned out to be cybercriminals. Criminals using personal information stolen elsewhere seek to monetize data, including by filing fraudulent tax returns for refunds.
This phishing variation is known as a “spoofing” email. It will contain, for example, the actual name of the company chief executive officer. In this variation, the “CEO” sends an email to a company payroll office employee and requests a list of employees and information including SSNs.
The following are some of the details contained in the e-mails:
- Kindly send me the individual 2015 W-2 (PDF) and earnings summary of all W-2 of our company staff for a quick review.
- Can you send me the updated list of employees with full details (Name, Social Security Number, Date of Birth, Home Address, Salary).
- I want you to send me the list of W-2 copy of employees wage and tax statement for 2015, I need them in PDF file type, you can send it as an attachment. Kindly prepare the lists and email them to me asap.
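A payroll or HR mailbox can screen for the pattern described above before anyone replies. The following is an added example, not code from the IRS or any mail product; the executive name, the company domain `example.com`, and the sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumptions for illustration (not from the IRS alert).
EXECUTIVES = {"jane doe"}        # display names of real executives
COMPANY_DOMAIN = "example.com"   # the organization's own mail domain

# Wording taken from the request lines quoted in the alert.
SENSITIVE = re.compile(
    r"\bW-?2\b|social security number|\bSSNs?\b|date of birth|"
    r"wage and tax statement|list of employees", re.IGNORECASE)

def triage(raw):
    """Return the reasons a message should be verified before anyone replies."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    from_domain = addr.rpartition("@")[2].lower()
    text = msg.get("Subject", "") + "\n" + msg.get_payload()
    reasons = []
    if SENSITIVE.search(text):
        reasons.append("requests employee tax or identity data")
    if name.strip().lower() in EXECUTIVES and from_domain != COMPANY_DOMAIN:
        reasons.append("executive display name on external address")
    if reply_to and reply_to.rpartition("@")[2].lower() != from_domain:
        reasons.append("Reply-To domain differs from From domain")
    return reasons

# Constructed sample messages; the first two bodies reuse wording from the alert.
SAMPLES = [
    'From: "Jane Doe" <jane.doe@example.net>\nSubject: Quick review\n\n'
    "Kindly send me the individual 2015 W-2 (PDF) and earnings summary.",
    'From: "Jane Doe" <jane.doe@example.com>\nReply-To: ceo@example.net\n'
    "Subject: Staff list\n\nCan you send me the updated list of employees "
    "with full details (Name, Social Security Number, Date of Birth)?",
    'From: "Sam Lee" <sam.lee@example.com>\nSubject: Friday\n\nLunch menu attached.',
]

if __name__ == "__main__":
    for raw in SAMPLES:
        print(triage(raw) or "no flags")
```

Because a From address can itself be forged, a message flagged only for the data request still warrants confirmation with the executive through a separate channel.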
The IRS recently renewed a wider consumer alert for e-mail schemes after seeing an approximate 400 percent surge in phishing and malware incidents so far this tax season and other reports of scams targeting others in a wider tax community.
The emails are designed to trick taxpayers into thinking these are official communications from the IRS or others in the tax industry, including tax software companies. The phishing schemes can ask taxpayers about a wide range of topics. E-mails can seek information related to refunds, filing status, confirming personal information, ordering transcripts and verifying PIN information.
The IRS, state tax agencies and tax industry are engaged in a public awareness campaign — Taxes. Security. Together. — to encourage everyone to do more to protect personal, financial and tax data. See IRS.gov/taxessecuritytogether or Publication 4524 for additional steps you can take to protect yourself.
The U.S. Department of Homeland Security released its guidance on Tuesday for the $20 million Nonprofit Security Grant Program. The grant is competitive and awardees can qualify for up to $75,000 in equipment approved for target hardening.
- The NYS Division of Homeland Security and Emergency Services (DHSES) 2016 RFA (application package) at http://www.dhses.ny.gov/grants/nonprofit.cfm is live. The deadline for submission will be March 28, 2016. (Applicants will still have 6 weeks to complete their application package and will be finished before Passover.) If you have any questions regarding this announcement, please contact DHSES via email at: firstname.lastname@example.org.
- In New York, nonprofits located in NYC, Long Island and Westchester are eligible. Outside of NY, check here.
- JCRC scheduled its assistance webinar on Monday, February 22, 2016 from 11AM to 12:30PM. Click here to reserve and receive the instructions to connect to the webinar.
- We are busily updating our help webpage at www.jcrcny.org/securitygrants. We plan to include the webinar presentations and a recording of the webinar on the page. Check back often.
- Click here to subscribe to the JCRC-NY Security and Emergency Preparedness Alert list. Subscribers will receive updates on the security grant program and other alerts.
| NSGP 2016: Here’s what you can do now | |
| --- | --- |
| Prequalification | NY nonprofits should register at https://grantsgateway.ny.gov/ & complete their Document Vault. See JCRC-NY’s additional information at: http://www.jcrcny.org/document-vault-faqs/. If your nonprofit was previously prequalified, you will still have to update certain documents or your document vault is expired. Check out your document vault for more information. |
| E-Grant registration | If you have an existing account (and remember the username/password), you’re fine; to register for the DHSES E-Grant system, email: email@example.com |
| Risk assessment | Find guidance and contacts at: |
| Investment Justification | Download the 2016 Investment Justification here. |
| For the most up-to-date info | http://www.jcrcny.org/securitygrants |
JCRC-NY and UJA-Federation worked closely with JFNA and its partners, and worked very hard, to bolster the NSGP program allocation this year, and the roles of the Orthodox Union and Agudath Israel were critical.
Working on our behalf were Senators Charles Schumer and Kirsten Gillibrand and members of Congress who signed onto Congressman Peter King’s letter urging an increase in the allocation this year: Dan Donovan, Elliot Engel, Carolyn Maloney, Grace Meng, Jerry Nadler, Kathleen Rice and Lee Zeldin.