Don’t Blame the Victim, Blame the Game: The OFAC’s Misstep in Fining Ransomware Payers


Ransomware attacks have always been a large issue in the cybersecurity world. Now the victims of ransomware attacks may be blamed alongside the attackers.

The Treasury Department’s Office of Foreign Assets Control (OFAC) recently came out with an advisory stating that those who pay the ransom of a ransomware attack may themselves be subject to fines. While this may sound good on paper, in practice this black-and-white approach to a growing cybersecurity problem can be detrimental to all involved.

Popular in many an action movie, the “we don’t negotiate with terrorists” mantra may be thought of as appropriate dogma for cyberattacks. If one pays a bad actor the demanded ransom, it incentivizes future attacks on others. If everyone refused to pay these ransoms, the method of attack would no longer be a profitable one, and the attackers would move on to another cybercrime. Of course, in the movies, Harrison Ford always gets his plane back and the girl; companies who are unprepared victims of ransomware are seldom that lucky.

What makes ransomware such an effective method of attack is precisely why paying the ransom is not always a bad idea. For most attacks, the ransom is pennies on the dollar compared to the cost of a recovery. For all the ethical debate about rewarding someone for their crime, the reality is that refusing to pay may cause the greatest possible damage to the company or individual attacked. The city of Atlanta is an excellent example.

Atlanta was the victim of the SamSam ransomware in January of 2018. The requested ransom for this attack was $6,800 to unlock a single computer or $51,000 for all the decryption keys needed to restore the city’s entire system. This attack was the largest successful cyber attack on a U.S. city in history. It affected around six million people, interrupting activities such as paying bills and fines and some court-related processing, as well as several internal systems for the city itself. Atlanta decided not to pay the $6,800 or the $51,000 ransom. The city did not reward the bad actors for their bad actions and decided to take on the recovery itself. To do this, Atlanta initially put in $2.7 million to recover everything, but once its systems were finally set back into place, the actual cost to the city was nearly $10 million. Atlanta didn’t let the bad guys win, but at what cost?

$10 million suddenly stripped from a city’s budget does not just mean the problem was fixed; it means the city is now short the $10 million originally set aside for other things like salaries, school budgets, road repairs, etc. What could have been a negligible expense ended up costing millions and impacting the city for years to come. The question is what impact the OFAC advisory really has on protecting U.S. cities and companies from these types of ransom attacks.

The answer, unfortunately, is not much. For one thing, this advisory punishes the victim of the attack. Instead of weighing only the cost of paying the ransom against the cost of not paying, victims now have to factor in the ransom plus the fine. This makes for some very fuzzy math: either the fine is so high that it costs a company more to pay than to go through a very expensive recovery, or the fine plus the ransom is still less than the cost of recovery.

If the cost of the fine plus the ransom is greater than the cost of recovery, then under the government’s guidance every ransomware attack becomes far more expensive for the victim. In many cases, it may actually shut down a company that is unable to pay thousands or millions of dollars to recover.

If the cost of the fine and ransom ends up being less than the cost of recovery, then the government is essentially profiting from ransomware attacks. The fiscally responsible move will still be to pay the ransom, but now the government will get a little cut of every attack. Under this model what is the government’s motive to end such attacks?

In both scenarios, the only party to actually suffer is the victim. The government either profits or keeps the status quo, the hacker either gets paid or doesn’t, same as today. The victim is either forced out of business or put in a financially vulnerable spot by the government or simply must pay a “victim’s tax” for being targeted. This would make for a terrible action movie.

If the OFAC advisory isn’t really an effective way of protecting U.S. businesses and cities from ransomware attacks, then what should the government be doing? The answer is in education.

Being a victim of a ransomware attack isn’t an inevitability, and being put in the position of deciding whether to pay is not a given. With the right internal policies, procedures, and technology in place, becoming the victim of a ransomware attack is entirely avoidable. But you need to know which policies and procedures to have in place, and you need to know what technology is available to protect you. The government should expand its role as a resource that helps businesses and cities become aware of both.

Three ways the government can help with ransomware education are:

  • PSA videos – Create short and informative videos that can be incorporated into any HR department’s cybersecurity employee training program. Videos like these can highlight what to look for to identify a phishing scam, how to keep your personal information safe from being a phishing target, and steps to take the moment an attack is apparent.
  • Cyber training classes – The best way to prevent a ransomware attack is to ensure everyone within a network, be it a municipality or a corporation, is aware of all the suggested cybersecurity policies and best practices, as well as how to identify any potential point of attack. Building off the basic information that can be shared through a PSA, these classes presented by the government could go into much greater detail and provide employees with everything they need.
  • Cybersecurity education in schools – Ransomware and other such malicious cyber attacks will always be a threat. It is the nature of a constantly changing digital world. While keeping employees up to date on the latest threats with PSA videos and cyber training classes is vitally important, we need to address these threats at the root. The best way to achieve this is to instill an awareness of the threats and dangers of cyberattacks from a young age. Teach students how to look at phishing scams or behavioral vulnerabilities with a focused mind, so that as the next generation of workers enters their various fields, they are less likely to fall prey.

The government’s role is to protect its citizens and companies. Punishing the victim should not be one of its tactics to do so. Though it may be counter-intuitive, sometimes paying off a ransom is the best move to make. The best way to prevent these types of attacks is proper education and actions before they occur. With the government’s support of a comprehensive cybersecurity education program that works with today’s generation of workers as well as the next, it will have much greater success in decreasing successful ransomware attacks in the short and long term.

https://www.cpomagazine.com/cyber-security/dont-blame-the-victim-blame-the-game-the-ofacs-misstep-in-fining-ransomware-payers/

Ransom Demand Scam Tricks Users by Using Real Passwords in Emails

Have you heard about the new ransom demand sextortion scam? Cybercriminals have implemented a new method of false blackmail to scare users into paying bitcoin.

The email reads:

I’m aware that X is your password.

You don’t know me and you’re thinking why you received this email, right?

Well, I actually placed a malware on the porn website and guess what, you visited this website to have fun (you know what I mean). While you were watching the video, your web browser acted as an RDP (Remote Desktop) and a keylogger which provided me access to your display screen and webcam. Right after that, my software gathered all your contacts from your Messenger, Facebook account, and email account.

What exactly did I do?

I made a split-screen video. First part recorded the video you were viewing (you’ve got a fine taste haha), and next part recorded your webcam (Yep! It’s you doing nasty things!).

What should you do?

Well, I believe, $1400 will be a fair price to pay so your secrets stay safe with me. You’ll make the payment via Bitcoin to the below address (if you don’t know this, search “how to buy bitcoin” in Google).

BTC Address: 1Dvd7Wb72JBTbAcfTrxSJCZZuf4tsT8V72

(It is cAsE sensitive, so copy and paste it)

Important:

You have 24 hours in order to make the payment. (I have a unique pixel within this email message, and right now I know that you have read this email). If I don’t get the payment, I will send your video to all of your contacts including relatives, co-workers, and so forth. Nonetheless, if I do get paid, I will erase the video immediately. If you want evidence, reply with “Yes!” and I will send your video recording to your 5 friends. This is a non-negotiable offer, so don’t waste my time and yours by replying to this email.

To be clear, there is only a slim chance that anyone has actually recorded a video of you, which is what makes this email a scam. With that said, scammers are able to make emails like this so convincing nowadays by using new tactics such as quoting your real password (most probably obtained from corporate data breaches within the last few years).

This has really changed the cyber-blackmailing game, but luckily the passwords these scammers are quoting are not current ones.

“[A]ll three recipients said the password was close to ten years old, and that none of the passwords cited in the sextortion email they received had been used anytime on their current computers,” explained researcher Brian Krebs. In other words, the stolen passwords are old and outdated.

While sextortion scams like this have been around for a long time, there are no reports of any cybercriminals actually carrying out this strategy and installing malware to film someone pleasuring themselves while watching porn. It is much easier to simply lie about it and persuade people that it is true.

To be safe from hackers, you can cover your webcam when not in use and change your passwords regularly so that a leaked password no longer unlocks anything. To be on the safe side, you can also set up two-factor authentication and secure logins.
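The tells described above (a quoted password, a Bitcoin address, a short deadline, a claimed tracking pixel, a threat to message your contacts) are what a mail filter or a helpdesk triage script can look for. The following scorer is an added example written for this page, not code from the article or from Brian Krebs; the indicator list, the weights and the threshold are our own choices, and the two sample messages are constructed (the scam sample paraphrases the email quoted above and reuses the Bitcoin address it printed). The point it demonstrates is that no single indicator is decisive: a legitimate password-expiry notice also mentions "your password" and "48 hours", but only the combination clears the threshold.

```python
import re
from dataclasses import dataclass, field

# Weighted indicators modelled on the structure of the sextortion email quoted
# in the article. Each fires at most once per message; weights are our choice.
INDICATORS = [
    ("password_lure",    2, re.compile(r"\byour password\b", re.I)),
    ("malware_claim",    1, re.compile(r"\b(?:malware|keylogger|rdp|remote desktop)\b", re.I)),
    ("adult_site_claim", 1, re.compile(r"\b(?:porn|adult)\b", re.I)),
    ("webcam_claim",     1, re.compile(r"\b(?:webcam|camera)\b", re.I)),
    ("contacts_threat",  1, re.compile(r"\b(?:contacts|relatives|co-?workers|friends)\b", re.I)),
    ("deadline",         1, re.compile(r"\b\d{1,3}\s*hours?\b", re.I)),
    ("tracking_pixel",   1, re.compile(r"\bpixel\b", re.I)),
    ("bitcoin_mention",  1, re.compile(r"\b(?:bitcoin|btc)\b", re.I)),
]

# Bitcoin address shapes: legacy base58 (leading 1 or 3, 26-35 chars) and
# bech32 ("bc1" plus the bech32 alphabet, which omits 1, b, i and o).
BTC_ADDRESS_RE = re.compile(
    r"\b(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[ac-hj-np-z02-9]{11,71})\b"
)
ADDRESS_WEIGHT = 3   # a concrete payment address is the strongest signal
SCAM_THRESHOLD = 5   # score at or above this is treated as sextortion

@dataclass
class Verdict:
    score: int
    matched: list = field(default_factory=list)
    addresses: list = field(default_factory=list)

    @property
    def is_sextortion(self) -> bool:
        return self.score >= SCAM_THRESHOLD

def score_email(body: str) -> Verdict:
    """Score a plain-text email body against the sextortion indicators."""
    verdict = Verdict(score=0)
    for name, weight, pattern in INDICATORS:
        if pattern.search(body):
            verdict.matched.append(name)
            verdict.score += weight
    verdict.addresses = BTC_ADDRESS_RE.findall(body)
    if verdict.addresses:
        verdict.matched.append("crypto_address")
        verdict.score += ADDRESS_WEIGHT
    return verdict

# Constructed sample: a condensed paraphrase of the email quoted in the article.
SAMPLE_SEXTORTION = (
    "I'm aware that X is your password.\n"
    "I placed a malware on the porn website you visited. Your browser acted as an RDP\n"
    "and a keylogger, which gave me access to your webcam. My software gathered all\n"
    "your contacts from Facebook and email.\n"
    "Pay $1400 via Bitcoin to the address below.\n"
    "BTC Address: 1Dvd7Wb72JBTbAcfTrxSJCZZuf4tsT8V72\n"
    "You have 24 hours. I have a unique pixel within this email so I know you read it.\n"
    "If I don't get paid I will send the video to your contacts, relatives and co-workers.\n"
)

# Constructed sample: a legitimate notice that trips two indicators on its own.
SAMPLE_BENIGN = (
    "Hi Dana,\n"
    "Your password for the staging VPN expires in 48 hours. Please reset it through\n"
    "the IT portal before then. Thanks, Helpdesk\n"
)

if __name__ == "__main__":
    for label, body in (("scam", SAMPLE_SEXTORTION), ("benign", SAMPLE_BENIGN)):
        v = score_email(body)
        print(f"{label}: score={v.score} sextortion={v.is_sextortion} "
              f"matched={v.matched} addresses={v.addresses}")
```

A filter built on this should route hits to a quarantine or a user-facing warning rather than silently dropping them, and the extracted address is worth logging: the same address recurring across many reports is itself a useful way to recognise one campaign.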
