Don’t Blame the Victim, Blame the Game: The OFAC’s Misstep in Fining Ransomware Payers


Ransomware attacks have always been a large issue in the cybersecurity world. The victims of ransomware attacks may also be blamed along with hackers.

The Treasury Department’s Office of Foreign Assets Control (OFAC) recently came out with an advisory stating that those who pay the ransom of a ransomware attack may themselves be subject to fines. While this may sound good on paper, in practice this black-and-white approach to a growing cybersecurity problem can be detrimental to all involved.

Popular in many an action movie, the “we don’t negotiate with terrorists” mantra may be thought of as appropriate dogma to cyberattacks. If one pays a bad actor the demanded ransom, then it incentivizes future attacks on others. If everyone refused to pay these ransoms, the method of attack would no longer be a profitable one, and they would move on to another cybercrime. Of course, in the movies, Harrison Ford always gets his plane back and the girl; companies who are unprepared victims of ransomware are seldom that lucky.

What makes ransomware such an effective method of attack is precisely why paying that ransom is not always a bad idea. For most attacks, the ransom is pennies on the dollar compared to what the cost of a recovery would be. For all the ethical debate about rewarding someone for their crime, the reality is that not doing so may cause the most possible damage to the company or individual attacked. The city of Atlanta is an excellent example.

Atlanta was the victim of the SamSam Ransomware in January of 2018. The requested ransom for this attack was $6,800 to unlock a single computer or $51,000 for all the decrypt keys needed to restore the city’s entire system. This attack was the largest successful cyber attack on a U.S. city in history. The attack affected around six million people, interrupting activities such as paying bills and fines, some court-related processing, as well as several internal systems for the city itself. Atlanta decided not to pay the $6,800 or the $51,000 ransom. They did not reward the bad actors for their bad actions and decided to take on the recovery themselves. To do this, Atlanta initially put in $2.7 million to recover everything, but once their systems were finally set back into place, the actual costs to the city were nearly $10 million. Atlanta didn’t let the bad guys win, but at what cost?

$10 million suddenly stripped from a city’s budget does not just mean the problem was fixed, it meant that they were now short of $10 million originally set for other things like salaries, school budgets, road repairs, etc. What could have been a negligible expense ended up costing millions and impacting the city for years to come. The question is what impact does the OFAC advisory really have on protecting U.S. cities and companies from these types of ransom attacks?

The answer unfortunately is, not much. For one thing, this advisory punishes the victim of the attacks. Instead of having to consider the cost of paying the ransom versus the cost of not, they now have to factor in the ransom plus the fine. This makes for some very fuzzy math. Either the fine is so high that it costs a company more to go through a very expensive recovery phase or the fine plus ransom is still less than the cost of recovery.

If the cost of the fine plus ransom is greater than the cost of recovery, under the government’s guidance all ransomware attacks would be exponentially more expensive for the victims. In many cases, it may actually shut down a company that is unable to pay thousands or millions of dollars to recover.

If the cost of the fine and ransom ends up being less than the cost of recovery, then the government is essentially profiting from ransomware attacks. The fiscally responsible move will still be to pay the ransom, but now the government will get a little cut of every attack. Under this model what is the government’s motive to end such attacks?

In both scenarios, the only party to actually suffer is the victim. The government either profits or keeps the status quo, the hacker either gets paid or doesn’t, same as today. The victim is either forced out of business or put in a financially vulnerable spot by the government or simply must pay a “victim’s tax” for being targeted. This would make for a terrible action movie.

If the OFAC advisory isn’t really an effective way of protecting U.S. businesses and cities from ransomware attacks, then what should the government be doing? The answer is in education.

Being a victim of a ransomware attack isn’t an inevitability. Being put into a situation of having to decide whether to pay is not absolute. With the right internal policies, procedures, and technology in place, being the victim of a ransomware attack is entirely avoidable. But you need to know what policies and procedures to have in place. You need to know what tech is available to protect you. The government should expand itself as a resource to help businesses and cities become aware.

Three ways the government can help with ransomware education are:

  • PSA videos – Create short and informative videos that can be incorporated into any HR department’s cybersecurity employee training program. Videos like these can highlight what to look for to identify a phishing scam, how to keep your personal information safe from being a phishing target, and steps to take the moment an attack is apparent.
  • Cyber training classes – The best way to prevent a ransomware attack is to ensure everyone within a network, be it a municipality or a corporation, is aware of all the suggested cybersecurity policies and best practices, as well as how to identify any potential point of attack. Building off the basic information that can be shared through a PSA, these classes presented by the government could go into much greater detail and provide employees with everything they need.
  • Cybersecurity education in schools – Ransomware and other such malicious cyber attacks will always be a threat. It is the nature of a constantly changing digital world. While keeping employees up to date on the latest threats with PSA videos and cyber training classes is vitally important, we need to address these threats at the root. The best way to achieve this is to instill from a young age an awareness of the threats and dangers of cyberattacks. Teach students how to look at phishing scams or behavioral vulnerabilities with a focused mind, so that as the next generation of workers enters their various fields, they are less likely to fall prey.

The government’s role is to protect its citizens and companies. Punishing the victim should not be one of its tactics to do so. Though it may be counter-intuitive, sometimes paying off a ransom is the best move to make. The best way to prevent these types of attacks is proper education and actions before they occur. With the government’s support of a comprehensive cybersecurity education program that works with today’s generation of workers as well as the next, it will have much greater success in decreasing successful ransomware attacks in the short and long term.

New Orleans Struck by Cyberattack, City Declares State Of Emergency

On Friday, December 13, New Orleans Mayor LaToya Cantrell declared a state of emergency for the city after a cyberattack was detected around 11 a.m. 

The incident began at around 5 a.m., when NOLA Ready – New Orleans’ emergency preparedness campaign – confirmed “suspicious activity…on the City’s network,” followed by a “cybersecurity incident” by around 11 a.m. Once the threat was established, New Orleans’ IT department ordered all employee devices to be shut down and disconnected from Wi-Fi. Servers were also ordered to be powered down following the attack. Emergency response lines, however, remained open to take calls.

The City of New Orleans declared a state of emergency shortly after the cyberattack was detected. A press conference was held the Friday of the incident, in which Mayor LaToya Cantrell confirmed that a cyberattack was responsible for the unusual network activity. Officials stated that no data was lost after the attack and that there is still no indication that passwords were compromised. Chief Information Officer Kim LaGrue confirmed that phishing emails asking for login information had been sent to employees while the attack was underway. There was also evidence of ransomware – specifically the Ryuk strain – as the cause of the cyberattack.

Mayor Cantrell did later affirm that ransomware was behind the attack, but investigations are still ongoing to verify if Ryuk was indeed involved according to the press conference held Monday, the 16th. 

It’s always important to take precautionary steps in making sure you’re prepared for an impending cyberattack. Some cybersecurity steps you can take include:

  • Backing up all your data
  • Being mindful of what email links and attachments you click on
  • Patching software vulnerabilities
  • Using strong passwords and activating two-factor authentication for your accounts

Ransomware Attack Hits UK Police Federation

Announced yesterday: the Surrey headquarters of the Police Federation of England and Wales (PFEW) in the U.K. was hit with a cyberattack, with ransomware encrypting computer email systems and databases and deleting backup data.

The attack occurred on March 9 and affected only this headquarters. The Federation, which consists of approximately 119,000 police officers, said in a statement that its 43 branches spread throughout the U.K. and Wales were not affected.

In a tweet yesterday morning, the Police Federation explains how “[t]here is no evidence at this stage that any data was extracted from our systems but this cannot be discounted.”

Officers of the National Cyber Crime Unit have begun their investigation and are in contact with PFEW to determine the nature of the attack and the extent of damage. According to the PFEW, the attack was likely done as part of a much larger campaign set to cause further havoc.

The incident was reported to the data protection regulator in the U.K. within three days, in line with European regulation, although the PFEW announced the attack 12 days after it first occurred.

Norwegian Aluminum Producers Norsk Hydro Hit by Cyber Attack

Norsk Hydro, one of the largest Norwegian aluminum providers, partly shut down its operations due to a large-scale ransomware attack. The company has been trying to neutralize the attack this week, as it was initially unaware of how significant the damage to its operations was. The main cause of the attack has now been identified as LockerGoga ransomware, and the company is currently working with external partners to restore full systems operations.

When the attack hit, Norsk Hydro said it had switched to manual operations. Its shares went down about two percent while aluminium prices went up 1.5%. There have been a lot of breaches that caused both data loss and other infrastructural issues. In the past, cybercriminals have managed to hack into companies such as Anthem, Yahoo!, and Marriott International, just to name a few.

Norsk claimed to Business Insider, “We are working to [further] contain the situation and reduce impact, aiming to resume normal operation.”

On Thursday, March 21, Hydro’s specialists found the source of the problem and have been working to return the company's systems to their pre-infected state. No safety issues have been announced since the ransomware attack first struck on Tuesday, March 19. Manual operations are still being used, but the company had announced that “most operations are [now] running.” It is still unclear how long full restoration to normal IT operations will take.

UPDATE 3/27/19: Norsk Hydro reported financial losses of up to $40 million based on the ransomware’s impact from last week. While the company is now running almost all its operations normally, the Extruded Solutions business division is still in recovery mode. The Building Systems unit is still “at a standstill,” as said in a press release. Delays are expected, but Norsk Hydro announced that this unit will “gradually ramp up production and shipments during the week.”

Surviving a Ransomware Attack

The rate of ransomware attacks may have gone down, but does that mean there were fewer attacks? The rates have shown a decrease from the previous year, with 1,783 attacks in 2017 compared to a whopping 2,673 reported in 2016. Yet, while such numbers may indicate this catastrophic cybercrime is on the decline, the reality is that most attacks go under-reported, leaving many to wonder how frequently the attacks occur and how the cost will affect businesses.

According to reporting by Ms. Smith of CSO, Verizon's analysis found that ransomware incidents have actually doubled. Researchers have found that attackers usually demand a cryptocurrency payment to release an affected user’s files, but there is no assurance that they will do so after payment is received. Through such ransomware attacks, cybercriminals are always thinking of ways to maximize their profit.

As a former White House CIO who is now president and CEO of Fortalice Solutions explains, “We used to hear very often that it was mostly consumers – but [for those attacks] you’re looking at $75 as a cyber-criminal.” Attackers now aim at any business that relies on the internet, raising corporate concern about impending cyberattacks.

In 2017, the WannaCry, NotPetya, and BadRabbit strains didn’t simply disrupt business processes; rather, the attacks significantly affected the operations of global brands like FedEx. This took the ransomware threat vector to a “totally new level,” using worms to spread through systems and affecting 300-400,000 devices around the world, says Steven Wilson, head of Europol’s European Cybercrime Centre (EC3). The threat continues with cheap off-the-shelf kits sold online, which give an attacker the ransomware tools needed to carry out another business-damaging strike.

“Just think: your entire customer records database is gone,” says Wilson. “You don’t know who owes you money, who you owe money to, or who you’re going to sell your product to. That’s the reality if ransomware strikes you. Everything is gone.”

Raising Awareness

While ransomware such as WannaCry is still very much prevalent, attacks like these have helped raise awareness of possible future strikes. Ongoing trends suggest that ransomware is here to stay. Fortunately, there are cyber-hygiene steps you can acquaint yourself with to prevent attacks from happening in the future.

Keeping computer operating systems up to date is the first step to preparedness, as the latest versions of anti-malware software can assist in the case of an attack. To be ready for a major ransomware strike, it is always best to keep and regularly update backup storage of all files for recovery.

As Payton explains, “Organizations should also consider network segmentation and introduce kill switches to prevent malware from moving laterally, as WannaCry did.” “[It’s always best to] practice for the worst and hope for the best – making sure you’re thinking ahead, practicing that digital disaster, practicing your comms plan,” Payton adds, further suggesting that organizations also perform test runs on full restores.

How can the technology community help?

When public and private bodies work together and familiarize themselves with program vulnerabilities, ransomware disasters can be prevented. NoMoreRansom, for instance, serves as a key source of decryptors for dangerous ransomware: it pools resources across organizations and can help the technology community stay one step ahead of the next crippling attack.

For more on ransomware preparedness strategies, please click here to learn more about preventing ransomware.

New Ransomware Strain Demands Nudes, Not Bitcoin

Normally, when you see the popular kids cartoon character, Thomas the Train, you don’t think anything of it. But if you see Thomas the Train show up on your computer, it might not be such a pleasant sight. As if extorting money and encrypting files wasn’t bad enough, cybercriminals have taken it to the next level: demanding naked photographs instead of Bitcoin. The new ransomware called nRansomware was first spotted by researchers at MalwareHunterTeam on Thursday.


The message states that the computer has been locked and demands that the victim send “at least 10 nude pictures of you,” claiming that the attackers will verify that the pictures indeed belong to the victim. It also mentions that those nude photographs will be sold on the Dark Web.

MalwareHunterTeam warns that it may simply be a prank since it doesn’t actually encrypt files; it’s simply a screenlocker. There is no information on anyone being infected as of yet.

If this is a real strain of ransomware, it’s a very sick, twisted type of attack. While it’s not entirely unexpected, given that hacking and malware are already used to access webcams, it has definitely reached a new low.

3 Ways to Avoid Being Affected During the Next WannaCry Attack

It wasn’t too long ago that businesses spent over $1 Billion on ransomware (that was in 2016). With two global ransomware attacks that have happened in the past month, it’s clear that the ransomware train is not stopping anytime soon.  

With over 230,000 computers and 150 countries affected, the WannaCry attack definitely made many “wanna cry.” We’re only 7 months into the year and we’ve already been hit with two global attacks; what’s to say there won’t be another one?

Ransomware is a type of malware that encrypts your files and demands a ransom to decrypt them. In the early days, ransomware would only infect a single computer at a time. Now, the infection spreads throughout entire networks at the same time. With the rise of ransomware attacks, it’s more important than ever to stay connected.

These steps will get you ready for the next attack and keep the hackers at bay.

  1. Backup Your Data

Backing up your data could be the golden key in the fight against ransomware.

Why are backups so important?

The main purpose of a backup is to create a copy of your data in the event of an emergency (i.e. ransomware attack, flood, earthquake, technology failure, etc.). Most backups used to be stored on actual appliances, which still run the risk of being either infected or damaged in the event of a disaster. Since attackers have gotten wiser, servers and machines are now regularly being infected alongside computers, which is why it’s so important to back up to a ransomware-resistant virtual appliance.

Being able to backup your data and restore it immediately is a crucial step when fighting against ransomware. To be able to restore your data and get back to business without paying the ransom is invaluable!

As an IT company, we have helped many of our clients recover from ransomware, which is why we only partner with trusted backup storage and solution companies. If you are looking to upgrade your backup solution, our most trusted partner is reevert Storage and Backup Solution. Visit their website for a free 30-day trial.

  2. Avoid easy passwords

Having to remember a million different passwords can be a hassle, it’s true. But instead of looking at it like that, just think about what a real hassle it would be to be hacked. By changing your password every few months, you’re being proactive in battling hackers from stealing your data.

To learn the do’s and don’ts of passwords, check out our infographic here.

  3. Keep your Windows up to date

While you can do your absolute best to avoid clicking on the wrong emails or going on unsafe sites, it can all be compromised if you don’t update your Windows system. What made Petya malware and WannaCry so successful was that they exploited vulnerabilities in unpatched systems, which let them get onto those systems. By updating your system as soon as the patches are released, you’re being proactive in protecting yourself against ransomware.

If you have Windows 10, updates will automatically be installed. If you’re running on any system before that, be sure to run these updates immediately.

Email security is also an important factor in fighting against ransomware. To learn about email security, read our blog.

Don’t let the perpetrators win. Follow these tips to avoid being a victim during the next WannaCry attack.

What is a Phishing Scam and How to Avoid Being A Victim

What is a phishing scam?

Phishing scams are carried out through emails, websites and phone calls with one main purpose in mind: to steal your money. Many times, your sensitive information is stolen via malicious software on your computer or through a process called ‘social engineering’. Social engineering is when you hand over your personal information under false pretenses. Being aware of cybercriminals’ tricks is an important factor in cybersecurity.

How to Avoid An Email Phishing Scam:

1. Is the “from” email address a random email address? If you don’t recognize the sender and it’s unrelated to the content of the message, delete it immediately.

2. Is it being addressed to a generic name (i.e. Dear Customer, user, you, etc.)? You might even find that you were simply bcc’d on the email. Most of these are spray-and-pray types of situations.

3. Look for poor grammar and spelling mistakes in the email content. Most major companies have a staff of copywriters or editors that would not allow mass emails to go out with spelling / grammar mistakes (although, the criminals are getting much better).

4. Be aware of anything that implies a threat or immediate action to be taken. If they’re threatening to close your account if you don’t respond or login, it’s most likely a scam.

5. Always hover over links and check the address before clicking them. Oftentimes, links are disguised and direct to a malicious website. Always type the URL directly into the address bar.

For example, you may be getting a phishing email disguised as your bank. These usually take you to a fake website where you enter in your sensitive credentials.

6. Unless you’re expecting an attachment or link from someone you recognize, never click or open them. Cybercriminals can steal private information by installing malicious software on your computer. A common tactic is using Word or Excel Document Macros (automation scripts) to execute or download malicious software on your computer or network.

To learn more about how to protect yourself and educate your employees, check out Inverselogic’s free guides to cybersecurity. If you are interested in personalizing these guides for your business, let us know and we’d be happy to work something out with you.

NHS, FedEx and Other Major Companies Hit in Global Cyberattack

A global cyberattack today hit more than 74 countries with 45,000 attacks. Among those affected were 16 National Health Service (NHS) hospitals in England, along with FedEx and Spain’s largest telecom.

The attack appears to have been carried out by hackers using a stolen tool created by the United States National Security Agency (NSA): WannaCry Ransomware.

With this strain of ransomware, $300 (£233) is being demanded in exchange for the decryption key for each locked system. Hospitals were forced to shut down their emergency rooms and send patients to other locations. Patient records, schedules, phones and email were all compromised during the attack, putting a number of patients at grave risk.

As of now, it is not being seen as a matter of national security brought on by a foreign power, but it is still being treated as a very serious matter.

For more information, please visit to read the full article.

Cybersecurity Experts Give 5 Tips to Avoid Ransomware

Malware – a mashup of the words ‘malicious’ and ‘software’ – is what cybersecurity experts use to describe any malicious program on a computer or mobile device. Ransomware, a type of malware, is a version that encrypts files and asks for a ransom (typically through bitcoin), in order to decrypt said files. Though there are various types of malware that exist, many versions install without user consent. The effects of malware range from crippling your computer to stealing sensitive data.

Recently, there has been an increase in attacks on hospitals in exchange for hefty funds. In February, Hollywood Presbyterian Medical Center paid a $17,000 ransom (40 bitcoin) after a hacker seized their patients’ medical records and important files. Unfortunately, this is a trend that is happening all too often. We’ve put together an infographic to help you fight against ransomware and protect your important files. If you do not have a proper backup plan set up, Inverselogic’s cybersecurity experts can put a plan of action together for you and your business.
