FBI to LACBA: Cyber Threatscape for Law Firms Gone Remote
Tuesday, December 8, 2020

Presented by the Small Firm and Sole Practitioner Section

Many law firms have adapted quickly to the realities of our current health crisis, with their workforces now collaborating remotely as they fulfill essential business functions. This shift to a virtual workplace has left remote employees potentially vulnerable to cyber attackers, who increasingly prey on American businesses by exploiting security vulnerabilities and the habits of employees untrained in secure remote business protocol.

Please join us as we welcome our special guest, Special Agent Michael Sohn of the FBI’s Los Angeles Cyber Task Force, as he discusses major cyber risks and threats emerging in our region and the best habits for protecting against them. SA Sohn will offer concrete tips that you can implement immediately and teach to your staff so you can reduce the chances of your law firm becoming a cyber victim of the COVID-19 pandemic.

Speakers: Supervisory Special Agent Michael Sohn, FBI Los Angeles Cyber Task Force

Moderator: Zein Obagi, Obagi Law Group, PC

Date: December 8, 2020
Time: 12:00 PM - 1:30 PM

1.5 Hr Competency Credit

FREE to All LACBA Members

Registration Link: https://tinyurl.com/y3llxjcc

Thank You to Our Sponsors

Once you have completed your LACBA registration, on the date of the event you will receive a link from Zoom that will allow you to join the webinar directly. In order to receive participatory CLE credit, registrants must participate in the webinar via Zoom. LACBA cannot provide CLE credit to those who only listen to the program audio by phone. Individuals wishing to receive CLE credit must register independently.

Important Information:

Please log in to Zoom at least 10 minutes before the program time.

You will receive a certificate of attendance via email in 7-10 business days.

OUR AWARD-WINNING PERSONAL INJURY AND TRIAL ATTORNEYS HAVE WON MILLIONS IN JURY VERDICTS ON BEHALF OF VICTIMS IN THE COURTROOM

www.kramerlaw.com

The Attorney's Quick Guide To Determining Which Claims Are Worth Pursuing

811 Wilshire Boulevard, Suite 1721, Los Angeles, California 90017 | 424-284-2401 | www.obagilaw.com

This guide is informational only and not to be construed as legal advice. We pay referral fees to attorneys per the R.P.C.

Does The PNC Have A Viable Employment Claim?

Nearly all of the PNC claims you will field will involve at least one of three primary elements. As you evaluate the viability of the claim, keep these three elements in mind.

DISCRIMINATION AGAINST A PROTECTED CLASS OR HARASSMENT
• Age (over 40)
• Ancestry / national origin
• Disability (mental and physical)
• Familial status
• Gender expression
• Gender identity
• Genetic information
• Marital status
• Medical condition
• Military / veteran status
• Pregnancy status
• Race / color
• Religion / creed
• Sex / gender
• Sexual orientation

ILLEGAL ADVERSE ACTION / DISPARATE TREATMENT
• Increase in co-workers' pay / cut in PNC's pay
• Promotion for co-worker / demotion for PNC
• Loss in title
• Refusal to hire
• Termination / threat to security
• Transfer to another department / location
• Unwanted sexual advance / touching
• Using sexually suggestive language or describing sex acts
• Using racist language / displaying racist images
• Telling offensive jokes about protected class(es) of people

RETALIATION FOR TAKING PART IN PROTECTED ACTIVITY
Most common protected activities:
• Filing a workers' compensation claim
• Alerting law enforcement or other government agencies about the employer's illegal activity
• Safety-based actions, which includes filing a complaint with Cal / OSHA or other agency regarding working conditions
• Requesting reasonable accommodations to work with a disability
• Complaining about discrimination or harassment in the workplace
• Refusing to participate in illegal activity

Other potential causes for employment claims

Wage / hour claims
• Was PNC misclassified as an independent contractor?
• Was overtime rate of pay appropriately made to PNC?
• Did employer provide paid rest and meal periods as required?

Medical / family leave claims (50+ employees)
• Did PNC make protected request for family medical leave?
• Did the employer properly evaluate and respond to request?
• Did PNC give sufficient written notice re. medical condition?
• Would employer have taken the action without PNC having ever made the request for leave?

Workers' compensation
• PNC must be an employee, not an independent contractor
• PNC must have workplace injury or occupational illness due to work environment

Disability discrimination (15+ employees)
• Did employer fail to engage in the process to determine reasonable accommodations?
• Did employer discriminate / retaliate based on disability?

Privacy violations
• Did employer intrude on PNC's reasonable expectation to privacy, OR did employer retaliate / harass / discriminate after making the privacy violation?

Does The PNC Have A Viable Employment Claim? Basic Analysis

The steps below will assist you in determining the validity of the PNC's employment claim.

STEP 1
• Does the employer have 5 or more employees? If no, FEHA may not apply.
• Does the employer have 50 or more employees? If no, FMLA and CFRA may not apply.

STEP 2
• Did the employee engage in protected conduct resulting in retaliation?
OR
• Did the employer engage in unlawful discrimination or harassment?

STEP 3
• Did employee sustain adverse employment decision?

STEP 4
• How long ago was violation? Check appropriate statute of limitations for the claim.

STEP 5

The Retaliation Path
• What protected conduct prompted the retaliation?
• Was the protected conduct or complaint in writing, otherwise memorialized or witnessed?
• How soon after the protected conduct did retaliation occur?
• Was the retaliation in writing?

The Discrimination / Harassment Path
• What evidence of discriminatory animus or harassment exists? (Think documents or friendly witnesses)
• How much time elapsed between discriminatory or harassing conduct and the adverse employment conduct, if any?
• Were other employees similarly treated or terminated? (Layoff, reduction in force inquiry)

STEP 6

Did the employee suffer money damages?
• Loss of wages
• Loss of healthcare insurance, other benefits

Did the employee suffer non-economic damages?
• Does the employee need psychological treatment or therapy?

Does The PNC Have A Viable Employment Claim? The Introduction

Here are the questions you should ask a PNC at intake.

1. How did PNC hear about your firm?
• When you ask this question, tell the PNC you love to send a thank you to your referral friends and partners.

2. PNC Identification information
• Full name
• Age
• Phone number
• Email address
• Mailing / physical address

3. Information on employer in question
• Is subject of complaint PNC's current or former employer?
• Name of company / and any employees pertinent to the complaint
• PNC's last / most recent job title with the employer
• Number of employees employed by employer (to the best of the PNC's knowledge)
• How long had / has PNC been employed by this employer?

4. Nature of complaint
• If no longer with the company, how did PNC leave company? e.g., fired, laid off, quit
• Date of separation or other adverse employment action
• Type of unlawful conduct PNC was subject to: Discrimination, Retaliation, Harassment
• For each type of conduct, ask PNC to provide details of the conduct
• For discrimination complaint, please provide basis for discrimination.

5. Details of / additional information in support of complaint
• Ask PNC to provide as much detail as they can about how their employment ended or the type of adverse action(s) taken against them that they believe are unlawful or wrongful, and which led PNC to seek legal counsel
• Are there any documents (text messages, emails, voicemails) evidencing the claims above? If so, what types and who has them?

Details of / additional information for complaint (cont.)
• Ask PNC to upload / deliver any documents in their possession
• Are there witnesses, and if so, how many and who are they?
• Did PNC file any written complaints with any administrative agencies or the employer? If yes, provide dates and to whom PNC complained.

6. Financial information / damages
• Types of damages sustained
• Last salary / rate of pay
• Hours worked per week
• Does PNC recall signing an Arbitration Agreement?
• Did PNC sign a severance package or settlement agreement with the employer?
• Has PNC ever filed for bankruptcy?

7. Is there any additional information the PNC would like your firm to know as to why they are contacting you?
• If intake is done online / via questionnaire, end with thanking PNC and assure them a member of your firm will contact them promptly.

TARA HATTENDORF

Small Firm Attention. Large Firm Results.

Tara Hattendorf is a strong advocate with a compassionate heart. Tara strives to make the litigation process understandable and seamless for our clients. She works throughout the life of a lawsuit to ensure that our clients' goals are at the forefront, and she works diligently to get our clients great results.

Tara supports senior counsel at Obagi Law in all aspects of civil litigation, including pleading preparation, law and motion practice, discovery, conducting and defending depositions, arguing at hearings, assisting and leading settlement discussions, and upholding our stellar reputation for constant contact with our clients. Already, in her first year with the Obagi Law Group, exceptional examples of results she has achieved for clients include a $250,000 settlement for a retaliatory wrongful termination and quid pro quo sexual harassment, and a $385,000 settlement for a client in a textile industry breach of contract dispute. Tara developed her passion for law and justice through her undergraduate journalism studies. Subsequently, at the USC Gould School of Law, Tara gained invaluable experience at the California Office of the Attorney General in the Civil Rights Enforcement Section. She also clerked at Public Counsel in the Center for Veterans' Advancement. During her final year of law school, she served as a Senior Copy Editor of the Southern California Review of Law and Social Justice.

Tara graduated from Pacific Union College, summa cum laude, with a B.S. in History, Political Studies and Ethics, and a minor in Public Relations & Journalism. She earned a J.D. from the University of Southern California Gould School of Law, with a Certificate in Entertainment Law. Tara was admitted into the California Bar in December 2019. She is also admitted to practice in the Central and Northern Districts of California.

ZEIN E. OBAGI, JR.

Small Firm Attention. Large Firm Results.

Zein Obagi is the founder and lead counsel at Obagi Law Group, P.C., in Downtown Los Angeles. Serving clients throughout the greater L.A. metro area and all across the state, Mr. Obagi offers exceptional and effective advocacy to those who are dealing with legal challenges involving any of the following and more:

 Employment law litigation for matters involving harassment, discrimination, and other unlawful employer retaliation;

 Business litigation and partnership disputes with a particular emphasis on the cannabis industry and business debt collection.

Mr. Obagi has earned a reputation as a tenacious and aggressive trial attorney who zealously pursues the most favorable outcomes on his clients' behalf. His successes are varied and many, including a $2.73 million jury verdict in cannabis litigation, enforcing judgments against a wide range of defiant institutions such as the Mexican government, and regularly attaining 6-figure employment litigation settlements for plaintiffs. Of course, all case results are fact dependent and no attorney can guarantee any result.

A 2005 graduate of UC Berkeley, Mr. Obagi attained his J.D. from the University of Southern California Gould School of Law in 2008. While in law school, he was a member of the Hale Moot Court Honors Program, and he received the highest score in his class for "Contracts."

Mr. Obagi is admitted to practice in California, including the U.S. District Court for the Central, Southern, Eastern and Northern Districts of California, the U.S. Court of Appeals for the 9th Circuit, and the Supreme Court of the United States. In 2019 and 2020, SuperLawyers identified him as a Rising Star.

Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments1

Date: October 1, 2020

The U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) is issuing this advisory to highlight the sanctions risks associated with ransomware payments related to malicious cyber-enabled activities. Demand for ransomware payments has increased during the COVID-19 pandemic as cyber actors target online systems that U.S. persons rely on to continue conducting business. Companies that facilitate ransomware payments to cyber actors on behalf of victims, including financial institutions, cyber insurance firms, and companies involved in digital forensics and incident response, not only encourage future ransomware payment demands but also may risk violating OFAC regulations. This advisory describes these sanctions risks and provides information for contacting relevant U.S. government agencies, including OFAC, if there is a reason to believe the cyber actor demanding ransomware payment may be sanctioned or otherwise have a sanctions nexus.2

Background on Ransomware Attacks

Ransomware is a form of malicious software (“malware”) designed to block access to a computer system or data, often by encrypting data or programs on information technology systems to extort ransom payments from victims in exchange for decrypting the information and restoring victims’ access to their systems or data. In some cases, in addition to the attack, cyber actors threaten to publicly disclose victims’ sensitive files. The cyber actors then demand a ransomware payment, usually through digital currency, in exchange for a key to decrypt the files and restore victims’ access to systems or data.

In recent years, ransomware attacks have become more focused, sophisticated, costly, and numerous. According to the Federal Bureau of Investigation’s 2018 and 2019 Internet Crime Reports, there was a 37 percent annual increase in reported ransomware cases and a 147 percent annual increase in associated losses from 2018 to 2019.3 While ransomware attacks are carried out against large corporations, many ransomware attacks also target small- and medium-sized businesses, local government agencies, hospitals, and school districts, which may be more vulnerable as they may have fewer resources to invest in cyber protection.

1 This advisory is explanatory only and does not have the force of law. It does not modify statutory authorities, Executive Orders, or regulations. It is not intended to be, nor should it be interpreted as, comprehensive or as imposing requirements under U.S. law, or otherwise addressing any particular requirements under applicable law. Please see the legally binding provisions cited for relevant legal authorities.

2 This advisory is limited to sanctions risks related to ransomware and is not intended to address issues related to information security practitioners’ cyber threat intelligence-gathering efforts more broadly. For guidance related to those activities, see guidance from the U.S. Department of Justice, Criminal Division, Computer Crime and Intellectual Property Section, Cybersecurity Unit, Legal Considerations when Gathering Online Cyber Threat Intelligence and Purchasing Data from Illicit Sources (February 2020), available at https://www.justice.gov/criminal-ccips/page/file/1252341/download.

3 Compare Federal Bureau of Investigation, Internet Crime Complaint Center, 2018 Internet Crime Report, at 19, 20, available at https://pdf.ic3.gov/2018_IC3Report.pdf, with Federal Bureau of Investigation, Internet Crime Complaint Center, 2019 Internet Crime Report, available at https://pdf.ic3.gov/2019_IC3Report.pdf.

OFAC Designations of Malicious Cyber Actors

OFAC has designated numerous malicious cyber actors under its cyber-related sanctions program and other sanctions programs, including perpetrators of ransomware attacks and those who facilitate ransomware transactions. For example, starting in 2013, a ransomware variant known as Cryptolocker was used to infect more than 234,000 computers, approximately half of which were in the United States.4 OFAC designated the developer of Cryptolocker, Evgeniy Mikhailovich Bogachev, in December 2016.5

Starting in late 2015 and lasting approximately 34 months, SamSam ransomware was used to target mostly U.S. government institutions and companies, including the City of Atlanta, the Colorado Department of Transportation, and a large healthcare company. In November 2018, OFAC designated two Iranians for providing material support to a malicious cyber activity and identified two digital currency addresses used to funnel SamSam ransomware proceeds.6

In May 2017, a ransomware known as WannaCry 2.0 infected approximately 300,000 computers in at least 150 countries. This attack was linked to the Lazarus Group, a cybercriminal organization sponsored by North Korea. OFAC designated the Lazarus Group and two sub-groups, Bluenoroff and Andariel, in September 2019.7

Beginning in 2015, Evil Corp, a Russia-based cybercriminal organization, used the Dridex malware to infect computers and harvest login credentials from hundreds of banks and financial institutions in over 40 countries, causing more than $100 million in theft. In December 2019, OFAC designated Evil Corp and its leader, Maksim Yakubets, for their development and distribution of the Dridex malware.8

OFAC has imposed, and will continue to impose, sanctions on these actors and others who materially assist, sponsor, or provide financial, material, or technological support for these activities.

4 Press Release, U.S. Dept. of Justice, U.S. Leads Multi-National Action Against “Gameover Zeus” Botnet and “Cryptolocker” Ransomware, Charges Botnet Administrator (June 2, 2014), available at https://www.justice.gov/opa/pr/us-leads-multi-national-action-against-gameover-zeus-botnet-and-cryptolocker-ransomware.

5 Press Release, U.S. Dept. of the Treasury, Treasury Sanctions Two Individuals for Malicious Cyber-Enabled Activities (Dec. 29, 2016), available at https://www.treasury.gov/press-center/press-releases/Pages/jl0693.aspx.

6 Press Release, U.S. Dept. of the Treasury, Treasury Designates Iran-Based Financial Facilitators of Malicious Cyber Activity and for the First Time Identifies Associated Digital Currency Addresses (Nov. 28, 2018), available at https://home.treasury.gov/news/press-releases/sm556.

7 Press Release, U.S. Dept. of the Treasury, Treasury Sanctions North Korean State-Sponsored Malicious Cyber Groups (Sept. 13, 2019), available at https://home.treasury.gov/news/press-releases/sm774.

8 Press Release, U.S. Dept. of the Treasury, Treasury Sanctions Evil Corp, the Russia-Based Cybercriminal Group Behind Dridex Malware (Dec. 5, 2019), available at https://home.treasury.gov/news/press-releases/sm845.

Ransomware Payments with a Sanctions Nexus Threaten U.S. National Security Interests

Facilitating a ransomware payment that is demanded as a result of malicious cyber activities may enable criminals and adversaries with a sanctions nexus to profit and advance their illicit aims. For example, ransomware payments made to sanctioned persons or to comprehensively sanctioned jurisdictions could be used to fund activities adverse to the national security and foreign policy objectives of the United States. Ransomware payments may also embolden cyber actors to engage in future attacks. In addition, paying a ransom to cyber actors does not guarantee that the victim will regain access to its stolen data.

Facilitating Ransomware Payments on Behalf of a Victim May Violate OFAC Regulations

Under the authority of the International Emergency Economic Powers Act (IEEPA) or the Trading with the Enemy Act (TWEA),9 U.S. persons are generally prohibited from engaging in transactions, directly or indirectly, with individuals or entities (“persons”) on OFAC’s Specially Designated Nationals and Blocked Persons List (SDN List), other blocked persons, and those covered by comprehensive country or region embargoes (e.g., Cuba, the Crimea region of Ukraine, Iran, North Korea, and Syria). Additionally, any transaction that causes a violation under IEEPA, including transactions by a non-U.S. person which causes a U.S. person to violate any IEEPA-based sanctions, is also prohibited. U.S. persons, wherever located, are also generally prohibited from facilitating actions of non-U.S. persons, which could not be directly performed by U.S. persons due to U.S. sanctions regulations. OFAC may impose civil penalties for sanctions violations based on strict liability, meaning that a person subject to U.S. jurisdiction may be held civilly liable even if it did not know or have reason to know it was engaging in a transaction with a person that is prohibited under sanctions laws and regulations administered by OFAC.

OFAC’s Economic Sanctions Enforcement Guidelines (Enforcement Guidelines)10 provide more information regarding OFAC’s enforcement of U.S. economic sanctions, including the factors that OFAC generally considers when determining an appropriate response to an apparent violation. Under the Enforcement Guidelines, in the event of an apparent violation of U.S. sanctions laws or regulations, the existence, nature, and adequacy of a sanctions compliance program is a factor that OFAC may consider when determining an appropriate enforcement response (including the amount of civil monetary penalty, if any).

As a general matter, OFAC encourages financial institutions and other companies to implement a risk-based compliance program to mitigate exposure to sanctions-related violations.11 This also applies to companies that engage with victims of ransomware attacks, such as those involved in providing cyber insurance, digital forensics and incident response, and financial services that may involve processing ransom payments (including depository institutions and money services businesses). In particular, the sanctions compliance programs of these companies should account for the risk that a ransomware payment may involve an SDN or blocked person, or a comprehensively embargoed jurisdiction. Companies involved in facilitating ransomware payments on behalf of victims should also consider whether they have regulatory obligations under Financial Crimes Enforcement Network (FinCEN) regulations.12

9 50 U.S.C. §§ 4301–41; 50 U.S.C. §§ 1701–06.

10 31 C.F.R. part 501, appx. A.

11 To assist the public in developing an effective sanctions compliance program, in 2019, OFAC published A Framework for OFAC Compliance Commitments, intended to provide organizations with a framework for the five essential components of a risk-based sanctions compliance program. The Framework is available at https://home.treasury.gov/system/files/126/framework_ofac_cc.pdf.

Under OFAC’s Enforcement Guidelines, OFAC will also consider a company’s self-initiated, timely, and complete report of a ransomware attack to law enforcement to be a significant mitigating factor in determining an appropriate enforcement outcome if the situation is later determined to have a sanctions nexus. OFAC will also consider a company’s full and timely cooperation with law enforcement both during and after a ransomware attack to be a significant mitigating factor when evaluating a possible enforcement outcome.

OFAC Licensing Policy

Ransomware payments benefit illicit actors and can undermine the national security and foreign policy objectives of the United States. For this reason, license applications involving ransomware payments demanded as a result of malicious cyber-enabled activities will be reviewed by OFAC on a case-by-case basis with a presumption of denial.

Victims of Ransomware Attacks Should Contact Relevant Government Agencies

OFAC encourages victims and those involved with addressing ransomware attacks to contact OFAC immediately if they believe a request for a ransomware payment may involve a sanctions nexus. Victims should also contact the U.S. Department of the Treasury’s Office of Cybersecurity and Critical Infrastructure Protection if an attack involves a U.S. financial institution or may cause significant disruption to a firm’s ability to perform critical financial services.

 U.S. Department of the Treasury’s Office of Foreign Assets Control
   o Sanctions Compliance and Evaluation Division: [email protected]; (202) 622-2490 / (800) 540-6322
   o Licensing Division: https://licensing.ofac.treas.gov/; (202) 622-2480
 U.S. Department of the Treasury’s Office of Cybersecurity and Critical Infrastructure Protection (OCCIP)
   o [email protected]; (202) 622-3000
 Financial Crimes Enforcement Network (FinCEN)
   o FinCEN Regulatory Support Section: [email protected]

12 See FinCEN Guidance, FIN-2020-A00X, “Advisory on Ransomware and the Use of the Financial System to Facilitate Ransom Payments,” October 1, 2020, for applicable anti-money laundering obligations related to financial institutions in the ransomware context.

Contact Information for Other Relevant U.S. Government Agencies:

 Federal Bureau of Investigation Cyber Task Force
   o https://www.ic3.gov/default.aspx; www.fbi.gov/contact-us/field
 U.S. Secret Service Cyber Fraud Task Force
   o www.secretservice.gov/investigation/#field
 Cybersecurity and Infrastructure Security Agency
   o https://us-cert.cisa.gov/forms/report
 Homeland Security Investigations Field Office
   o https://www.ice.gov/contact/hsi

If you have any questions regarding the scope of any sanctions requirements described in this advisory, please contact OFAC’s Sanctions Compliance and Evaluation Division at (800) 540-6322 or (202) 622-2490.


October 02, 2019

Alert Number I-100219-PSA

Questions regarding this PSA should be directed to your local FBI Field Office.

Local Field Office Locations: www.fbi.gov/contact-us/field-offices

High-Impact Ransomware Attacks Threaten U.S. Businesses And Organizations

This Public Service Announcement (PSA) is an update and companion to Ransomware PSA I-091516-PSA posted on www.ic3.gov. This PSA contains updated information about the ransomware threat.

WHAT IS RANSOMWARE?

Ransomware is a form of malware that encrypts files on a victim’s computer or server, making them unusable. Cyber criminals demand a ransom in exchange for providing a key to decrypt the victim’s files.

Ransomware attacks are becoming more targeted, sophisticated, and costly, even as the overall frequency of attacks remains consistent. Since early 2018, the incidence of broad, indiscriminate ransomware campaigns has sharply declined, but the losses from ransomware attacks have increased significantly, according to complaints received by IC3 and FBI case information.

Although state and local governments have been particularly visible targets for ransomware attacks, ransomware actors have also targeted health care organizations, industrial companies, and the transportation sector.

HOW DOES RANSOMWARE INFECT ITS VICTIMS?

Cyber criminals use a variety of techniques to infect victim systems with ransomware. Cyber criminals upgrade and change their techniques to make their attacks more effective and to prevent detection.

The FBI has observed cyber criminals using the following techniques to infect victims with ransomware:

• Email phishing campaigns: The cyber criminal sends an email containing a malicious file or link, which deploys malware when clicked by a recipient. Cyber criminals historically used generic, broad-based spamming strategies to deploy their malware, while recent ransomware campaigns have been more targeted. Criminals may also compromise a victim’s email account by using precursor malware, which enables the cyber criminal to use a victim’s email account to further spread the infection.

• Remote Desktop Protocol vulnerabilities: RDP is a proprietary network protocol that allows individuals to control the resources and data of a computer over the internet. Cyber criminals have used both brute-force methods, a technique using trial-and-error to obtain user credentials, and credentials purchased on darknet marketplaces to gain unauthorized RDP access to victim systems. Once they have RDP access, criminals can deploy a range of malware—including ransomware—to victim systems.

• Software vulnerabilities: Cyber criminals can take advantage of security weaknesses in widely used software programs to gain control of victim systems and deploy ransomware. For example, cyber criminals recently exploited vulnerabilities in two remote management tools used by managed service providers (MSPs) to deploy ransomware on the networks of customers of at least three MSPs.

IF MY SYSTEM IS INFECTED, SHOULD I PAY THE RANSOM? SHOULD I CONTACT THE FBI?

The FBI does not advocate paying a ransom, in part because it does not guarantee an organization will regain access to its data. In some cases, victims who paid a ransom were never provided with decryption keys. In addition, due to flaws in the encryption algorithms of certain malware variants, victims may not be able to recover some or all of their data even with a valid decryption key.

Paying ransoms emboldens criminals to target other organizations and provides an alluring and lucrative enterprise to other criminals. However, the FBI understands that when businesses are faced with an inability to function, executives will evaluate all options to protect their shareholders, employees, and customers.

Regardless of whether you or your organization have decided to pay the ransom, the FBI urges you to report ransomware incidents to law enforcement. Doing so provides investigators with the critical information they need to track ransomware attackers, hold them accountable under U.S. law, and prevent future attacks.

HOW CAN I PROTECT MYSELF AGAINST RANSOMWARE?

The most important defense for any organization against ransomware is a robust system of backups. Having a recent backup to restore from could prevent a ransomware attack from crippling your organization. The time to invest in backups and other cyber defenses is before an attacker strikes, not afterward when it may be too late.

As ransomware techniques and malware continue to evolve and become more sophisticated, even the most robust prevention controls are no guarantee against exploitation. This makes contingency and remediation planning crucial to business recovery and continuity. Those plans should be tested regularly to ensure the integrity of sensitive data in the event of a compromise.

CYBER DEFENSE BEST PRACTICES

• Regularly back up data and verify its integrity. Ensure backups are not connected to the computers and networks they are backing up. For example, physically store them offline. Backups are critical in ransomware; if you are infected, backups may be the best way to recover your critical data. • Focus on awareness and training. Since end users are targeted, employees should be made aware of the threat of ransomware and how it is delivered, and trained on information security principles and techniques. • Patch the operating system, software, and firmware on devices. All endpoints should be patched as vulnerabilities are discovered. This can be made easier through a centralized patch management system. • Ensure anti-virus and anti-malware solutions are set to automatically update and that regular scans are conducted. • Implement the least privilege for file, directory, and network share permissions. If a user only needs to read specific files, they should not have write-access to those files, directories, or shares. Configure access controls with least privilege in mind. • Disable macro scripts from Office files transmitted via email. Consider using Office Viewer software to open Microsoft Office files transmitted via email instead of full Office Suite applications. • Implement software restriction policies or other controls to prevent the execution of programs in common ransomware locations, such as temporary folders supporting popular internet browsers, and compression/decompression programs, including those located in the AppData/LocalAppData folder. • Employ best practices for use of RDP, including auditing your network for systems using RDP, closing unused RDP ports, applying two-factor authentication wherever possible, and logging RDP login attempts. • Implement application whitelisting. Only allow systems to execute programs known and permitted by security policy. • Use virtualized environments to execute operating system environments or specific programs. 
• Categorize data based on organizational value, and implement physical and logical separation of networks and data for different organizational units. For example, sensitive research or business data should not reside on the same server and network segment as an organization’s email environment.
• Require user interaction for end-user applications communicating with websites uncategorized by the network proxy or firewall. For example, require users to type information or enter a password when their system communicates with a website uncategorized by the proxy or firewall.
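The RDP item above asks for logging RDP login attempts, and logs are only useful if someone reviews them. The script below is an added example of that review; it is not code from the PSA or the FBI. It assumes Windows Security events 4625 (failed logon) and 4624 (successful logon) have been exported as records carrying the EventData field names shown (TargetUserName, LogonType, IpAddress). The sample records, the IP addresses, and the threshold of five failures in ten minutes are constructed for illustration and should be tuned to the environment.

```python
"""RDP logon-attempt review over exported Windows Security events (added example).

Assumes records carry the EventData field names of event 4625 (failed logon)
and 4624 (successful logon). Sample data and thresholds are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# LogonType 10 = RemoteInteractive (RDP). Hosts with Network Level Authentication
# often record failed RDP attempts as LogonType 3 instead; add "3" if yours do.
RDP_LOGON_TYPES = {"10"}
FAIL_THRESHOLD = 5               # assumed tuning: this many failures per source IP ...
WINDOW = timedelta(minutes=10)   # ... inside this window count as a burst


def ev(event_id, time, user, logon_type, ip):
    """Build one record in the shape of an exported Security event."""
    return {"EventID": event_id, "TimeCreated": time, "TargetUserName": user,
            "LogonType": logon_type, "IpAddress": ip}


# Constructed sample export, not real log data.
SAMPLE_EVENTS = [
    ev(4625, "2019-09-10T02:00:01", "admin", "10", "203.0.113.7"),
    ev(4625, "2019-09-10T02:00:10", "admin", "3", "203.0.113.7"),   # not RDP, ignored
    ev(4625, "2019-09-10T02:00:35", "administrator", "10", "203.0.113.7"),
    ev(4625, "2019-09-10T02:01:10", "jsmith", "10", "203.0.113.7"),
    ev(4625, "2019-09-10T02:01:44", "backup", "10", "203.0.113.7"),
    ev(4625, "2019-09-10T02:02:20", "admin", "10", "203.0.113.7"),
    ev(4625, "2019-09-10T02:03:30", "admin", "10", "203.0.113.7"),
    ev(4624, "2019-09-10T02:04:02", "jsmith", "10", "203.0.113.7"),  # success after burst
    ev(4625, "2019-09-10T08:15:00", "mjones", "10", "198.51.100.22"),  # one typo, then ok
    ev(4624, "2019-09-10T08:15:20", "mjones", "10", "198.51.100.22"),
    ev(4625, "2019-09-10T22:00:00", "svc_backup", "10", "192.0.2.55"),  # slow, spread out
    ev(4625, "2019-09-10T22:30:00", "svc_backup", "10", "192.0.2.55"),
    ev(4625, "2019-09-10T23:00:00", "svc_backup", "10", "192.0.2.55"),
    ev(4625, "2019-09-10T23:30:00", "svc_backup", "10", "192.0.2.55"),
    ev(4625, "2019-09-10T23:59:00", "svc_backup", "10", "192.0.2.55"),
]


def _t(stamp):
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%S")


def failure_bursts(events, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Map source IP -> summary for IPs with >= threshold failed RDP logons inside window."""
    fails = defaultdict(list)
    for e in events:
        if e["EventID"] == 4625 and e["LogonType"] in RDP_LOGON_TYPES:
            fails[e["IpAddress"]].append((_t(e["TimeCreated"]), e["TargetUserName"]))
    bursts = {}
    for ip, attempts in fails.items():
        attempts.sort()
        # Slide a window of `threshold` consecutive attempts over the sorted list.
        for i in range(len(attempts) - threshold + 1):
            start, end = attempts[i][0], attempts[i + threshold - 1][0]
            if end - start <= window:
                bursts[ip] = {"first": start, "last": attempts[-1][0], "count": len(attempts),
                              "users": sorted({u for _, u in attempts})}
                break
    return bursts


def review_rdp_logons(events, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return findings: bursts of failures, and any RDP success from a bursting IP."""
    bursts = failure_bursts(events, threshold, window)
    findings = [{"severity": "medium", "ip": ip,
                 "reason": f"{b['count']} failed RDP logons against {len(b['users'])} "
                           f"usernames starting {b['first']:%Y-%m-%d %H:%M}"}
                for ip, b in bursts.items()]
    for e in events:
        if (e["EventID"] == 4624 and e["LogonType"] in RDP_LOGON_TYPES
                and e["IpAddress"] in bursts
                and _t(e["TimeCreated"]) >= bursts[e["IpAddress"]]["first"]):
            findings.append({"severity": "high", "ip": e["IpAddress"],
                             "reason": f"successful RDP logon as {e['TargetUserName']} "
                                       f"after failure burst"})
    return findings


if __name__ == "__main__":
    for f in review_rdp_logons(SAMPLE_EVENTS):
        print(f"[{f['severity']}] {f['ip']}: {f['reason']}")
```

The slow attempts from 192.0.2.55 are not reported with the ten-minute window; widening the window (or lowering the threshold) catches them, at the cost of more noise from users who mistype a password, which is the usual tuning trade-off. A successful logon from an address that was just failing repeatedly is the finding to act on first.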

September 10, 2019

Alert Number I-091019-PSA

Questions regarding this PSA should be directed to your local FBI Field Office.

Local Field Office Locations: www.fbi.gov/contact-us/field-offices

Business Email Compromise: The $26 Billion Scam

This Public Service Announcement is an update and companion piece to Business Email Compromise PSA I-071218-PSA posted on www.ic3.gov. This PSA includes new Internet Crime Complaint Center complaint information and updated statistics from October 2013 to July 2019.

DEFINITION

Business Email Compromise/Email Account Compromise (BEC/EAC) is a sophisticated scam that targets both businesses and individuals who perform legitimate transfer-of-funds requests.

The scam is frequently carried out when a subject compromises legitimate business or personal email accounts through social engineering or computer intrusion to conduct unauthorized transfers of funds.

The scam is not always associated with a transfer-of-funds request. One variation involves compromising legitimate business email accounts and requesting employees’ Personally Identifiable Information or Wage and Tax Statement (W-2) forms.1

STATISTICAL DATA

The BEC/EAC scam continues to grow and evolve, targeting small, medium, and large business and personal transactions. Between May 2018 and July 2019, there was a 100 percent increase in identified global exposed losses2. The increase is also due in part to greater awareness of the scam, which encourages reporting to the IC3 and international and financial partners. The scam has been reported in all 50 states and 177 countries. Fraudulent transfers have been sent to at least 140 countries.

Based on the financial data, banks located in China and Hong Kong remain the primary destinations of fraudulent funds. However, the Federal Bureau of Investigation has seen an increase of fraudulent transfers sent to the United Kingdom, Mexico, and Turkey. The following BEC/EAC statistics were reported to the IC3 and are derived from multiple sources, including IC3 and international law enforcement complaint data and filings from financial institutions between October 2013 and July 2019:

The following statistics were reported in victim complaints to the IC3 between June 2016 and July 2019:

Domestic and international incidents: 166,349

Domestic and international exposed dollar loss: $26,201,775,589

The following BEC/EAC statistics were reported in victim complaints to the IC3 between October 2013 and July 2019:

Total U.S. victims: 69,384

Total U.S. exposed dollar loss: $10,135,319,091

Total non-U.S. victims: 3,624

Total non-U.S. exposed dollar loss: $1,053,331,166

The following statistics were reported in victim complaints to the IC3 between June 2016 and July 2019:

Total U.S. financial recipients: 32,367

Total U.S. financial recipient exposed dollar loss: $3,543,308,220

Total non-U.S. financial recipients: 14,719

Total non-U.S. financial recipient exposed dollar loss: $4,843,767,489

BEC AND PAYROLL DIVERSION

The IC3 has received an increased number of BEC complaints concerning the diversion of payroll funds. Complaints indicate that a company’s human resources or payroll department receives spoofed emails appearing to be from employees requesting a change to their direct deposit account. This is different from the payroll diversion scheme in which the subject gains access to an employee’s direct deposit account and alters the routing to another account.3

In a typical example, HR or payroll representatives received emails appearing to be from employees requesting to update their direct deposit information for the current pay period. The new direct deposit information provided to HR or payroll representatives generally leads to a pre-paid card account. Some companies reported receiving phishing emails prior to receiving requests for changes to direct deposit accounts. In these cases, multiple employees may receive the same email that contains a spoofed log-in page for an email host. Employees enter their usernames and passwords on the spoofed log-in page, which allows the subject to gather and use employee credentials to access the employees’ personal information. This makes the direct deposit requests appear legitimate.

Payroll diversion schemes that include an intrusion event have been reported to the IC3 for several years. Only recently, however, have these schemes been directly connected to BEC actors through IC3 complaints.

A total of 1,053 complaints reporting this BEC evolution of the payroll diversion scheme were filed with the IC3 between Jan. 1, 2018, and June 30, 2019, with a total reported loss of $8,323,354. The average dollar loss reported in a complaint was $7,904. The dollar loss of direct deposit change requests increased more than 815 percent between Jan. 1, 2018, and June 30, 2019 as there was minimal reporting of this scheme in IC3 complaints prior to January 2018.

SUGGESTIONS FOR PROTECTION

Employees should be educated about and alert to this scheme. Training should include preventative strategies and reactive measures in case they are victimized. Among other steps, employees should be told to:

• Use secondary channels or two-factor authentication to verify requests for changes in account information.
• Ensure the URL in emails is associated with the business it claims to be from.
• Be alert to hyperlinks that may contain misspellings of the actual domain name.
• Refrain from supplying login credentials or PII in response to any emails.
• Monitor their personal financial accounts on a regular basis for irregularities, such as missing deposits.
• Keep all software patched and all systems updated.
• Verify the email address used to send emails, especially when using a mobile or handheld device, by ensuring the sender’s email address matches who the message claims to be from.
• Ensure the settings on employees’ computers are enabled to allow full email extensions to be viewed.
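The payroll diversion scheme described above and the checklist just given both come down to inspecting a message before acting on it: who it is really from, where replies go, where its links actually point, and whether it asks for a banking change. The script below is an added example of those checks, not code from the PSA or the FBI. It assumes the firm’s real domain is example.com; the message it inspects, the lookalike domain examp1e.com, the confusable-character list, and the edit-distance threshold are all constructed for illustration.

```python
"""Inspect an email for BEC / payroll-diversion indicators (added example).

Assumes the organisation's real domain is ORG_DOMAIN. The sample message,
lookalike domains, confusable list and thresholds are constructed.
"""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

ORG_DOMAIN = "example.com"                      # assumption: the firm's real domain
PAYROLL_TERMS = ("direct deposit", "routing number", "account number", "update my bank")
# Assumed substitutions used to build lookalike domains (rn for m, 1 for l, ...)
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]
URL_LIKE = re.compile(r"(?:https?://)?[\w.-]+\.[a-z]{2,}(?:/\S*)?", re.I)


def canonical(domain):
    """Undo common confusable substitutions so examp1e.com compares as example.com."""
    d = domain.lower()
    for bad, good in CONFUSABLES:
        d = d.replace(bad, good)
    return d


def levenshtein(a, b):
    """Edit distance between two strings (classic two-row dynamic programme)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain, target=ORG_DOMAIN, max_distance=2):
    """True when domain is not target but imitates it: confusables, a typo, or the brand embedded."""
    raw, d = domain.lower(), canonical(domain)
    if raw == target:
        return False
    brand = target.split(".")[0]
    return d == target or levenshtein(d, target) <= max_distance or brand in d


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def inspect_message(raw, org_domain=ORG_DOMAIN):
    """Return a list of human-readable indicators found in one RFC 822 message."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()
    if from_domain != org_domain:
        kind = "lookalike" if is_lookalike(from_domain, org_domain) else "external"
        findings.append(f"{kind} sender domain: {addr}" + (f" (display name '{name}')" if name else ""))
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and reply.rpartition("@")[2].lower() != from_domain:
        findings.append(f"Reply-To {reply} differs from From {addr}")
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    if body and body.get_content_type() == "text/html":
        parser = LinkExtractor()
        parser.feed(text)
        for href, label in parser.links:
            host = urlsplit(href).hostname or ""
            if URL_LIKE.fullmatch(label):          # link text that itself looks like a URL
                label_host = urlsplit(label if "://" in label else "http://" + label).hostname or ""
                if label_host != host:
                    findings.append(f"link text shows {label_host} but points to {host}")
                    continue
            if is_lookalike(host, org_domain):
                findings.append(f"link to lookalike domain {host}")
    haystack = (msg.get("Subject", "") + " " + text).lower()
    if any(term in haystack for term in PAYROLL_TERMS):
        findings.append("payroll/banking change request: confirm by phone with the employee before acting")
    return findings


# Constructed sample message (not a real email).
SAMPLE_MESSAGE = """\
From: "Jane Smith" <jane.smith@examp1e.com>
Reply-To: jsmith.payroll@mail-example.net
To: payroll@example.com
Subject: Direct deposit update before Friday
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Hi, I switched banks. Please update my direct deposit using the new details here:
<a href="https://hr.examp1e.com/login">https://hr.example.com/direct-deposit</a></p>
<p>Thanks, Jane</p>
</body></html>
"""

if __name__ == "__main__":
    for line in inspect_message(SAMPLE_MESSAGE):
        print("-", line)
```

The findings are indicators, not verdicts. A lookalike sender, a Reply-To pointing elsewhere, or link text that does not match its target is the cue to stop and confirm the request with the employee over a phone number already on file, which is the secondary channel the first item above calls for; the last line of output says so explicitly so that the person reading it does not act on the email alone.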

If you discover you are the victim of a fraudulent incident, immediately contact your financial institution to request a recall of funds and your employer to report irregularities with payroll deposits.

As soon as possible, file a complaint regardless of the amount with www.ic3.gov or, for BEC/EAC victims, BEC.IC3.gov.

1. Reference PSA I-022118-PSA Increase in W-2 Phishing Campaigns
2. Exposed dollar loss includes actual and attempted loss in United States dollars
3. Reference PSA I-091818-PSA Cybercriminals Utilize Social Engineering