Tag: cyber

CISA AND MS-ISAC RELEASE JOINT RANSOMWARE GUIDE


The Cybersecurity and Infrastructure Security Agency (CISA) and Multi-State Information Sharing and Analysis Center (MS-ISAC) are releasing a joint Ransomware Guide meant to be a one-stop resource for stakeholders on how to be proactive and prevent these attacks from happening and also a detailed approach on how to respond to an attack and best resolve the cyber incident.

CISA and MS-ISAC observed that a vast number of products and resources are available, but very few bring them all together in one place.

This one-stop guide is divided into two parts:

First, the guide focuses on best practices for ransomware prevention, detailing practices that organizations should continuously follow to help manage the risk posed by ransomware and other cyber threats. It is intended to enable forward-leaning actions to successfully thwart and confront malicious cyber activity associated with ransomware. Among the CISA and MS-ISAC preventive services listed are Malicious Domain Blocking and Reporting, regional CISA Cybersecurity Advisors, Phishing Campaign Assessment, and MS-ISAC Security Primers on ransomware variants such as Ryuk.

The second part of this guide, response best practices and services, is divided into three sections: (1) Detection and Analysis, (2) Containment and Eradication, and (3) Recovery and Post-Incident Activity. One of the unique aspects that will significantly help an organization’s leadership as well as IT professionals with response is a comprehensive, step-by-step checklist.

With many technical details on response actions and lists of CISA and MS-ISAC services available to the incident response team, this part of the guide can enable a methodical, measured and properly managed approach.

“It is a CISA priority to help our partners defend against ransomware, advise them on appropriate risk-management actions and provide best practices for a resilient, responsible incident response plan in the event of a cyberattack,” said Bryan Ware, Assistant Director for Cybersecurity, CISA. “The collaborative and consistent engagement with our industry and government partners supports our concerted efforts to offer trusted, proactive and timely resources and services. This guide is based on operational insight from CISA and MS-ISAC and our engagements with varied sector partners.”

Recent events are an important reminder that ransomware can happen at any time to any organization, so we encourage all organizations with sensitive or important data stored on their network to take steps now to protect it, including backing up data, training employees, and patching systems to blunt the potential impact of ransomware.

Malicious actors have adjusted their ransomware tactics over time to include pressuring victims for payment by threatening to release stolen data if they refuse to pay and publicly naming and shaming victims as secondary forms of extortion.

One of the ways this guide can help is with identifying an organization’s critical data. It is hard for an organization to determine after the fact what critical data was impacted by a ransomware incident if it did not understand what critical data it had ahead of time.

And it is hard to revert to backups if an organization does not have backups, or has not properly maintained and tested them.

This joint ransomware guide is written primarily for the IT professional, but every level of an organization can benefit from reviewing it. CISA and MS-ISAC are proud to provide this guide to help organizations plan for a ransomware incident and understand the risk management, analytical, and response services available to them.

Blogs to Follow:

Justice.gov (September 2020)  CISA AND MS-ISAC RELEASE JOINT RANSOMWARE GUIDE

Technology Proliferation, Influence Ops May Be as Disruptive as COVID-19


The COVID-19 pandemic has been globally disruptive in nearly every facet of life. But other things may prove as disruptive in the future, said leaders of the military intelligence community.

One advancement that may possibly be as disruptive as COVID-19 is the revolution in information technology that’s available to everybody — not just the U.S. and its allies, Navy Vice Adm. Robert Sharp, director of the National Geospatial-Intelligence Agency, said during an online forum today with the Armed Forces Communications and Electronics Association and the Intelligence and National Security Alliance.

“It’s this revolution in remotely-sensed and geo-located data, which is available to everyone,” he said. “It’s available to us, but it’s also available to our competitors. [Also] the revolution in smart machines and artificial intelligence — once again, [it’s a] great opportunity for us, but it’s not only our opportunity. That’s the competition space.”

Another area of concern is something Sharp called “GEOINT assurance.” With the growth of open-source geospatial intelligence coming from multiple sources, it becomes less certain that the information can be trusted, he said.

“How do you have confidence in the ones and zeros that you’re using for making decisions based off of,” he asked.

Army Gen. Paul Nakasone, director of the National Security Agency and commander of U.S. Cyber Command, cited influence operations as the next possible great disruptor. Influence operations, he said, have a very low barrier to entry, enabling just about anybody to engage in them.

“We’ve seen it now in our democratic processes,” Nakasone said. “I think we’re going to see it in our diplomatic processes, we’re going to see it in warfare, and we’re going to see it in sowing civil distrust in different countries.”

Influence operations, he said, are all enabled by the proliferation of inexpensive technology that allows anybody with an agenda to get online.

“The great technology that’s enabling so much of what we’re doing is also that dual-edged sword that malicious cyber actors and others are being able to use to create doubt, or to be able to question authority, or to be able to … to spread messages that are far from true,” he said. “I think influence operations, just in general, will be for us one of the things that we’ll be dealing with not just every two or four years, but this is the competitive space that we’re going to be in as intelligence agencies and as our nation.”

Blogs to Follow:

Defense.gov (September 2020)  Technology Proliferation, Influence Ops May Be as Disruptive as COVID-19

Global Disruption of Three Terror Finance Cyber-Enabled Campaigns


Largest Ever Seizure of Terrorist Organizations’ Cryptocurrency Accounts

The Justice Department on Thursday announced the dismantling of three terrorist financing cyber-enabled campaigns, involving the al-Qassam Brigades, Hamas’s military wing, al-Qaeda, and Islamic State of Iraq and the Levant (ISIS).

This coordinated operation is detailed in three forfeiture complaints and a criminal complaint unsealed today in the District of Columbia.  These actions represent the government’s largest-ever seizure of cryptocurrency in the terrorism context.

These three terror finance campaigns all relied on sophisticated cyber-tools, including the solicitation of cryptocurrency donations from around the world.  The action demonstrates how different terrorist groups have similarly adapted their terror finance activities to the cyber age. 

Each group used cryptocurrency and social media to garner attention and raise funds for their terror campaigns.  Pursuant to judicially-authorized warrants, U.S. authorities seized millions of dollars, over 300 cryptocurrency accounts, four websites, and four Facebook pages all related to the criminal enterprise.

Funds successfully forfeited with a connection to a state sponsor of terrorism may in whole or in part be directed to the United States Victims of State Sponsored Terrorism Fund (http://www.usvsst.com/) after the conclusion of the case.

“It should not surprise anyone that our enemies use modern technology, social media platforms and cryptocurrency to facilitate their evil and violent agendas,” said Attorney General William P. Barr.   “The Department of Justice will employ all available resources to protect the lives and safety of the American public from terrorist groups.  We will prosecute their money laundering, terrorist financing and violent illegal activities wherever we find them.  And, as announced today, we will seize the funds and the instrumentalities that provide a lifeline for their operations whenever possible.  I want to thank the investigators from the Internal Revenue Service, Department of Homeland Security, Federal Bureau of Investigation, and the prosecutors from the D.C. United States Attorney’s Office and National Security Division for their hard and innovative work in attacking the networks that allow these terrorists to recruit for and fund their dangerous actions.”

“Terrorist networks have adapted to technology, conducting complex financial transactions in the digital world, including through cryptocurrencies. IRS-CI special agents in the DC cybercrimes unit work diligently to unravel these financial networks,” said Secretary of the Treasury Steven T. Mnuchin.  “Today’s actions demonstrate our ongoing commitment to holding malign actors accountable for their crimes.” 

“The Department of Homeland Security was born after the September 11, 2001 terrorist attacks and, nearly 20 years later, we remain steadfast in executing our critical mission to safeguard the American people, our homeland, and our values,” said Acting Secretary of Homeland Security Chad F. Wolf.  “Today’s announcement detailing these enforcement actions targeting foreign terrorist organizations is yet another example of the Department’s commitment to our mission. After launching investigations that identified suspected online payments being funneled to and in support of terrorist networks, Homeland Security Investigations skillfully leveraged their cyber, financial, and trade investigative expertise to disrupt and dismantle cyber-criminal networks that sought to fund acts of terrorism against the United States and our allies.  Together with our federal law enforcement partners, the Department will utilize every resource available to ensure that our Homeland is and remains secure.”    

“These important cases reflect the resolve of the D.C. United States Attorney’s Office to target and dismantle these sophisticated cyber-terrorism and money laundering actors across the globe,” stated Acting United States Attorney Michael R. Sherwin.  “While these individuals believe they operate anonymously in the digital space, we have the skill and resolve to find, fix and prosecute these actors under the full extent of the law.” 

“IRS-CI’s ability to trace funds used by terrorist groups to their source and dismantle these radical groups’ communication and financial networks directly prevents them from wreaking havoc throughout the world,” said Don Fort, Chief, IRS Criminal Investigation.  “Today the world is a safer place.”

“As the primary law enforcement agency charged with defeating terrorism, the FBI will continue to combat illicit terrorist financing regardless of platform or method employed by our adversaries,” said FBI Director Christopher Wray. “As demonstrated by this recent operation, the FBI remains committed to cutting off the financial lifeblood of these organizations that seek to harm Americans at home and abroad.”

“Homeland Security Investigations continues to demonstrate their investigative expertise with these enforcement actions,” said ICE Deputy Director and Senior Official Performing the Duties of the Director Matthew T. Albence.  “Together with law enforcement partners, HSI has utilized their unique authorities to bring to justice those cyber-criminal networks who would do us harm.”

Al-Qassam Brigades Campaign

The first action involves the al-Qassam Brigades and its online cryptocurrency fundraising efforts.  In the beginning of 2019, the al-Qassam Brigades posted a call on its social media page for bitcoin donations to fund its campaign of terror.  The al-Qassam Brigades then moved this request to its official websites, alqassam.net, alqassam.ps, and qassam.ps.

The al-Qassam Brigades boasted that bitcoin donations were untraceable and would be used for violent causes.  Their websites offered video instruction on how to anonymously make donations, in part by using unique bitcoin addresses generated for each individual donor.

However, such donations were not anonymous.  Working together, IRS, HSI, and FBI agents tracked and seized all 150 cryptocurrency accounts that laundered funds to and from the al-Qassam Brigades’ accounts.  Simultaneously, law enforcement executed criminal search warrants relating to United States-based subjects who donated to the terrorist campaign. 

With judicial authorization, law enforcement seized the infrastructure of the al-Qassam Brigades websites and subsequently covertly operated alqassam.net.  During that covert operation, the website received funds from persons seeking to provide material support to the terrorist organization; however, they instead donated the funds to bitcoin wallets controlled by the United States.

The United States Attorney’s Office for the District of Columbia also unsealed criminal charges against two Turkish individuals, Mehmet Akti and Hüsamettin Karataş, who acted as related money launderers while operating an unlicensed money transmitting business.

Al-Qaeda Campaign

The second cyber-enabled terror finance campaign involves a scheme by al-Qaeda and affiliated terrorist groups, largely based out of Syria.  As the forfeiture complaint details, these terrorist organizations operated a bitcoin money laundering network using Telegram channels and other social media platforms to solicit cryptocurrency donations to further their terrorist goals.  In some instances, they purported to act as charities when, in fact, they were openly and explicitly soliciting funds for violent terrorist attacks.  For example, one post from a charity sought donations to equip terrorists in Syria with weapons.

Undercover HSI agents communicated with the administrator of Reminder for Syria, a related charity that was seeking to finance terrorism via bitcoin donations.  The administrator stated that he hoped for the destruction of the United States, discussed the price for funding surface-to-air missiles, and warned about possible criminal consequences from carrying out a jihad in the United States.

Posts from another Syrian charity similarly explicitly referenced weapons and extremist activities.

Al-Qaeda and the affiliated terrorist groups together created these posts and used complicated obfuscation techniques, uncovered by law enforcement, to layer their transactions so as to conceal their actions.  Today’s complaint seeks forfeiture of the 155 virtual currency assets tied to this terrorist campaign.

ISIS Campaign

The final complaint combines the Department’s initiatives of combatting COVID-19 related fraud with combatting terrorism financing.  The complaint highlights a scheme by Murat Cakar, an ISIS facilitator who is responsible for managing select ISIS hacking operations, to sell fake personal protective equipment via FaceMaskCenter.com.

The website claimed to sell FDA approved N95 respirator masks, when in fact the items were not FDA approved.  Site administrators claimed to have near unlimited supplies of the masks, in spite of such items being officially-designated as scarce.  The site administrators offered to sell these items to customers across the globe, including a customer in the United States who sought to purchase N95 masks and other protective equipment for hospitals, nursing homes, and fire departments.

The unsealed forfeiture complaint seized Cakar’s website as well as four related Facebook pages used to facilitate the scheme.  With this third action, the United States has averted the further victimization of those seeking COVID-19 protective gear, and disrupted the continued funding of ISIS.

The claims made in these three complaints are only allegations and do not constitute a determination of liability.  The burden to prove forfeitability in a civil forfeiture proceeding is upon the government.  Further, charges contained in the criminal complaint are merely allegations, and the defendants are presumed innocent unless and until proven guilty beyond a reasonable doubt in a court of law.

IRS-CI Cyber Crimes Unit (Washington, D.C.), HSI’s Philadelphia Office, and FBI’s Washington D.C., New York, and Los Angeles field offices are investigating the case. Assistant U.S. Attorneys Jessi Camille Brooks and Zia M. Faruqui, and National Security Division Trial Attorneys Danielle Rosborough and Alexandra Hughes are litigating the case, with assistance from Paralegal Specialists Brian Rickers and Bria Cunningham, and Legal Assistant Jessica McCormick.  Additional assistance has been provided by Chainalysis and Excygent.

Blogs to Follow:

Justice.gov (August 2020) Global Disruption of Three Terror Finance Cyber-Enabled Campaigns

Nigerian National Brought to U.S. to Face Charges of Conspiring to Launder Hundreds of Millions of Dollars from Cybercrime Schemes


A Dubai resident who flaunted his extravagant lifestyle on social media has arrived in the United States to face criminal charges alleging he conspired to launder hundreds of millions of dollars from business email compromise (BEC) frauds and other scams, including schemes targeting a U.S. law firm, a foreign bank and an English Premier League soccer club.

Ramon Olorunwa Abbas, 37, a.k.a. “Ray Hushpuppi” and “Hush,” a Nigerian national, arrived in Chicago Thursday evening after being expelled from the United Arab Emirates (UAE). Abbas made his initial U.S. court appearance this morning in Chicago, and he is expected to be transferred to Los Angeles in the coming weeks.

Abbas was arrested last month by UAE law enforcement officials. FBI special agents earlier this week obtained custody of Abbas and brought him to the United States to face a charge of conspiring to engage in money laundering that is alleged in a criminal complaint filed on June 25 by federal prosecutors in Los Angeles.

According to an affidavit filed with the complaint, Abbas maintains social media accounts that frequently showed him in designer clothes, wearing expensive watches, and posing in or with luxury cars and charter jets. “The FBI’s investigation has revealed that Abbas finances this opulent lifestyle through crime, and that he is one of the leaders of a transnational network that facilitates computer intrusions, fraudulent schemes (including BEC schemes), and money laundering, targeting victims around the world in schemes designed to steal hundreds of millions of dollars,” according to the affidavit.

The affidavit describes BEC schemes as often involving a computer hacker gaining unauthorized access to a business’ email account, blocking or redirecting communications to and/or from that email account, and then using the compromised email account or a separate fraudulent email account to communicate with personnel from a victim company and to attempt to trick them into making an unauthorized wire transfer.

“BEC schemes are one of the most difficult cybercrimes we encounter as they typically involve a coordinated group of con artists scattered around the world who have experience with computer hacking and exploiting the international financial system,” said United States Attorney Nick Hanna. “This case targets a key player in a large, transnational conspiracy who was living an opulent lifestyle in another country while allegedly providing safe havens for stolen money around the world. As this case demonstrates, my office will continue to hold such criminals accountable, no matter where they live.”

“In 2019 alone, the FBI recorded $1.7 billion in losses by companies and individuals victimized through business email compromise scams, the type of scheme Mr. Abbas is charged with conducting from abroad,” said Paul Delacourt, the Assistant Director in Charge of the FBI’s Los Angeles Field Office. “While this arrest has effectively taken a major alleged BEC player offline, BEC scams represent the most financially costly type of scheme reported to the FBI. I urge anyone who transfers funds personally or on behalf of a company to educate themselves about BEC so they can identify this insidious scheme before losing sizable amounts of money.”

“This was a challenging case, one that spanned international boundaries, traditional financial systems and the digital sphere,” said Jesse Baker, Special Agent in Charge of the United States Secret Service, Los Angeles Field Office. “Technology has essentially erased geographic boundaries, leaving transnational criminal syndicates to believe that they are beyond the reach of law enforcement. The success in this case was the direct result of our trusted partnerships between the Department of Justice and our federal law enforcement colleagues. These partnerships helped dismantle a sophisticated organized crime group who preyed upon unsuspecting businesses. It is thanks to these partnerships that the American people can feel a bit more secure today.”

The affidavit alleges that Abbas and others committed a BEC scheme that defrauded a client of a New York-based law firm out of approximately $922,857 in October 2019. Abbas and co-conspirators allegedly tricked one of the law firm’s paralegals into wiring money intended for the client’s real estate refinancing to a bank account that was controlled by Abbas and the co-conspirators.

The affidavit also alleges that Abbas conspired to launder funds stolen in a $14.7 million cyber-heist from a foreign financial institution in February 2019, in which the stolen money was sent to bank accounts around the world. Abbas allegedly provided a co-conspirator with two bank accounts in Europe that Abbas anticipated each would receive €5 million (about $5.6 million) of the fraudulently obtained funds.

Abbas and others further conspired to launder hundreds of millions of dollars from other fraudulent schemes and computer intrusions, including one scheme to steal £100 million (approximately $124 million) from an English Premier League soccer club, the complaint alleges.

A criminal complaint contains allegations that a defendant has committed a crime. Every defendant is presumed innocent until and unless proven guilty beyond a reasonable doubt.

If convicted of conspiracy to engage in money laundering, Abbas would face a statutory maximum sentence of 20 years in federal prison.

The FBI led the investigation of Abbas, and the United States Secret Service was also involved and provided substantial assistance. The FBI further thanks the government of the United Arab Emirates and the Dubai Police Department for their substantial assistance.

This case is being prosecuted by Assistant United States Attorneys Anil J. Antony and Joseph B. Woodring of the Cyber and Intellectual Property Crimes Section.  The Criminal Division’s Office of International Affairs provided substantial assistance in this matter.

Blogs to Follow:

Justice.gov (July 2020) Nigerian National Brought to U.S. to Face Charges of Conspiring to Launder Hundreds of Millions of Dollars from Cybercrime Schemes

Increased Use of Mobile Banking Apps Could Lead to Exploitation


As the public increases its use of mobile banking apps, partially due to increased time at home, the FBI anticipates cyber actors will exploit these platforms.

Americans are increasingly using their mobile devices to conduct banking activities such as cashing checks and transferring funds. US financial technology providers estimate more than 75 percent of Americans used mobile banking in some form in 2019.

Studies of US financial data indicate a 50 percent surge in mobile banking since the beginning of 2020.

Additionally, studies indicate 36 percent of Americans plan to use mobile tools to conduct banking activities, and 20 percent plan to visit branch locations less often.

With city, state, and local governments urging or mandating social distancing, Americans have become more willing to use mobile banking as an alternative to physically visiting branch locations.

The FBI expects cyber actors to attempt to exploit new mobile banking customers using a variety of techniques, including app-based banking trojans and fake banking apps.

App-Based Banking Trojans

The FBI advises the public to be cautious when downloading apps on smartphones and tablets, as some could be concealing malicious intent. Cyber actors target banking information using banking trojans, which are malicious programs that disguise themselves as other apps, such as games or tools. When the user launches a legitimate banking app, it triggers the previously downloaded trojan that has been lying dormant on their device. The trojan creates a false version of the bank’s login page and overlays it on top of the legitimate app. Once the user enters their credentials into the false login page, the trojan passes the user to the real banking app login page so they do not realize they have been compromised.

Fake Banking Apps

Actors also create fraudulent apps designed to impersonate the real apps of major financial institutions, with the intent of tricking users into entering their login credentials. These apps provide an error message after the attempted login and will use smartphone permission requests to obtain and bypass security codes texted to users. US security research organizations report that in 2018, nearly 65,000 fake apps were detected on major app stores, making this one of the fastest growing sectors of smartphone-based fraud.

TIPS TO PROTECT YOU AND YOUR ORGANIZATION

Obtain Apps from Trusted Sources

Private sector companies manage app stores for smartphones and actively vet these apps for malicious content. Additionally, most major US banks will provide a link to their mobile app on their website. The FBI recommends only obtaining smartphone apps from trusted sources like official app stores or directly from bank websites.

Use Two-Factor Authentication

Since 2016, surveys of application and website users have found that a majority of users do not enable two-factor authentication when prompted. These users cite inconvenience as the major reason for avoiding the technology. Cybersecurity experts have stressed that two-factor authentication is a highly effective tool to secure accounts against compromise, and enabling any form of two-factor authentication will be to the user’s advantage.

Do:

  • Enable two-factor or multi-factor authentication on devices and accounts to protect them from malicious compromise.
  • Use strong two-factor authentication if possible via biometrics, hardware tokens, or authentication apps.
  • Use multiple types of authentication for accounts if possible. Layering different authentication standards is a stronger security option.
  • Monitor where your Personal Identifiable Information (PII) is stored and only share the most necessary information with financial institutions.

Don’t:

  • Click links in e-mails or text messages; ensure these messages come from the financial institution by double-checking e-mail details. Many criminals use legitimate-looking messages to trick users into giving up login details.
  • Give two-factor passcodes to anyone over the phone or via text. Financial institutions will not ask you for these codes over the phone.

Use Strong Passwords and Good Password Security

Cyber actors regularly exploit users who reuse passwords or use common or insecure passwords. The FBI recommends creating strong, unique passwords to mitigate these attacks. The National Institute of Standards and Technology’s most recent guidance encourages users to make passwords or passphrases that are 15 characters or longer.

Do:

  • Use passwords that contain upper case letters, lower case letters, and symbols.
  • Use a minimum of eight characters per password.
  • Create unique passwords for banking apps.
  • Use a password manager or password management service.

Don’t:

  • Use common passwords or phrases, such as “Password1!” or “123456.”
  • Reuse the same passwords for multiple accounts.
  • Store passwords in written form or in an insecure phone app like a notepad.
  • Give your password to anyone. Financial institutions will not ask you for this information over the phone or text message.

If a Banking App Appears Suspicious, Call the Bank

If you encounter an app that appears suspicious, exercise caution and contact that financial institution. Major financial institutions may ask for a banking PIN number, but will never ask for your username and password over the phone. Check your bank’s policies regarding online and app account security. If the phone call seems suspicious, hang up and call the bank back at the customer service number posted on their website.

FBI.gov (June 2020) INCREASED USE OF MOBILE BANKING APPS COULD LEAD TO EXPLOITATION