There have been numerous examples of how hackers can get hold of sensitive and deeply personal information and use it against individuals to embarrass and extort them into sending money or compromising pictures to the hackers to prevent the information from being posted on the web.

These examples include cyberbullying, online love scams, blackmail through the compromise of sexually explicit content or photographs, or pretending to be someone the user trusts. Once the attackers have this sensitive personal content, knowing that people don’t want their family or friends to find out about it, they hit the user with a ransom demand. This has been going on for a very long time.

Hackers continue to find new ways to use old scams that have worked before. A recently reported example of hackers using sensitive data against victims is the Maze group, which hit two plastic surgery groups with ransomware, one in Seattle and the other in Nashville. Maze threatened to publish before-and-after pictures of patients who had undergone plastic surgery if the plastic surgery groups didn’t pay the ransom.

Apparently neither plastic surgery group paid the ransom, and Maze has now posted the data, including the before-and-after pictures of patients, which researchers say are identifiable.

Hackers will continue to find ways to embarrass or trick users into paying a ransom. They will victimize both individuals and companies that may have information or pictures that could be embarrassing or are deeply personal, in order to coerce a payment so the information is not disseminated.

Think about what you are doing online with your own personal information or pictures, and consider how you would feel if the information or photos on your phone or in your personal email were widely disseminated online. Then consider changing your behavior or deleting the material that you would be concerned about if it got into the hands of others.

The hackers behind the Sodinokibi/REvil ransomware have reportedly switched their demands for payment from Bitcoin or Ethereum to Monero cryptocurrency to try to prevent law enforcement from tracking payments.

The hackers reportedly advertised the switch in a posting to an online hacker and malware forum, and admitted that the switch from Bitcoin to Monero is meant to make it harder for law enforcement to track them. The hackers stated, “We inform you that after a while the BTC will be removed as a payment method. Victims need to begin to understand the new cryptocurrency, as well as other interested parties who work with us.”

The hackers have also reportedly announced on their Sodinokibi Tor payment site that they have moved away from Bitcoin to Monero, and that a victim who still wants to pay in Bitcoin faces a 10% increase in the ransom.

Sodinokibi hackers have followed in the footsteps of the Maze ransomware operators and are reportedly publishing stolen data from victimized companies if the ransom is not paid. Last month, the Sodinokibi hackers published over 12 GB of data from a company that did not pay the ransom, allowing other criminals to use the data and sell it on hacker forums.

There’s nothing worse than paying criminals. And paying a ransom for data is just that—paying criminals for a criminal act. All you get out of the payment is access to your data. It doesn’t fix the vulnerability or the root problem. Let the record reflect that the FBI does not recommend paying ransoms to cyber criminals.

It is being reported that companies are paying ransoms at a faster rate than ever before. Part of the reason for the payments is a response to the experiences of others, including the City of Baltimore, which expended far more resources in recovering from its ransomware attack than the amount requested by the criminals. However, if you look at what the City of Baltimore bought in response to the ransomware attack—although it cost more than the ransom requested—it was an investment in its future security, because the city upgraded its systems and equipment to protect against future cyber-attacks. The investment was for the future—not a payment to line the criminals’ pockets and leave the system in a state of vulnerability for another attack. When determining whether to pay a ransom, companies may wish to consider whether it is an extortion payment that only buys back access to their own data and doesn’t fix the vulnerability, or an investment in appropriate equipment and protection for the future.

It used to be that companies would consider paying a ransom if they did not have appropriate data back-up systems to migrate to following a ransomware attack. Everyone now knows that the response to a ransomware incident is to have a robust and tested back-up system so you can shut off the infected system and get the company back up and running on the back-up if it was not also infected. Companies that did not have a back-up system had to consider whether or not to pay the ransom. Recently, companies with a back-up system have told attackers to go pound sand, migrated to the back-up system, and killed the old system.

Unfortunately, as companies implement more robust incident response plans, and are able to recover from ransomware attacks without paying ransom, cyber criminals are getting more sophisticated and figuring out how to stay ahead of that “go pound sand” response from victims. Recently, it has been reported that the cyber-criminal group MAZE is infecting businesses with ransomware and exfiltrating company data. Even if a company has sufficient back-ups, and may not need to pay for the decryption key, MAZE has exfiltrated sensitive company data and personal information, and requires payment of a ransom for certification of destruction of the company data. If the company doesn’t pay the ransom amount to be assured of that destruction, the attacker leaks the company data onto the web. MAZE actually hosts a website that lists all of its victims to try to shame them into paying the ransom. If the company pays the ransom, supposedly MAZE will abide by its word and not leak the data.

The consideration of whether or not to pay a ransom is very complicated and each scenario, risk analysis and business decision is different. The operative word is complicated. It is wise for companies to consider the risk of a ransomware attack like those MAZE employs and how it would respond if it were to become a victim of that type of ransomware attack. It is also wise for companies to determine whether they have insurance coverage for a ransom payment.

Some companies consider setting up a bitcoin wallet in the event they decide to pay a ransom following an attack. Paying a ransom to criminals has serious legal implications, which companies should explore carefully with their legal counsel. It is important to know what laws apply and to consider compliance with those laws before jumping into setting up accounts, negotiating directly with the criminals or paying a ransom. Remember that MAZE and other hacking groups are criminals and dealing with them directly is not just a business transaction.

Holiday shopping is in full gear and everything seems to be an Internet of Things (IoT) device. It continues to amaze me how folks will buy IoT gadgets and plop them in their homes and have no idea that they include a speaker or camera, recording every move and word, or that they pose a security risk to the family. 

And don’t just take my word for it. Two warnings were issued this week that you should pay attention to—one from the Federal Bureau of Investigation (FBI) and one from the Federal Trade Commission (FTC)—both agencies that seek to protect consumers.

The FBI issued a warning on “drive-by hacking” of IoT devices, stating that “hackers can use those innocent devices to do a virtual drive-by of your digital life.” This happens when consumers don’t secure the devices when they set them up in their homes. According to the FBI, “Unsecured devices can allow hackers a path into your router, giving the bad guy access to everything else on your home network that you thought was secure. Are private pictures and passwords safely stored on your computer? Don’t be so sure.”

According to the FBI, when people set up IoT devices in their home or download the app from the manufacturer to set up the device, they click through all the set-up screens, giving the app permissions, but then fail to secure the device. In the excitement of getting the new gadget up and running, security is forgotten, and data are being sent and received through the device without protecting the data. Hackers know how excited we are with new toys, and take advantage of the excitement by hacking into our lives. Security experts are urging individuals to:

  • Change default passwords on all new devices.
  • Check permissions granted with the mobile apps of these devices to see if they are operating in the background, and limit access to location or other unnecessary access.
  • Apply auto-updates when you can so they use the latest firmware.
  • Keep a list of devices connected to your Wi-Fi and disconnect devices you don’t use or don’t need.
  • Separate IoT devices on your home network—according to the FBI—“your fridge and your laptop should not be on the same network—keep private, sensitive data on a separate system from your other IoT devices.”
  • Review and follow the Department of Homeland Security’s “Securing the Internet of Things” advisory notice.
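As an added example tied to the list above (it is not code from the FBI advisory or the original post), a small Python audit that keeps the “list of devices connected to your Wi-Fi” honest: it parses a router’s connected-device export, flags devices that are not on a household allowlist, flags known devices idle for more than a week as candidates to disconnect, and notes when IoT and personal devices share a subnet. The export layout, MAC addresses and timestamps are all constructed assumptions; adapt the parser to whatever your router actually produces.

```python
# Home Wi-Fi device inventory check: an added example, not code from the FBI
# advisory or the original post. The router export format is an assumption
# (constructed): one device per line, "<last-seen epoch> <MAC> <IP> <hostname>".
from dataclasses import dataclass
# Constructed allowlist you maintain by hand: MAC -> (label, is_iot_device).
KNOWN_DEVICES = {
    "aa:bb:cc:00:00:01": ("family-laptop", False),
    "aa:bb:cc:00:00:02": ("living-room-camera", True),
    "aa:bb:cc:00:00:03": ("smart-plug-garage", True),
}
NOW = 1_700_000_000   # fixed "current time" so the result is reproducible
IDLE_DAYS = 7         # known device not seen for this long is a candidate to disconnect

# Constructed router export (assumed layout described above).
SAMPLE_EXPORT = """\
1699999000 aa:bb:cc:00:00:01 192.168.1.10 family-laptop
1699995000 AA:BB:CC:00:00:02 192.168.1.20 cam-01
1699100000 aa:bb:cc:00:00:03 192.168.1.21 *
1699998000 dd:ee:ff:00:00:09 192.168.1.30 android-7f3a
"""

@dataclass
class Device:
    last_seen: int
    mac: str
    ip: str
    hostname: str

def parse_export(text):
    """Parse the export, normalising MACs to lower case and skipping malformed lines."""
    devices = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 4 and parts[0].isdigit():
            devices.append(Device(int(parts[0]), parts[1].lower(), parts[2], parts[3]))
    return devices

def audit(devices, known=KNOWN_DEVICES, now=NOW):
    """Report unknown devices, idle known devices, and /24s shared by IoT and personal devices."""
    unknown, idle, subnets = [], [], {True: set(), False: set()}
    for d in devices:
        if d.mac not in known:
            unknown.append((d.mac, d.ip, d.hostname))
        else:
            label, is_iot = known[d.mac]
            if now - d.last_seen > IDLE_DAYS * 86400:
                idle.append(label)
            subnets[is_iot].add(d.ip.rsplit(".", 1)[0])   # /24 prefix, e.g. "192.168.1"
    return {"unknown": unknown, "idle": idle,
            "shared_subnets": sorted(subnets[True] & subnets[False])}
```

Run `audit(parse_export(SAMPLE_EXPORT))` to see the unknown Android device, the idle smart plug, and the shared 192.168.1 subnet reported together.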

The FTC also issued a consumer alert this week, “What to ask before buying internet-connected toys,” urging consumers to understand a smart toy’s features before purchasing it. The alert’s questions include:

  • Does the toy come with a camera or microphone? What will it be recording, and will you know when the camera or microphone is on?
  • Does the toy let your child send emails or connect to social media accounts?
  • Can parents control the toy and be involved in its setup and management?
  • What controls and options does it have? What are the default settings?

When evaluating a new IoT toy, determine what information about your child the toy collects while your child is playing with it. Where are voice recordings and photographs stored and transmitted, and who has access to the recordings and photographs? Is there a way to access and delete that information?

Parents may wish to consider these questions when evaluating a new toy for children, and whether the coolest new toy is worth the transmission of a child’s biometric information to unknown individuals without the parents’ or the child’s consent. Consider whether your child will be thankful for that toy, and the disclosure of his or her information, including biometric information, when the child reaches the age that he or she can consent for himself or herself. Sometimes the coolest gift isn’t the safest gift.

It is a myth that employees hate training and education. I have seen it with my own eyes. It is very exciting to watch an audience visibly cover their mouths when real life stories are told about cyber-attacks and phishing incidents caused by employees’ conduct because they are working too fast, not paying attention to detail, and just plain don’t know much about the risks of technology.

I am constantly amazed at the number of people of all ages who have no idea about the risks posed by the use of technology, and how they can put themselves and their companies at risk with one click.

Arming employees with tools to protect your digital perimeter gives them a sense of purpose and pride. In my experience, employees do not want to be the one who clicks on the link that introduces malware or ransomware into the company system. I have never seen a victim who has let an infiltrator into the system feel anything except horror. Employees in general really do want to do a good job for their company and do not want to harm it.

That’s why employee training and education in data privacy and security continues to be so important as a mitigating factor to the risk of cyber intrusions. According to a survey of cybersecurity professionals in financial firms, in their opinion, employee education and training on data privacy and security is the best defense against cyber-attacks—over network security breach prevention, or securing the cloud. This is because “[P]rotective measures on a firm’s computer system can still fail if a worker clicks on a link or downloads an email attachment carrying malicious code.” So true.

Employees don’t understand the risks until you show them and tell them real stories that they can relate to, learn from and not replicate. Face-to-face training works wonders for increasing the culture around data privacy and security and empowers employees to assist companies in promoting practices to protect data. Try it—you will be surprised at how engaged your employees can be when they are part of fixing the problem.

One of my favorite lines when I conduct employee education about data privacy and cybersecurity is “Keep Your Day Job.” The context of the comment is when I tell audiences about the dumb moves of employees who think they can steal their company’s data and use it, sell it or do nefarious things with it without getting caught.

Why do employees continue to think that their employers don’t monitor their email usage? It is a basic premise that your company will monitor your email traffic when you are terminated or resign. So when I say “Keep Your Day Job” I mean, “Don’t send company data to your private email account or disclose it or steal it or sell it.”

It continues to amaze me how often this happens. And it puts both the company and the employee in a precarious position.

Take the former litigation associate of a major law firm who was arrested late last week on an extortion charge. Although the associate was smart enough to go to law school, he wasn’t very smart in his scheme.

This associate threatened the law firm that he would release confidential and sensitive data that he stole from his superior’s email account unless the firm paid him $210,000 and gave him a piece of art.

What? Really? How did he not think he would get caught?

The tip for this week: Keep Your Day Job. Don’t steal or disclose your company’s data. Don’t sell it or extort your company. Chances are you will get caught and no longer have a job or be employable.

So I have been in the data privacy and security world for the past 16 years, and I am still amazed at how savvy hacksters are, and how vulnerable we are to their antics. And…how much havoc they can wreak personally and to our employers.

This week’s privacy tip is about phishing. No, not fishing (I am an avid bass fisherman), and no, not the band Phish, which has quite a following. Why are we talking about phishing? Because phishing has become a huge issue for individuals and companies and is predicted to get worse.

In the past, we used to get emails telling us “You have won the Nigerian lottery!” and, in order to win, we needed to click on a link. It wasn’t very effective, because the email was full of misspellings and terrible grammar. Really, anyone could figure out it was a hoax and we all immediately deleted it.

Not so true anymore. Last week, I received an email from “my IT department” indicating that they needed to update my security, and to send my password so they could implement the security patch. I didn’t recognize the name of the individual and took a casual glance at the URL, and it was clearly not my “IT department.” I sent it to my “IT department” and confirmed it was a phishing attack. Luckily, I knew enough not to click on it and to send it straight to my internal experts.

Just yesterday, I received a text from the “Apple help desk” indicating that I needed an update and to click on a link to get the update. Well, of course, I knew it wasn’t legit, so I immediately deleted it.

Unfortunately, many individuals and employees don’t realize the havoc clicking on these links can wreak on their personal devices and their employers’ systems. Phishing attacks are now sophisticated and frequent. Be vigilant in analyzing any email or text you get that tries to get your user name or password. Don’t give your password to anyone. Your “IT department” isn’t going to ask for such information in order to provide you with security updates. Neither is Apple.

Many companies are sending out internal phishing expeditions to catch their employees (pun intended). Don’t get hooked and reeled in. You will be an unwanted catch.

Enough of the puns. Seriously, stay alert. When in doubt, enlist your IT professionals to confirm that an email or text is legitimate or not. No question is a bad one, and they will be so happy when you check before you click. It is way better to be safe than sorry.