Tag: Cybersecurity

Don’t pay that Ransom yet. Call OFAC first.

Who is OFAC? What is the deal here? You will learn all of that in a minute. But first, let us focus on this word Ransom, what is it?

Paying a ransom is not something new. It has been used in the early 1800s to pay for release of a prisoner. In today’s day and age, this word is very widely used in the Cybersecurity space with billions of dollars in Bitcoin being paid as a ransom for release of information that was encrypted or stolen by the bad actors (the bad guys/gals) every year.

While it is very natural for an organization or individual to make payments in the hopes of getting their sensitive data back, often times promises are not kept and there are other issues such as repeat of the same attack.

Here are few examples of ransoms that was paid 2019 to the bad guys where the organization paying the ransom was able to get its data back.


  • Park DuValle Community Health Center, Kentucky, USA
    Amount paid: $70,000
  • La Porte County, Indiana, USA
    Amount paid: $130,000
  • Jackson County, Georgia, USA
    Amount paid: $400,000
  • Lake City, Florida, USA
    Amount paid: $500,000

    There are many more…

Most of these organizations used Cyber Insurance and were able to use some part of its payout as payment to the cyber criminal. Also, most of these organizations contacted FBI or other US Agencies and worked directly or indirectly to negotiate and process the payments.

The big question to be answered comes when you are at the crossroads of whether to pay the ransom or simply accept that the data is lost and then plan to spend millions of dollars in recovering from such an incident. While the answer to this question is not straight forward like any other decision in the Cybersecurity space. It is often answered in a haste or without considering all risks. Take the example of City of Atlanta,

The City of Atlanta spent more than $2.6 million on emergency efforts to respond to a ransomware attack that destabilized municipal operations last month. Attackers, who infected the city’s systems with the pernicious SamSam malware, asked for a ransom of roughly $50,000 worth of bitcoin.

Newman, L. (2018, April 24). Atlanta Spent $2.6M to Recover From a $52,000 Ransomware Scare. Retrieved October 03, 2020, from https://www.wired.com/story/atlanta-spent-26m-recover-from-ransomware-scare/

Then there are other considerations such as organization’s reputation, continuing business operations and putting proper counter measures in place to prevent this from happening in the future. There is however one more thing that you have to consider in the form of this simple question.

Are you violating any rules and regulations of the U.S Department of Treasury’s by making a payment to the bad guys?

The U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) recently put out an advisory – Ransomware Advisory (Link) bringing up several important things to consider for organizations affected by ransomware or companies* who are assisting organizations hit by ransomware.

* These companies include Law firms, Cybersecurity insurance companies, or Financial institutions facilitating the ransomware payments.

Let us look at a few highlights of this Advisory:

OFAC states that these ransom payments could facilitate the bad actors and the states they may represent to support their illegal activities.

Ransomware payment that is demanded as a result of malicious cyber activities may enable criminals and adversaries with a sanctions nexus to profit and advance their illicit aims.

U.S. Department of the Treasury. (2020, September 28). Retrieved October 03, 2020, from https://home.treasury.gov/policy-issues/financial-sanctions/recent-actions/20201001

OFAC has designated these malicious actors, aka our bad guys, under its cyber-related and other sanctions programs. OFAC uses these sanctions to effectively enforce foreign policies and national security goals.

So what does it really mean? If you or an organization were to pay the ransom in any way or form to an cyber-criminal, aka bad guy, and this individual or entity happens to be in one of the sanctioned countries , then you will be violating OFAC’s regulations. Simply put these payments with the sanctions nexus (associated or connected with the sanctions) threatens the U.S. National Security Interests.

So what should an organization that actively dealing with a ransomware attack do?

The OFAC’s Ransomware Advisory encourages victims and those involved with addressing ransomware attacks to contact OFAC immediately. At the end of the document, it lists all the departments that you may need to contact, such as:

  • U.S. Department of the Treasury’s Office of Cybersecurity and Critical Infrastructure Protection (OCCIP).
  • Financial Crimes Enforcement Network (FinCEN)
  • Cybersecurity and Infrastructure Security Agency (us-cert.cisa.gov)
  • Homeland Security Investigations Field Office (ice.gov)
  • Federal Bureau of Investigation Cyber Task Force (fbi.gov)
  • U.S. Secret Service Cyber Fraud Task Force (secretservice.gov)

In recent years, ransomware attacks have become more focused, sophisticated, costly, and numerous, adding to the various risks that an organization should consider when planning their Business Continuity and Disaster Recovery programs. While this article focused on United States and affects US Persons and Non-US Persons. It will be worthwhile to research regulations and laws in your regions of business operations.

Looking for the OFAC’s Ransomware Advisory, check out this page: https://home.treasury.gov/policy-issues/financial-sanctions/recent-actions/20201001


The Social Engineering Case of the Twitter Hack


This is Episode 1 of Security Bits.

On July 17, Billions of people woke up checking their favorite NEWS sources and social applications but about 400 of them fell for a scam on twitter. Famous people like Elon Musk, Jeff Bezos, Bill Gates and companies like The Cash App, Apple and several others including some politicians, they woke up with their personal or private twitter account being used by the attackers who had left a tweet on their behalf. Which basically claimed that these individuals or companies were feeling generous and were going to double your donation through Bitcoin transactions.

I want to speak a little more detail into how the attackers hacked these accounts, then discuss what was the result of such a attack and how significant it is for a company like Apple, Shell, Etc and also how it impacts you, your co-workers, your family and friends.

Prior to the attack on the 17th, the attackers had already infiltrated the Twitters internal systems by using a technique called Social Engineering. So, what is Social Engineering? It is the use of deception to manipulate individuals into divulging confidential or personal information that may be used for fraudulent purposes. The key words here are “use of deception to manipulate individuals”. An example would be calling you and manipulating you to provide your social security number.

So the Twitter employees were trciked into providing their administrative crentials for twitters internal system such as their usernams and passwords.

After which the attackers disabled the protections on the Twitter Accounts such as 2 Factor Authentication, changed the owners email address on file to their own email address and simply reset the passwords and then logged into the accounts. Then sent a tweet and also downloaded their personal Twitter Account Data.

A total of 130 Twitter accounts were affected and this resulted in 400 induviduals sending bitcoins worth a total of $121,000 USD to three seperate Bitcoin accounts in less than 5 hours before Twitter locked down the accounts and deleted the tweets.

So what are the lessons learned from this attack?

  • Hacks does not have to be complex or technical.
  • Insider Threat is still one of top security risks in any industry.
  • While this attack did not cause any harm to human lives, there are other platforms which can affect and touch our basic needs such as Emergency services, Utilities etc.

I will leave you with couple of thoughts.
Smartphones and Cloud Applications have created tremondous possibiliies but unable to control these can set us back both financially and mentally.

Remember, even if you have not been on twitter or Facebook or LinkedIn or maps, your apps are constantly capturing anything that is useful from within your phones, your GPS Coordinates or your conversations and create a valuable resource for them to sell and if bad guys get hold of it then they can do the same.
You are not the customer, you are the product.