FBI Gives Hollywood Hacking Victims Surprising Advice: "Pay the Ransom"


dufus

6:30 AM PDT 5/12/2017 by Tatiana Siegel

Netflix isn't alone: Agencies and others are balancing demands for money against the fears of stolen data ending up online.

Phones are the lifeblood of a talent agency like UTA, but on April 11, its IT department discovered an intruder lurking in the voicemail system and computer network and quickly decided to shut them down, sending agents to conduct business on their iPads. Soon thereafter a demand from a hacker arrived: Pay a ransom or watch the agency's most confidential data get posted online.

It turns out UTA was lucky — an outside cybersecurity firm was brought in and, after conducting a forensic analysis, determined that nothing valuable had been pilfered. But the episode was one of at least a half-dozen extortion attempts against Hollywood firms over the past six months alone, say sources in the cybersecurity industry. Mirroring the audacity of the famed Bling Ring, the recent spate of strikes has left executives throughout the entertainment industry on edge, fearing that they — and all of their emails, contracts, celebrity addresses, banking information and salaries — might be the next Sony or Netflix, which saw 10 episodes of the upcoming season of Orange Is the New Black posted to The Pirate Bay six weeks ahead of the series' June 9 launch.

Others targeted with extortion plots include ICM and WME, the latter more significantly. Says USC cybercrime expert Michael Orosz: "A hacker breaks in through various means, steals data and then holds the company over the barrel. This is becoming more and more common because it's easy to do. It's basically low-hanging fruit."

The frequency of the attacks has overwhelmed the FBI's Los Angeles field office, which has been unable to properly investigate all of them. The FBI's surprising advice, according to industry sources: Pay the ransom. After all, the hackers aren't asking much more than a Cannes hotel tab. In all of the Hollywood extortion cases, the hackers demanded less than $80,000. A law enforcement source says that in California, losses would need to exceed $50,000 for the U.S. Attorney's office to prosecute, thus keeping the FBI from pursuing most of these cases.

But an FBI spokesperson in the L.A. office denied that the agency is telling companies to cough up the bitcoins in cases of ransomware. "The FBI does not encourage payment of ransom as it keeps the criminals in business," says Laura Eimiller. "Of course, the individual victim must weigh their options."

"If your system is wiped and you didn't pay, then there's no way to recover it and you basically shut down your entire business, so the FBI will say it's easier to pay it than it is to try to fight to get it back," says Hemanshu Nigam, a former federal prosecutor of online crime in L.A. and onetime chief security officer for News Corp. "And if one company pays the ransom, the entire hacking community knows about it."

So far, at least one Hollywood company has paid the ransom, according to a source. Others are waiting to see if anything valuable was taken, something not evident unless a victim runs a forensic analysis, which typically costs far more than the ransom demand.

http://www.hollywoodreporter.com/news/fbi-gives-hollywood-hacking-victims-surprising-advice-pay-ransom-1001515

Quote

Did the FBI really say “pay up” for ransomware? Here’s what to do…

A comment made by an FBI agent at a little-noticed cybersecurity conference in Boston last week is all of a sudden making big headlines, many of them suggesting that the FBI is telling victims of ransomware to “just pay” the ransom.

The comments by Joseph Bonavolonta, Assistant Special Agent in Charge of the Cyber and Counterintelligence Program in the FBI’s Boston office, were first reported by The Security Ledger.

What Bonavolonta supposedly said is that the encryption used by cybercrooks in the ransomware known as CryptoWall is so good that the FBI “often [advises] people just to pay the ransom.”

Here’s the exact quote:

Quote

The ransomware is that good... To be honest, we often advise people just to pay the ransom.

Bonavolonta was also quoted as saying “the easiest thing may be to just pay the ransom,” and the “overwhelming majority of institutions just pay the ransom.”

And he said: “You do get your access back” (to your files once you pay).

It’s true that CryptoWall and some other variants of ransomware tend to get the cryptography right, which means you can’t undo the encryption without paying.

It’s also true that a lot of institutions and individuals do pay the ransom – one study in the UK suggested that up to 40% of victims of CryptoLocker – the forebear of today’s file-encrypting ransomware – paid to unlock their files.

Even police departments that have had their files scrambled by ransomware have paid to get them back – such as one municipal police department in Massachusetts, and a sheriff’s office in Tennessee.

And it’s true that the crooks often provide the encryption key to decrypt your ransomed files, once you pay somewhere in the range of $300 to $600 in bitcoins.

The ransomware gangs’ business model seems to depend on good “customer service,” if you can call it that – they even offer to let you decrypt one file for “free” as proof that they’ll follow through on the bargain.

However, paying the ransom does present an ethical dilemma: by paying up, you support a criminal enterprise, making it more likely that others will be caught up in the same trap.

That seems to be why so many headlines are blaring about Bonavolonta’s statement – could the FBI really be encouraging people to pay off the criminals, something they would never do if a ransom were demanded in a hostage situation?

Actually, the FBI’s officially sanctioned advice about ransomware doesn’t explicitly mention paying or not paying the ransom – the bottom line in the FBI’s ransomware information page from January 2015 is that victims should contact the FBI.

An FBI spokesperson sent me the following statement:

Quote

The FBI doesn't make recommendations to companies; instead, the Bureau explains what the options are for businesses that are affected and how it's up to individual companies to decide for themselves the best way to proceed. That is, either revert to back up systems, contact a security professional, or pay.

The FBI website has some pretty good advice about preventing ransomware that comes close to what Naked Security advises, including:

  • Keep your anti-virus active and up to date. That means you’re more likely to block malware attacks proactively.
  • Patch your operating system and applications promptly. Many attacks rely on exploiting security bugs that already have fixes available, so don’t make yourself low-hanging fruit.
  • Be suspicious of unsolicited emails, no matter how relevant they may seem. Avoid opening attachments and clicking on links in emails too, especially if you’re not expecting them.
  • Make regular backups, and keep at least one offline. That protects you from data loss of any kind, whether caused by ransomware, flood, fire, loss, theft and so on.

As Sophos security expert and Naked Security writer Paul Ducklin explained in an excellent post about the pay-or-not dilemma, it’s pretty easy for people whose precious data isn’t at risk to take a strong position that “you should NEVER pay.”

But if it’s YOUR family photos or financial documents on the line, what would you do?

Our simple advice is summed up here:

  1. Don’t pay if you can possibly avoid it, even if it means some personal inconvenience.
  2. Take precautions today (e.g., backups, proactive anti-virus, web and email filtering) so that you avoid getting into a position where you ever need to pay.

We’ve got a lot more advice on dealing with ransomware in the Sophos Techknow podcast below.

https://nakedsecurity.sophos.com/2015/10/28/did-the-fbi-really-say-pay-up-for-ransomware-heres-what-to-do/

It doesn't sound like anything new to me; it just sounds like something the FBI said before, and this post is proof. The paparazzi wait for anybody to say anything to write about and call it news. Someone can give someone 15 choices and tell them it's up to them what to do, and the paparazzi will twist the facts and make it clickbait to get hits, take one little quote someone said and write a whole article on it,

but leave the rest of what the person said in the speech out. So unless you watched the whole speech live, you really don't know what was said! That's the difference between watching it live and reading about it on the internet, where most news has an agenda.

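The backup bullet in the quoted Naked Security advice ("make regular backups, and keep at least one offline") is the one measure in this thread that actually takes the pay-or-don't-pay decision off the table, but only if the copy the intruder could not reach still verifies when you need it. The script below is an added example, not code from either article or from anyone in the thread: it builds a SHA-256 manifest of a directory, seals the manifest with an HMAC key that is assumed to live off the backed-up host, simulates a ransomware run against the live tree (constructed sample files; the "ransomware" just overwrites and renames them), and then checks both the live tree and the offline copy against the sealed manifest. Every path, file name and key in it is constructed for illustration.

```python
import hashlib
import hmac
import json
import secrets
import shutil
import tempfile
from pathlib import Path


def file_digest(path: Path) -> str:
    """SHA-256 of a file, streamed so large media files do not load into RAM."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every file under root (POSIX relative path) to its digest."""
    return {p.relative_to(root).as_posix(): file_digest(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def seal_manifest(manifest: dict, key: bytes) -> str:
    """Attach an HMAC so a manifest left next to the backup cannot be silently rewritten."""
    body = json.dumps(manifest, sort_keys=True)
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return json.dumps({"manifest": manifest, "hmac": tag})


def open_manifest(sealed: str, key: bytes) -> dict:
    """Verify the HMAC before trusting any digest in the manifest."""
    obj = json.loads(sealed)
    body = json.dumps(obj["manifest"], sort_keys=True)
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, obj["hmac"]):
        raise ValueError("manifest tampered with or wrong key")
    return obj["manifest"]


def verify_tree(root: Path, manifest: dict) -> dict:
    """Report files missing from, changed in, or added to root relative to the manifest."""
    current = build_manifest(root)
    return {
        "missing": sorted(k for k in manifest if k not in current),
        "changed": sorted(k for k in manifest if k in current and current[k] != manifest[k]),
        "extra": sorted(k for k in current if k not in manifest),
    }


def simulate_ransomware(root: Path) -> None:
    """Constructed stand-in for a file-encrypting ransomware run: overwrite, rename, drop a note."""
    for p in list(root.rglob("*")):
        if p.is_file():
            p.write_bytes(secrets.token_bytes(p.stat().st_size + 16))
            p.rename(p.with_suffix(p.suffix + ".locked"))
    (root / "HOW_TO_DECRYPT.txt").write_text("pay 1 BTC to get your files back\n")


def manifest_tamper_detected(sealed: str, key: bytes) -> bool:
    """True if flipping one digest inside a sealed manifest is caught by open_manifest."""
    obj = json.loads(sealed)
    name = next(iter(obj["manifest"]))
    obj["manifest"][name] = "0" * 64
    try:
        open_manifest(json.dumps(obj), key)
    except ValueError:
        return True
    return False


def demo() -> dict:
    """Build constructed sample data, back it up, hit the live copy, verify both copies."""
    work = Path(tempfile.mkdtemp())
    live, offline = work / "live", work / "offline_backup"
    (live / "docs").mkdir(parents=True)
    (live / "docs" / "contract.txt").write_text("constructed sample contract\n")
    (live / "photo.jpg").write_bytes(b"\xff\xd8" + bytes(32))  # constructed sample bytes

    key = secrets.token_bytes(32)          # assumed to be stored off the live host
    sealed = seal_manifest(build_manifest(live), key)
    shutil.copytree(live, offline)          # the "offline" copy: untouched from here on

    simulate_ransomware(live)
    manifest = open_manifest(sealed, key)
    result = {
        "live": verify_tree(live, manifest),
        "offline": verify_tree(offline, manifest),
        "tamper_detected": manifest_tamper_detected(sealed, key),
    }
    shutil.rmtree(work)
    return result


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The point of sealing the manifest is that a ransomware run which can reach the backup can also rewrite an unauthenticated hash list so that a scrambled copy "verifies"; keeping the key with the offline media rather than on the host closes that gap. In practice the check you actually want is a periodic restore test against the offline copy, which is exactly what the `offline` report in `demo()` stands in for.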


On 14/05/2017 at 4:40 AM, steven36 said:

Someone can give someone 15 choices and tell them it's up too them what too do

Exactly. The point is, should the choice from the agency be "pay the criminal"? It should be "we have the expertise and tech to catch the swines and jail them".
