by Jennifer Lyn Walker and Omar Tisza
This post was originally informed by a TLP: GREEN FB-ISAO report distributed on 14 February 2019.
Like every other business type, faith-based organizations (FBOs) are susceptible to digital extortion attacks. History has shown that many cyber criminals are not selective in their targets - they exploit vulnerabilities in people, processes, and technology regardless of industry or sector.
What is Digital Extortion?
At its core, digital extortion is a psychological tactic designed, through social engineering, to elicit an emotional response, primarily fear, embarrassment, or humiliation, and it often aims to profit through ransom payments. According to the FBI, complaints of extortion by email increased 242% in 2018, totaling $83 million in losses.
Some types of extortion threats are credible, insofar as the threat actor is able to inflict, or has already inflicted, disruption or damage to some degree; however, there has also been an uptick in non-credible extortion-based threats during the past year. These empty threats may use personal information, such as passwords or email addresses, as intimidation, but they are nothing more than hoaxes. While ransomware may be the most well-known type of extortion attempt, there are many variants, including the increasingly popular "sextortion" campaign.
Below is an overview of common types of digital extortion, including ransomware and sextortion, that faith-based organizations are likely to encounter.
Potentially Destructive, but at the Very Least, Disruptive
Nary a week goes by without reports of organizations that have fallen victim to ransomware. Ransomware is malicious software (malware) that encrypts files on infected computers, making the files inaccessible until (presumably) unlocked with a decryption key. The malware displays a warning message along with a ransom demand and instructions for payment. The ransom is usually requested in Bitcoin or another cryptocurrency in exchange for the promised decryption key, which may or may not work, let alone be provided.
In many cases, organizations have had to rebuild their computers and file systems from scratch, costing valuable time and money - and causing many headaches. Recently there has been a spate of incidents affecting cities, municipalities, and other government entities, as well as charities, non-profit organizations, and FBOs, including a food bank and a Catholic archdiocese.
Non-Credible Extortion Threats
In the past year, other extortion-based threats have been known to be non-credible, such as bomb threats and hitman scams. In December 2018, emails containing bomb threats and hitman schemes went viral. These messages gained worldwide attention and awareness for the hoaxes they were, but not before causing major disruptions to countless businesses and individuals.
The majority of email extortion complaints to the FBI consisted of sextortion. While not a "credible" threat, perpetrators are adept at crafting sextortion emails that appear believable enough to evoke fear or concern. The recipient receives an email claiming that the scammer has compromised their computer and stolen all their files, including contacts and browser history. The email further threatens the victim with public disclosure of unsavory pictures or videos to family, friends, and colleagues (allegedly captured with malware the scammer placed on an "adult" website the victim visited) unless a ransom is paid for the scammer to keep quiet. These fraudsters do not have the "dirt" they claim; nonetheless, some include personal details, such as a previously leaked password, to make the ruse seem more credible and increase the chance victims will pay the ransom. There is even a variation that looks like it comes from your own email address, because the fraudsters want you to think they have also compromised your email account.
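The indicators described above (a message that appears to come from the recipient's own address, a leaked password used as a lure, claims of webcam and browser-history theft, and a cryptocurrency ransom demand) can be turned into a simple triage check for a mail filter or help desk. This is an added example, not code from FB-ISAO or the original post; the two sample messages are constructed, and the keyword lists are assumptions chosen to match the pattern the post describes.

```python
import email
import re
from email import policy
# Constructed sample messages (not real scam emails) for the triage check below.
SAMPLE_SEXTORTION = """\
From: victim@example.org
To: victim@example.org
Subject: victim@example.org - your password is hunter2

I placed malware on the adult website you visited and recorded you through your webcam.
I have all your contacts and browser history. Pay 800 USD in Bitcoin to my wallet
within 48 hours or the video goes to your family, friends and colleagues.
"""
SAMPLE_BENIGN = """\
From: choir@example.org
To: victim@example.org
Subject: Rehearsal moved to Thursday

Hi all, rehearsal is moved to Thursday at 7pm. See you there.
"""

# Content signals taken from the pattern the post describes (assumed keyword lists).
CLAIM_PATTERNS = [
    r"\b(webcam|camera)\b",
    r"\badult (web)?site\b",
    r"\b(contacts|browser history)\b",
    r"\b(malware|trojan|hacked|compromised)\b",
]
DEMAND_PATTERNS = [r"\bbitcoin\b", r"\bbtc\b", r"\bwallet\b"]
THREAT_PATTERNS = [r"\b(family|friends|colleagues)\b", r"\b\d+ ?hours\b"]

def score_sextortion(raw: str) -> dict:
    """Return indicator flags and a numeric score for one RFC 822 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    sender = (msg.get("From") or "").lower()
    recipient = (msg.get("To") or "").lower()
    body = msg.get_body(preferencelist=("plain",))
    text = (body.get_content() if body else "").lower()
    subject = (msg.get("Subject") or "").lower()
    flags = {
        # Variant that appears to come from the victim's own address.
        "self_addressed": bool(sender) and sender == recipient,
        # "Your password is ..." in the subject is the personal-detail lure.
        "password_lure": "password" in subject,
        "compromise_claim": any(re.search(p, text) for p in CLAIM_PATTERNS),
        "crypto_demand": any(re.search(p, text) for p in DEMAND_PATTERNS),
        "disclosure_threat": any(re.search(p, text) for p in THREAT_PATTERNS),
    }
    return {"flags": flags, "score": sum(flags.values())}
```

A message scoring several flags at once is worth quarantining and reporting rather than acting on; a single keyword hit on its own is not a reliable signal.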
In addition to ransomware, FB-ISAO believes that FBOs are likely to observe sextortion-based attacks. Given the personal and sensitive nature of the claims and the appearance of impropriety, malicious actors may expect members of the community of faith to feel a need to protect image and reputation by succumbing to ransom demands. Yet, contrary to the majority of FBI complaints, and for those same reasons, it is plausible that sextortion emails in the faith-based community are likely to go unreported.
It is also important to report digital extortion incidents to the appropriate authorities and to share them with the broader faith-based community to improve security and resiliency.
o Report all incidents to the FBI through the Internet Crime Complaint Center (IC3)
o If there has been a financial loss, you should (and in some cases, may be required to) contact local law enforcement
o Report the incident to FB-ISAO for broader awareness among the Community of Faith
Jennifer Lyn Walker is a cybersecurity professional with over nineteen years' experience supporting critical infrastructure and SLTT governments. As Director, Cybersecurity Services for FB-ISAO and Gate 15, she advises and consults on cyber threats related to homeland security for critical infrastructure and vital lifeline sectors, including WaterISAC. She is experienced in malware analysis, threat assessments, cyber threat intelligence, compliance, and cybersecurity awareness.
Omar Tisza graduated from American University in 2017 with a bachelor's in International Relations. After a brief stint in business development on the federal market, he began his role as Jr. Risk Analyst at Gate 15 in 2018 and currently supports the Health Information Sharing and Analysis Center (HISAC) and the Healthcare Sector Coordinating Council - Cybersecurity under the leadership of Executive Director Greg Garcia, former Assistant Secretary for Cyber Security and Communications at DHS.
Join FB-ISAO! We welcome faith-based organizations, charities and critical partners to join FB-ISAO. Access our TLP AMBER and TLP GREEN reports, join our collaborative forums, working groups, participate in leadership opportunities and take the next step in enhancing your organization's preparedness, security and resilience!
Originally published at https://faithbased-isao.org.