by Jennifer Lyn Walker and Brett Zupan
This post was originally informed by the TLP GREEN FB-ISAO Monthly Threat Overview, distributed on 27 June 2019.
A series of recent ransomware incidents not only highlights just how vulnerable faith-based organizations and charities are to this type of cyberattack, it also demonstrates threat actors’ interest in targeting organizations that are often less prepared for a cyber incident, and the perception that they may be more willing to pay the ransom. In Auburn, WA, servers belonging to the Auburn Food Bank, a non-profit entity serving approximately 150 families per day, were infected with ransomware on 05 June. This attack locked employees out of their files and emails. Like similar non-profit and charitable agencies, the food bank does not have money budgeted for such events. “We are going to need help paying for this,” said Debbie Christian, Director of Auburn Food Bank. While the food bank has decided not to pay the ransom, it is estimated that equipment replacement and recovery will cost about $8,000. In addition to requesting financial donations, the Auburn Food Bank stated they welcomed volunteers who “can type” in order to manually recreate tons of forms, which is indicative of a lack of backups to restore systems.
Similarly, Father Bill’s and MainSpring, a Brockton, Massachusetts-based non-profit homeless shelter, recently announced that its network was the target of a ransomware attempt in April. Thankfully, the organization’s antivirus software was able to detect and prevent the attack before it could infect any computers on the network. While there was no evidence of a data breach, because of the potential for one the organization was required by the Massachusetts Attorney General’s office to send notification letters to anyone with a social security number stored in the shelter’s systems. “We’ve gone through all the proper procedures with a breach through AG’s office, and have done everything we need to do that’s required by the state to let people know,” John Yazwinski, president & CEO of Father Bill’s said. This task was made difficult as the shelter does not have a current address for 30% of the potentially affected individuals.
Both instances demonstrate the difficulties that smaller organizations face when confronting ransomware, whether it’s dealing with the aftermath of a successful attack or an unsuccessful attempt. As noted in prior FB-ISAO reporting, ransomware attacks are resurging and malicious actors are developing more creative ways to part organizations from their money and proprietary information. Examples include ransom notes that, in addition to the standard Bitcoin payment, offer a false PayPal option that is actually a disguised phishing attempt to steal the victim’s PayPal credentials, adding insult to injury, and ransom notes that promise to donate the victim’s payment to a children’s charity. With these trends in mind, FB-ISAO recommends faith-based organizations, charities, and non-profit organizations be proactive in preparing for a ransomware incident before – not if – it happens. The following are suggestions for leaders to consider:
- An ounce of prevention is worth a pound of cure. Unfortunately, Auburn Food Bank’s situation is not unique: many organizations lack the IT budget and data backup capabilities and are not prepared to recover from a ransomware incident. FB-ISAO urges members to heed these reports and begin allocating resources for cyber-related incidents, including ransomware, ahead of time. There are low-cost, reliable solutions for maintaining current and stable backups, which are the best way to recover from a ransomware infection without paying the ransom.
- Plan for the worst, hope for the best. Budgeting is important but providing awareness of and planning for these threats with your staff does not cost any money and offers huge benefits. Reminding staff of the latest threats, such as phishing, keeps the topic on their mind and can help when encountering a potentially suspicious situation. This habit also fosters a security-aware workplace.
- We are stronger together. FB-ISAO recommends all organizations be proactive in preparing for a ransomware incident by searching for resources and collaborating with peers and other partners. Resources such as KnowBe4’s Ransomware Hostage Rescue Manual have information to help you prevent infections and recover when you are hit with ransomware. The rescue manual explores ways you may be able to recover files even if you did not have a backup and includes a Ransomware Attack Response Checklist and a Ransomware Prevention Checklist. Similarly, reaching out to local peers and information sharing organizations, including FB-ISAO, can provide a vast network that offers hard-won knowledge and experience when facing a cyberattack. Depending on the relationship, some partners may be able to provide resources such as educational materials or temporary staff during a crisis.
Jennifer Lyn Walker is a cybersecurity professional with over nineteen years’ experience supporting critical infrastructure and SLTT governments. As Director, Cybersecurity Services for FB-ISAO and Gate 15, she advises and consults on cyber threats related to homeland security for critical infrastructure and vital lifeline sectors, including WaterISAC. She is experienced in malware analysis, threat assessments, cyber threat intelligence, compliance, and cybersecurity awareness.
Brett Zupan is a Risk Analyst at Gate 15 with experience in all-hazards analysis, exercise development, and information sharing. He has supported analysis, preparedness and operations for a number of critical infrastructure communities, including support to the Water and Wastewater Systems Sector, the Commercial Facilities Sector, and Higher Education in support of REN-ISAC, among other projects. Before joining the company in 2016, he worked at the Georgia State Senate. Brett received his Masters of International Relations from American University.