
You Can’t Prevent an Incident if You Don’t Take the Call

A Ransomware Information Sharing Experience

FB-ISAO works closely with members and trusted partners to maintain awareness of threats and incidents across all-hazards. When it comes to cybersecurity, we work closely with partners to share potential threat information that could have implications for an organization. Each day, our team reviews alleged ransomware incidents for victims from our community or third or fourth parties that may impact our members. Additionally, we work closely with our friends and sponsors at Advanced Intelligence (AdvIntel) and Gate 15 to notify members of suspected activity that could be indicative of an imminent ransomware attack. Based on recent observations and Indicators of Compromise, there have been more frequent cyberattacks, particularly in the form of ransomware, on non-profits. Non-profits are especially vulnerable because of their limited resources and the fact that they often allocate those limited resources to activities that support their mission. Unfortunately, security of their assets is not typically a priority item for non-profits.

Last week, AdvIntel notified Gate 15 of several likely ransomware attacks. One of those affected is a Canada-based faith-based organization (a Chinese Christian church). FB-ISAO reached out to the organization to try to communicate the threat information with them. Regrettably, these conversations are often really difficult. Those non-members we reach out to sometimes suspect we’re either attempting to sell them something or even that we’re the attackers! In this engagement, those receiving the call attempted to direct us to the right person in the organization. Unfortunately, they told us the sole contact was out of office until after Thanksgiving and the only option was to leave a voicemail. We did that, and offered to be available if there were any questions or concerns.

This resource can be a useful tool to educate on ransomware: https://www.cisa.gov/stopransomware/general-information. With ransomware, and other threats, quick response is often needed. We’ve been glad to have successful engagements where organizations received threat reports and took action to prevent attacks. Too often, that isn’t the case. One of the lessons this recent effort reminds us of is the importance of having clear primary and alternate contacts and means for reaching them in emergency situations. FB-ISAO members are encouraged to consider whether they have clear communications protocols for cyber and physical security, and whether those contacts and procedures are clearly understood by those who are most likely to receive initial contact when someone calls or emails member FBOs.

Have a plan. Train the plan. Exercise the plan.

Have contacts. Inform your team of how and under what circumstances to contact them. Practice those procedures.

We hope we never have to call your organization with imminent threat information. But, if we do, we’ll always reach out to our members directly. In the event that the designated contact is not available, we hope your team knows who the right person is and how to contact them so the threat can be addressed quickly and effectively.

In early 2022, the Faith-Based Information Sharing and Analysis Organization will be embarking on a Cyber Road Show (CRS). The CRS is intended to provide an entry-level opportunity for Faith-Based Organizations (FBOs) to gain a greater level of understanding relating to both general cyber security terms and threats and a specific cybersecurity threat, Business Email Compromise (BEC), and best practices. You can learn more about the CRS here.
