“Ransomware,” or hacker blackmail that attempts to extort money by threatening to release confidential or embarrassing information, is on the rise. “Phishing,” or its variant “spear phishing,” seems to be the most common vector.
- “Phishing” is basically spam that contains a poison pill in the form of a trojan-horse attachment or a link to a drive-by download website.
- “Spear phishing” is the same, except that it is targeted to make it more attractive to a particular organization or even a particular person.
Thanks to Ben Schorr for an interesting example: The University of California San Francisco paid hackers $1.14 million (after negotiating them down from $3 million). BBC News has a transcript of some of the negotiations.
But Jan Op Gen Oorth, from Europol, which runs a project called No More Ransom, said: “Victims should not pay the ransom, as this finances criminals and encourages them to continue their illegal activities.
“Instead, they should report it to the police so law enforcement can disrupt the criminal enterprise.”
Brett Callow, a threat analyst at cyber-security company Emsisoft, said: “Organisations in this situation are without a good option.
“Even if they pay the demand, they’ll simply receive a pinky-promise that the stolen data will be deleted.
“But why would a ruthless criminal enterprise delete data that it may be able to further monetise at a later date?”
Phishing is worse than a nuisance: it can destroy your business. Specialized software can help, but the first line of defense is high-quality training of your employees. Supplement this by testing their responses to simulated break-in attempts, and by embarrassing the employees who show themselves to be too gullible.