Phishing and ransomware can be your worst nightmares, how can you prevent these evolving threats?
Toward resilience against phishing and ransomware attacks
Over the past years, phishing and ransomware have become the most rampant form of cybercrime and an exponentially increasing threat to organizations. The vast majority of organizations have been targeted by phishing or ransomware. Ransomware, a form of malware designed for the sole purpose of extorting money from victims; and phishing, the delivery mechanism of choice for ransomware and other malware, are critical problems that every organization must address through a variety of means. The good news is that there is a lot that organizations can do to be resilient against such threats. What makes today’s phishing and ransomware attacks among the leading concerns expressed by cyber-risk-aware decision makers?
Ransomware attacks – a growing epidemic
Are you prepared to face the evolving threat of ransomware?
Ransomware is a type of malicious software that restricts or limits users of a targeted organization from accessing their IT systems (servers, workstations, mobile devices, etc.), until a ransom is paid. Ransomware is a major and exponentially growing threat that organizations will certainly face if they are not already concerned.
We have learned from the various ransomware incidents that have happened in 2016 and early 2017 that organizations might not be as ready as they might believe to face such a threat.
Why should your organization be informed about ransomware?
Ransomware can have an overwhelming impact on businesses of all sizes. Personal and corporate data, financial and healthcare records, network share files (hosting sensitive employee data, intellectual property or customer data), and all other valuable content can be taken hostage by ransomware. The latest ransomware aftermath stories are proving that it can halt businesses, slow down productivity, and, potentially, set an entire organization up for failure.
Future trends in ransomware
The profitability of ransomware is flourishing due to the simplicity of its business model and the ease of use of its operating model. According to the latest cyber threat intelligence, ransomware attacks shifted focus to the industries that have little option but to pay, such as healthcare, small and medium businesses (SMB), governments, critical infrastructure, NGOs, and education. Spear phishing campaigns were mainly used to ship the ransomware to those industries. Attackers know that those industries hold valuable or sensitive data, are usually struggling to fund their IT capabilities, and are often subject to regulations that can thwart their ability to make an efficient use of backups.
Based on the ENISA Threat Landscape Report 2016 (published in January 2017) and latest threat intelligence reports, there have been significant improvements in ransomware variety and functionality to increase damage and accelerate the need for response:
- More comprehensive and targeted damage, including back-up files, databases, and web pages
- Use of security vulnerabilities to increase infection rates
- Methods to increase ransom in case users delay payment
- Change of communication methods to victims to better negotiate ransom amount (e.g., through chat rooms instead of fixed banners)
- Stealthier encryption of infected computers and improved techniques to evade detection
- Internet-of-Things (IoT) and smart devices are seen as new targets
Phishing is the number one delivery vehicle for ransomware
The motive behind this is that phishing emails are easy to send and lead to a faster return on investment (ROI). Phishing, as part of social engineering schemes, lures victims into executing actions without realizing the malicious drive. The less aware the targeted user is, the more fruitful the attack. Likewise, in case of targeted attacks, phishing emails are created to look like they come from a trustworthy sender, but link to or contain malicious content that executes as soon as users click it, encrypting their data and asking for the ransom.
Sophisticated phishing attacks are harder to detect by nature and sometimes even careful users can still fall into the trap.
Phishing attacks on the rise
What is phishing?
The human factor is the weakest link in the security chain. Attackers persuade and deceive employees in many ways to gain critical access, but one method stands out in its scale: email.
Phishing is the attempt to obtain sensitive information such as usernames, passwords, and credit card details (and, indirectly, money), often for malicious reasons like executing and propagating malicious content by being disguised as a trustworthy entity in electronic communication.
Why is phishing so successful?
Phishing is so successful today since users are experiencing an “infobesity” through their received emails, making them less cautious to detect phishing attempts. Cybercriminals are resourceful when deceiving users by crafting content and evading detection patterns (customization of content, copy of graphical charter, etc.). Cybercriminals also take advantage of the information users share about themselves through social media, to create tailored and more authentic email templates. Users might get insufficient training about phishing, its use to deliver ransomware, and the best practices to deal with unknown threats. In addition, many users are simply not sufficiently skeptical when it comes to receiving requests to do things like transfer funds, open attachments, or provide sensitive information. Even worse, some organizations are not considering to include user training and awareness as part of their defense strategy.
What are the main phishing types?
- Spear phishing
Spear phishing is a more sophisticated and elaborate version of phishing. Threat actors gather information on key people in a targeted organization to craft a personalized and believable email to encourage specific targeted user(s) to provide confidential information or deliver certain malicious content (ransomware delivery, polymorphic URLs, drive-by downloads, silent malware, etc.)
Spear phishing emails are so personalized that traditional spam and reputation filters repeatedly fail to detect the malicious content within.
Business email compromise, also known as CEO fraud or whaling, is also part of the threat landscape.
In these attacks, the threat agents typically impersonate an email account belonging to a high-profile executive and then use it to send an email to the organization’s employees with financial authority, asking them to transfer money into bank accounts controlled by the attackers. CEOs, directors, and executive-level, payroll, or human resources staff are part of the company’s big fish.
What are the most common phishing emails in use?
Cyber threat reports define highly effective phishing emails that end-users need to be vigilant about:
- Corporate emails: look like official corporate communication (e.g., benefit enrollment messages, full mailbox notifications, etc.)
- Commercial emails: business-related emails that are not organization-specific (e.g., wire transfer requests, insurance notifications, shipping confirmations, etc.)
- Consumer emails: emails the general public gets on a daily basis (e.g., social networking notifications, gift cards, etc.)
- Technical emails: such as error reports and bounced email notifications
- Cloud emails: business-related emails including messages related to cloud services (e.g., asking to download documents from a cloud service, redirection to an online file sharing service, etc.)
Major trends in phishing
Several studies and media headlines are confirming the following major trends:
- The main purpose of most phishing emails today is to deliver, directly or indirectly, some form of ransomware
- Phishing campaigns with the highest click rates use content that targeted users would assume to come across during their everyday job tasks
How can you protect your business from phishing and ransomware?
Rethink your protection against ransomware
Traditional protection methods relying on malware signatures and basic rules for protection has revealed to be ineffective against ransomware threats. Indeed, attackers design their ransomware to bypass traditional web and email protection, which are prone to have “set and forget” configurations.
The ransomware threat should be handled with a comprehensive assessment of the organization’s countermeasures to understand if they are really capable of responding to the latest threats. This assessment includes, but is not limited to the following:
- User awareness
- Backup and recovery strategies
- Vulnerability and patch management processes
- Use of privileged accounts and access controls
- Content and Whitelist filtering
- Security configurations of endpoints
- Incident response processes
- Use of threat-intelligence solutions
Define your phishing defense strategy:
The prompt awareness and responsiveness on phishing and ransomware has encouraged threat actors to reiterate their tactics, techniques, and procedures (TTPs) on both payload and delivery campaigns. This continued persistence demonstrates that the technological focus, emphasized by acquiring, deploying, and tuning security solutions, is not enough.
Without a phishing defense strategy, organizations are prone not only to the ample phishing emails used to deliver ransomware, but also to the less observable emails used to deliver the same malware that has been used for years.
By getting ready for these phishing attacks, users can be empowered to act as both “human sensors” for spotting phishing attacks and partners in thwarting threat actors from gaining a foothold in the organization.
Implement best practices for user behavior and tailored awareness
There are a variety of best practices that organizations should follow in order to minimize their exposure to phishing and ransomware.
Organizations should implement a strong security awareness program that will help users to make better decisions about the content they receive through email, on what they view or click in social media, how they access the web, and so forth. It is essential to sufficiently invest in employee training so that the “human firewall” can provide an adequate first line of defense against increasingly sophisticated phishing and ransomware.
Furthermore, organizations should occasionally test their employees to determine if their security awareness training is effective. Those tests should trigger an action plan and measure the organization's successes and failures.
As far as business email compromise is concerned, organizations should create communication “backchannels” for executives and other key staff that might be targeted on this attack schema.
Awareness programs such as Deloitte’s Phishing as a Service including highly customizable simulation and response components are generally more effective than merely walking users through theory without any practice.