Let's Talk About Ransomware Delivery...
We’re depending more and more on remote delivery these days. Food, household goods, and even healthcare, are finding their ways to us in new and novel ways. The one remote delivery no of us want, though, is Ransomware. And last week was quite the week for Ransomware.
City of Florence, Alabama will be paying 30 bitcoins (about 300,000 USD!) after a successful phishing attack by one of the biggest ransomware gangs now in operation. Australia Brewing Company Lion announced a possible beer shortage after a ransomware attack impacted the ability of employees to work remotely. The City of Knoxville, Tennessee has had to limit police response to low level incidents after a ransomware infection was delivered through phishing. The Paradise strain of ransomware continues to spread via spam using Excel IQY files. All of these attacks have one thing in common: Your end users have to decide whether to answer the door when the delivery comes knocking.
That old saw “Defense in Depth” (We’ll revisit “Defense in Depth” in future posts) can help a company or firm limit their risk of cyber disaster. However, security can sometimes be reduced to a numbers game for mid to small sized companies. Budgetary and resource restrictions often force us into a Sophie’s choice of which security measures will have the greatest impact on risk. Less expensive controls that have a greater impact get implemented. Pricier controls which have a lesser effect on risk might have to wait (Hopefully only temporarily!) until the budgetary or human capital cavalry arrives.
With respect to Ransomware, there are a few relatively inexpensive steps that fall into the high impact category for almost any company out here on the Internet. Encrypting data at rest can prevent data loss, even in the event of a successful breach. Multifactor Authentication can limit remote account takeover in the event the access control scheme is compromised. Limiting local admin and execution capabilities can prevent the initial infection or the subsequent spread of malware.
Perhaps the most important security tool that any company or firm has, though, is the end user. Again, Cybersecurity can be a numbers game. Ransomware typically spreads through spam or targeted emails containing malicious links. (Multiple international sites of automotive manufacturer Honda were also infected last week with what is likely an ICS-specific strain that uses RDP as a delivery vector, but let’s save that one for a different day). Education and training are some of the most important and effective defensive measures against this delivery vector. While your IT team (hopefully!) routinely casts a critical eye at those vile emails containing links to delivery confirmation for packages you weren’t expecting, or information about an ongoing pandemic you didn’t even ask for. Your typical end user, however, might not know enough to be suspicious. These emails are designed to prey on human emotions like fear and curiosity ( Remember what happened to that poor cat!). Your employees are the first attack surface that most Ransomware attacks will come knocking on. Training your employees to recognize these suspicious emails and providing them with tools to report and mitigate those emails is one of the most effective security measures you can implement. Regular training campaigns and simulations help to remove the initial hesitancy some employees might feel about declaring an email “bad”. Providing some timely and granular feedback, such as calling out departments with the highest detection rates, can help gamify the process. Generating that watercooler talk about whether a co-worker caught the latest test email is one of the most effective defensive achievements any Security practitioner can hope for.
Phishing education and training is a relatively low-cost effort that yields almost immediate results. As a rough yardstick, if your company or firm hasn’t sent out a simulated phishing email to its employees in the last month, you should look to jump start a program immediately. There are a number of companies that offer turnkey capabilities. If you aren’t sure which one is right for you, or need help evaluating the most effective tool for your company or firm, just give us a call. We can help.