[BreachExchange] Ransomware can be an expensive phishing lesson

Audrey McNeil audrey at riskbasedsecurity.com
Mon Feb 29 19:24:46 EST 2016


http://techcitynews.com/2016/02/29/ransomware-can-be-an-expensive-phishing-lesson/

At the end of 2015, a critical attack that caused power outages at Israel’s
power grid was traced back to ransomware. Then, in January, the UK’s
Lincolnshire County Council held its hands up after its systems were
maliciously encrypted, forcing it to suspend a number of public services.

The latest instance saw the US-based Hollywood Presbyterian Medical Center
reverting to communicating in person or via fax as its systems were held to
ransom. The tragedy is that these are not isolated cases, with many more
companies joining this sorry register of ransomware victims.

To pay or not to pay?

The primary purpose of ransomware is to make money for the criminals behind
it. They send their code, typically via a phishing message, that tricks an
unwitting victim into installing the malicious program on systems,
encrypting the data, and demanding a ransom be paid to reverse the damage.

While there have been a number of iterations, CryptoWall is arguably the
most successful ransomware. It was so lucrative during its prolific career
that the Cyber-Threat Alliance claimed it had netted nearly £214m worldwide
during its short life span.

While Lincolnshire council took a firm stance, refusing to meet the
criminals’ $500 demands, Hollywood Presbyterian opted to hand over $17,000
to secure the decryption keys and remove the shackles from its systems. Of
course, parting with cash isn’t a guarantee that the criminals will honour
the agreement, as ProtonMail found to its detriment last November.

However, the size of the ransom isn’t actually the issue everyone should be
preoccupied with. Nor whether it’s right or wrong to reward the criminals
for their ingenuity. Instead, focus should be on how to stop ransomware in
the first instance.

With all the various technologies ring-fencing enterprises (or at least
they should be), how can ransomware still take such a choke-hold on systems?

Point of infection

The sad truth is that phishing emails laden with ransomware can easily slip
past filters and arrive into email inboxes. This leads many to argue that
antivirus applications are the first line of defence. However, Lincolnshire
County Council had anti-virus installed, plus other security software, but
its systems didn’t detect the malware as it went about encrypting its
network.

In the council’s defence, the strain of ransomware was a previously unseen
program, so the various software deployed was not looking for it – a
well-documented flaw with this approach.

Technology alone cannot solve the problem of phishing, and security teams
are not the only line of defence. It takes all hands on deck.

Activate your human defences

There is hope, as ransomware has an Achilles’ heel. In nearly all cases,
someone has to interact with the program to trigger the attack. As humans
are attacking humans, it stands to reason that humans can defend against
the attack.

By conditioning the workforce to recognise the criminals’ methods, they can
actively deflect them and keep the enterprise secure.

Of course, this doesn’t happen instantly, so here are the three layers that
transform employees into an impenetrable human phishing defence:

Layer one: Suspicion as standard

Inboxes are viewed by criminals as an exploitable point of entry so
employees need to be empowered as active participants in security –
spotting not just ransomware, but anything that looks to steal data, shut
down entire IT systems, interfere with critical communications and even
extort money.

Regularly checking a person’s vulnerability to phishing messages, and
providing immediate feedback at the point that they’re found to be
susceptible, is far more likely to change behaviour than training employees
for a few hours each month, or providing them with a leaflet on the risks
of phishing.

Repeated over time, employees become conditioned to question their inbox
and respond appropriately.

Layer two: Intelligence collecting

While preventing every employee clicking links and opening attachments is
the ideal, it’s also unrealistic.

As employees become increasingly perceptive, able to correctly identify
these malicious packages, collecting this information provides the incident
or security team with immediate, company-specific phishing attack
intelligence.

Providing positive reinforcement when a successful phish is reported
encourages repeat behaviour, so make sure you congratulate positive
identification.

Layer three: Detect and deflect

Harnessing this unique, human-derived intelligence allows security teams
to manage and prioritise alerts, speed incident response and ultimately
take evasive action when necessary.

Every workforce has within it the problem-solving skills to identify
malicious emails that, partnered with automated identification, can slam
the door closed on cyber criminals and their ransomware. Rather than undo
the damage of the next ransomware attack, organisations should turn
employees from weakest link to a powerful human phishing defence.
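As an added illustration of layers two and three (not part of the original article or of any product the author describes): a small Python triage script that groups employee phishing reports into campaigns and scores them so the security team sees the most urgent one first. The report layout, the scoring weights, and the addresses in the reserved .test domain are all constructed assumptions; a real deployment would feed it whatever the mail-reporting button or shared mailbox produces.

```python
"""Triage employee phishing reports into prioritised, campaign-level alerts.

Added example: the reports below are constructed, not real mail. The input
format (one dict per report) and the scoring weights are assumptions.
"""
import re
from collections import defaultdict
from urllib.parse import urlparse

# Attachment types that commonly carry a dropper or macro (assumed list).
RISKY_EXTENSIONS = {".exe", ".js", ".jse", ".vbs", ".scr", ".docm", ".xlsm", ".zip", ".rar"}

# Constructed sample reports; all addresses use the reserved .test TLD.
SAMPLE_REPORTS = [
    {"reporter": "alice", "sender": "billing@invoice-portal-example.test",
     "subject": "Invoice 4471 overdue", "urls": [],
     "attachment": "invoice_4471.zip", "clicked": False},
    {"reporter": "bob", "sender": "billing@invoice-portal-example.test",
     "subject": "Invoice 4482 overdue", "urls": [],
     "attachment": "invoice_4482.zip", "clicked": True},   # bob opened it
    {"reporter": "carol", "sender": "it-helpdesk@example-corp-login.test",
     "subject": "Password expiry notice",
     "urls": ["http://example-corp-login.test/reset"], "attachment": None,
     "clicked": False},
    {"reporter": "dave", "sender": "it-helpdesk@example-corp-login.test",
     "subject": "RE: Password expiry notice",
     "urls": ["http://example-corp-login.test/reset"], "attachment": None,
     "clicked": False},
    {"reporter": "erin", "sender": "newsletter@example-vendor.test",
     "subject": "Weekly digest", "urls": [], "attachment": None,
     "clicked": False},
]


def normalise_subject(subject):
    """Collapse per-recipient variation so one campaign yields one key."""
    s = subject.lower().strip()
    s = re.sub(r"^(re|fw|fwd):\s*", "", s)  # drop reply/forward prefixes
    s = re.sub(r"\d+", "#", s)              # invoice numbers etc. become '#'
    return re.sub(r"\s+", " ", s)


def sender_domain(address):
    return address.rsplit("@", 1)[-1].lower()


def campaign_key(report):
    return f"{sender_domain(report['sender'])}|{normalise_subject(report['subject'])}"


def attachment_extension(name):
    if not name:
        return None
    match = re.search(r"(\.[a-z0-9]+)$", name.lower())
    return match.group(1) if match else None


def score_campaign(campaign):
    """Assumed weights: breadth of reports, then evidence of actual exposure."""
    score = len(campaign["reporters"])      # how many people received it
    if campaign["clicked"]:
        score += 5                           # someone interacted: an incident
    if campaign["risky_attachments"]:
        score += 3
    if campaign["url_hosts"]:
        score += 2
    return score


def triage(reports):
    """Group reports by campaign, extract indicators, and rank by score."""
    groups = defaultdict(lambda: {"reporters": set(), "clicked": 0,
                                  "sender_domains": set(), "url_hosts": set(),
                                  "risky_attachments": set()})
    for r in reports:
        g = groups[campaign_key(r)]
        g["reporters"].add(r["reporter"])
        g["clicked"] += int(bool(r.get("clicked")))
        g["sender_domains"].add(sender_domain(r["sender"]))
        for url in r.get("urls") or []:
            host = urlparse(url).hostname
            if host:
                g["url_hosts"].add(host)
        ext = attachment_extension(r.get("attachment"))
        if ext in RISKY_EXTENSIONS:
            g["risky_attachments"].add(ext)

    campaigns = []
    for key, g in groups.items():
        c = {"campaign": key, "reporters": sorted(g["reporters"]),
             "clicked": g["clicked"],
             "sender_domains": sorted(g["sender_domains"]),
             "url_hosts": sorted(g["url_hosts"]),
             "risky_attachments": sorted(g["risky_attachments"])}
        c["score"] = score_campaign(c)
        campaigns.append(c)
    campaigns.sort(key=lambda c: (-c["score"], c["campaign"]))
    return campaigns


if __name__ == "__main__":
    for c in triage(SAMPLE_REPORTS):
        print(f"{c['score']:>3}  {c['campaign']}  reporters={c['reporters']} "
              f"clicked={c['clicked']} hosts={c['url_hosts']} "
              f"attachments={c['risky_attachments']}")
```

Two reports of the same lure from different people collapse into one alert, and the campaign where a recipient actually opened the attachment rises to the top, which is the "manage and prioritise" step the article leaves implicit; the extracted sender domains and URL hosts are the company-specific indicators that can then be fed to mail filters or blocklists.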