The latest edition of Social Engineer Newsletter includes an article on the psychology behind ransomware. The author, Mike Hadnagy, talks about why people fall for ransomware attacks and then gets into some methods that help protect people from this crime.
Hadnagy uses a few different examples, but the one that stands out is something that happened to his friend a few months ago. She was at work processing invoices, and she opened an email that looked legitimate. The attachment was supposed to be an invoice, and she didn't notice that the email wasn't sent by a legitimate party. Shortly after opening the email and attachment, she was presented with a Cerber Ransomware instruction screen.
What happened here is easy to see: the victim was involved in her work and automatically started processing her next task (the email) without realizing that task had been poisoned by an attacker. We've blogged about this before here and here: the user is the weakest link in the organization because the user is subject to fatigue and distraction. Criminals know this, so they do their best to reach specific individuals with an email based on a believable premise.
By the end of 2016, it was clear that phishing was going to be the new preferred method for delivering ransomware. The botnets and compromised websites are still popular, but the ransomware – phishing combo attack has moved up in the charts. One anti-phishing company has found that 93% of all phishing emails contained ransomware as of March of this year. And in the same time period, that company measured 6.3 million phishing emails. That's a lot of potential ransomware attacks.
Many of these phishing emails are only slightly customized and sent in bulk to a large group of recipients. An example of this may be a phishing email to “HR Directors” or “Hiring Manager” with an attachment titled “Resume.” If this is sent to an HR Department, it's not unreasonable for a recipient to think that there may be a legitimate resume attached. Even if the recipient is unimpressed by a resume sent to the wrong person, he may open it out of curiosity. That's all the attacker needs to get his foot in the door. How many copies of these emails might be sent when the criminal sends them out to generic department addresses, like “HR@companyxyz.com?”
The type of phishing in the above example has a low success rate of about 30%. The success rate is lower if aimed at a company with a proper email security gateway that stops these attacks in the cloud. The more sophisticated attack used against Mike Hadnagy's friend is more successful and more dangerous. This attack is called “spear phishing,” and it's constructed after detailed research by the criminal.
The spear phishing attack attempts to impersonate a legitimate message and convince the recipient to do something. Open a malicious attachment, send a payment to a third party, enter personal or company credentials into a compromised website. The personalized nature of the email makes the message believable, and the results can be devastating. Due to the higher rate of success over phishing, these spear phishing attacks are on the rise. Over 90% of cyberattacks and breaches in 2016 were due to a successful spear phishing attack. By the end of last year, spear phishing attacks had increased 55% over the year before.
Osterman (pdf), SANS Institute, and other research groups confirm the growth of spear phishing and ransomware as an effective and damaging combination. Details aside, it's safe to say that the risk of a spear phishing attack is real, and the odds are good that the attack will have ransomware in the mix. And speaking of “mix,” it's important to remember spear phishing attacks bring more than one risk:
- The exposure of personal or corporate credentials, which could lead to unauthorized access and use of associated accounts
- The delivery of an Advanced Persistent Threat on the network, which will remain in stealth mode to perform reconnaissance on everything the APT can find
- The theft of data from the network, which might not be noticed until the criminals have released or sold it
- Botnet software that allows the criminal to hijack computers for malicious purposes
… and more that I haven't listed here or that haven't even been invented yet.
Hadnagy's article lists four specific actions you can take to help minimize the risk, and he gives you information on how to contact authorities if you are a victim. I won't repeat that info here because I think you should go read his article. What I will do is reiterate the importance of multiple layers of security and data protection, as well as end-user training and awareness. Constant awareness is a critical piece of training in order to keep your end-users mindful of these attacks.
For more information on how Barracuda can help you deploy multiple layers of security and data protection, visit our corporate site here. For specific information on how we protect you from ransomware attacks, visit our corporate ransomware site here and our ransomware blog here.
If you'd like to connect with Mike Hadnagy, you can find him on LinkedIn here.