Is spear phishing the new ransomware?
In a 2016 survey on ransomware, 43% of North American consumers said they did not know what ransomware is. That's despite the fact that ransomware activity had increased 300% during the same time period. Toward the end of 2016, ransomware attacks against businesses were taking place every 40 seconds. For individuals, that number increases to once every ten seconds.
The number of people unaware of ransomware attacks is surely smaller now. With global attacks and prime-time ransomware-centered TV shows, ransomware is creeping its way into the minds of computer users and savvy consumers everywhere. Businesses are creating ransom and cyberattack budgets, stockpiling bitcoin, and detailing procedures and thresholds on when to pay.
It looks like spear phishing is taking the same convoluted path through the consciousness of the public. In a recent survey of IT decision makers, only 25% felt confident that users would identify a phishing attempt, though in another survey, 54% of respondents were able to identify phishing emails. Meanwhile, the number of spear phishing attacks continues to increase, and the criminals are getting better at research and impersonation.
So is spear phishing the new ransomware? Let's take a look at a few similarities:
Both types of attack are growing.
Spear phishing has been part of some of the largest cyberattacks in history, including the Target and Sony attacks, and the number of attacks keeps going up. Earlier this year, the Anti-Phishing Working Group (APWG) reported that the total number of phishing attacks in 2016 had increased by 65% over 2015. Spear phishing is consistently rated as a top security concern among technology and business managers, and according to one survey, the average cost of an attack was $1.6 million. The same survey revealed that one in six companies reported a decline in stock prices after a spear phishing attack.
Ransomware attacks are also on the rise, and in 2016 these criminals took in more than a billion dollars from their victims. Ransomware isn't new, but experienced criminals have recently built turnkey businesses around some ransomware families. Ransomware-as-a-Service has made it easy for new criminals to get in on the racket, and ransomware "support" desks are available to help victims pay. Meanwhile, many victims have suffered some serious and high profile consequences, and the fallout from the NotPetya attack in June is still being uncovered.
Both attacks lead to other types of fraud and attack.
Spear phishing is an attack that is intended to lead to some greater crime. Think of it as someone trying to trick you into opening a locked door so they can gain entry and commit a crime. Once you open that door to your network, the attacker can steal your data, drop malicious code on your server, or engage in reconnaissance to learn more about your company.
While ransomware is usually headlining an attack, it is also used to commit other crimes. In 2015, one attacker dropped ransomware on one server and created scheduled tasks on another server. While security is busy responding to a ransomware attack, the criminal is exfiltrating data from the network. According to one report, the WannaCry attack was a diversion from a parallel attack to steal credentials and to drop a backdoor onto the affected systems:
“Worse, the [diversionary] assault, which has never been reported before, was not spotted by some of the nation’s leading cybersecurity products, the top security engineers at its biggest tech companies, government intelligence analysts, or the [US Federal Bureau of Investigation] (FBI), which remains consumed with the WannaCry attack,”
Jeff Pollard, principal analyst at Forrester, has given similar warnings about making sure that the ransomware represents the entirety of an attack. The criminals always want their ransom, but they may want other things too.
Both require advanced protection to prevent attacks.
When University College London was attacked a few months ago, the media reported that UCL didn't know which family of ransomware was in play, but that it was something that hadn't been seen before:
The university believes the malicious software may have infected its systems through a phishing email that was clicked on by a user. The system’s virus checkers did not pick up on the malware, which has led UCL to warn that it may be facing a “zero-day” attack – exploiting a vulnerability that has not yet been patched or picked up on.
A business is attacked by a ransomware variant every 40 seconds, and the number of ransomware variants grew by a factor of 30 in 2016. Phishing email attachments remain the number one delivery mechanism for ransomware, and as we mentioned above, phishing attacks continue to increase at an alarming rate.
Many types of ransomware and other malware have sandbox evasion capabilities, which means that they are designed to avoid certain types of detection. Sandboxing is a threat detection technique that opens suspicious email attachments in a safe space (the 'sandbox') in order to evaluate whether that attachment is an attack. Sandbox evasion techniques prevent the malware from running in a sandbox or sandbox-like environment. This is meant to delay the identification of the attachment.
Machine learning, artificial intelligence, and the use of heuristics make it possible for threat protection technologies to defend against these advanced threats. Without these technologies, security systems would not be able to stop attacks that have not previously been observed and defined.
So what does it all mean?
Obviously, spear phishing and ransomware are two different beasts. Spear phishing is an attack that relies on human interaction and social engineering, and it sometimes carries a payload of ransomware with it. Ransomware is malware that can be set out into the world to do its job, and sometimes it is smart enough to evade detection or hide other attacks. Both will continue to evolve with new technologies and techniques. In fact, we are already seeing criminals using 'doxing' in ransomware attacks, which is an attempt to collect ransom from victims who refuse to pay. As more people deploy robust and reliable data protection, fewer are willing to pay a ransom for a decryption key. These new doxing ransomware attacks involve uploading a copy of the victim's data to a server owned by the criminal, with a threat to send the data to multiple third parties if the ransom is not paid.
We can't emphasize enough how important it is for you to deploy multiple layers of security, including a comprehensive data protection solution. Your users should also be trained well enough and often enough to maintain a skill and awareness level that will significantly reduce the likelihood of a successful attack. You should also be checking for latent threats, to make sure that the malware isn't already on your network waiting for a time to strike.
For more information on ransomware, visit our ransomware blog here and our corporate ransomware site here. To learn more about protecting yourself from spear phishing attacks, visit the spear phishing blog here and Barracuda Sentinel corporate site here.