
Ransomware can be an expensive phishing lesson


Aaron Higbe is co-founder and CTO of cybersecurity training firm PhishMe. In this article, he explores what ransomware is and how companies can ensure they don’t fall victim to it.

At the end of 2015, a critical attack that caused power outages at Israel’s power grid was traced back to ransomware. Then, in January, the UK’s Lincolnshire County Council held its hands up after its systems were maliciously encrypted, forcing it to suspend a number of public services.

The latest instance saw the US-based Hollywood Presbyterian Medical Center reverting to communicating in person or via fax as its systems were held to ransom. The tragedy is that these are not isolated cases, with many more companies joining this sorry register of ransomware victims.

To pay or not to pay?

The primary purpose of ransomware is to make money for the criminals behind it. They send their code, typically via a phishing message that tricks an unwitting victim into installing the malicious program on their systems; the program then encrypts the data and demands that a ransom be paid to reverse the damage.

While there have been a number of iterations, CryptoWall is arguably the most successful ransomware. It was so lucrative during its prolific career that the Cyber-Threat Alliance claimed it had netted nearly £214m worldwide during its short life span.

While Lincolnshire council took a firm stance, refusing to meet the criminals’ $500 demands, Hollywood Presbyterian opted to hand over $17,000 to secure the decryption keys and remove the shackles from its systems. Of course, parting with cash isn’t a guarantee that the criminals will honour the agreement, as ProtonMail found to its detriment last November.

However, the size of the ransom isn’t actually the issue everyone should be preoccupied with, nor whether it’s right or wrong to reward the criminals for their ingenuity. Instead, the focus should be on how to stop ransomware in the first instance.

With all the various technologies ring-fencing enterprises, or at least supposed to be, how can ransomware still take such a choke-hold on systems?

Point of infection

The sad truth is that phishing emails laden with ransomware can easily slip past filters and arrive in email inboxes. This leads many to argue that antivirus applications are the first line of defence. However, Lincolnshire County Council had antivirus installed, plus other security software, but its systems didn’t detect the malware as it went about encrypting its network.

In the council’s defence, the strain of ransomware was a previously unseen program, so the various software deployed was not looking for it – a well-documented flaw with this approach.

Technology alone cannot solve the problem of phishing, and security teams are not the only line of defence. It takes all hands on deck.

Activate your human defences

There is hope, as ransomware has an Achilles’ heel. In nearly all cases, someone has to interact with the program to trigger the attack. As humans are attacking humans, it stands to reason that humans can defend against the attack.

If the workforce is conditioned to recognise the criminals’ methods, employees can actively deflect them and keep the enterprise secure.

Of course, this doesn’t happen instantly, so here are the three layers that transform employees into an impenetrable human phishing defence:

Layer one: Suspicion as standard

Inboxes are viewed by criminals as an exploitable point of entry, so employees need to be empowered as active participants in security – spotting not just ransomware, but anything that looks to steal data, shut down entire IT systems, interfere with critical communications and even extort money.

Regularly checking a person’s vulnerability to phishing messages, and providing immediate feedback at the point that they’re found to be susceptible, is far more likely to change behaviour than training employees for a few hours each month, or providing them with a leaflet on the risks of phishing.

Repeated over time, employees become conditioned to question their inbox and respond appropriately.

Layer two: Intelligence collecting

While preventing every employee from clicking links and opening attachments is the ideal, it’s also unrealistic.

As employees become increasingly perceptive and able to correctly identify these malicious messages, collecting their reports provides the incident or security team with immediate, company-specific phishing attack intelligence.

Providing positive reinforcement when a successful phish is reported encourages repeat behaviour, so make sure you congratulate positive identification.

Layer three: Detect and deflect

Harnessing this unique, human-derived intelligence allows security teams to manage and prioritise alerts, speed up incident response and ultimately take evasive action when necessary.

Every workforce has within it the problem-solving skills to identify malicious emails that, partnered with automated identification, can slam the door closed on cyber criminals and their ransomware. Rather than undo the damage of the next ransomware attack, organisations should turn employees from weakest link to a powerful human phishing defence.

The latest issue of Tech City News Magazine focuses on the topic of cyber security.