Los Angeles-based Hollywood Presbyterian Medical Center made headlines recently when it revealed its systems had been encrypted by ransomware. The tragedy is that it's not the first to fall victim to this type of attack, and it almost certainly won't be the last. In January the UK's Lincolnshire County Council admitted its systems had been maliciously encrypted, forcing it to shut down its PCs and servers in a bid to contain the attack. Even the recent "critical attack" against Israel's power grid turned out to be ransomware.
CryptoWall, arguably the most successful ransomware family, was so lucrative that the Cyber Threat Alliance estimated it had netted nearly £214 million worldwide over its relatively short life span.
To pay or not to pay is a hotly debated question. The UK council took a firm stance, refusing to meet the criminals' $500 demand, while Hollywood Presbyterian is reported to have handed over $17,000 to obtain the decryption keys and free its systems. Of course, parting with cash is no guarantee that the criminals will honour the agreement, as ProtonMail found to its detriment last November.
However, the size of the ransom isn't actually the issue everyone should be preoccupied with, nor whether it's right or wrong to reward the criminals for their ingenuity. Instead, the focus should be on how to stop ransomware getting in in the first place.
With all the various technologies ring-fencing enterprises (or at least they should be), how can ransomware still take such a choke-hold on systems?
Ransomware – it doesn’t act alone
Ransomware in action
Although a few ransomware variants have been found hosted on websites, the vast majority of infections are traced back to a phishing attack.
While we wait for Hollywood Presbyterian to confirm the source of its outbreak, both the attack against Israel's power grid and Lincolnshire County Council's outage were confirmed as having arrived via a phishing message.
The sad truth is that phishing emails laden with ransomware can easily slip past filters and arrive in inboxes. This leads many to argue that antivirus is the first line of defense. However, Lincolnshire County Council had anti-virus installed, plus other security software, and its systems still didn't detect the malware as it went about encrypting the network. In the Council's defense, the strain of ransomware was a previously unseen program, so the signature-based tools deployed were not looking for it, a well-documented limitation of that approach.
Technology alone cannot solve the problem of phishing, and security teams are not the only line of defense. It takes all hands on deck.
You have a human phishing defense – so use it
The critical flaw with ransomware is that, in nearly all cases, someone has to engage with the malware to trigger the attack, and it's this notion that organisations need to wake up to: humans are attacking humans.
Organisations need to take steps to equip the people in the enterprise with the conditioning needed to avoid falling victim to attacks and to actively help the organisation deflect them. Here are the three steps needed to turn the workforce from weakest link into an active human phishing defense:
Step One: Change Behaviour
With the right conditioning, people can be empowered to be active participants in security, spotting not just ransomware but any attack that looks to steal data, shut down IT systems, interfere with critical communications or extort money.
Regularly testing a person's susceptibility to phishing messages, and providing immediate feedback at the point they are found to be susceptible, is far more likely to change behaviour than training employees for a few hours each month or handing them a leaflet on the risks of phishing.
Repeated over time, employees become conditioned to question their inbox and to identify the tell-tale signs that all is not as it seems.
Step Two: Report Attacks
Of course, preventing every employee from clicking links and opening attachments is the ideal, but nothing is foolproof. Instead, organisations need to harness employees' identification of suspicious emails as they arrive.
As employees become accustomed to identifying phishing attacks, having them report these suspect messages to the incident or security team provides real-time, company-specific phishing intelligence that can be actioned.
Just as Pavlov's dogs demonstrated conditioned behaviour, providing instant feedback when a real phish is reported gives positive reinforcement that encourages the behaviour to be repeated.
Step Three: Take Evasive Action
Having gathered this unique, human-verified intelligence, security teams need to be able to manage and prioritise the resulting alerts, speed up incident response and, ultimately, take evasive action when necessary.
A human phishing defense with the problem-solving skills to identify these emails, partnered with automated identification, remediation and sharing of phishing-specific threats, will slam the door on cyber-criminals and their ransomware.
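To make the reporting and triage steps concrete, here is an added example (it is not part of the original article and not PhishMe's own code) of what a security team can do with employee reports: it takes reported messages as raw bytes, extracts the indicators a responder needs (sender domain, URLs, attachment hashes), groups the reports into campaigns by sender domain and ranks them so the most widely reported, most dangerous lure is actioned first. The three sample messages, the scoring weights and the list of risky attachment extensions are assumptions constructed for the demonstration; the names `extract_indicators`, `triage` and `build_sample` are the example's own.

```python
"""Triage employee-reported phishing messages into prioritised campaigns.

Added example, not PhishMe's code. Assumes each report arrives as
(reporter address, raw RFC 5322 message bytes), e.g. the original message
forwarded as an attachment by a 'Report Phish' button. Sample data below is
constructed for the demo.
"""
import hashlib
import re
from collections import defaultdict
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr

URL_RE = re.compile(r"https?://[^\s<>\"']+")
# Attachment types that commonly carry droppers (assumption used for scoring).
RISKY_EXT = {".zip", ".exe", ".js", ".scr", ".hta", ".docm", ".xlsm", ".lnk"}


def extract_indicators(raw: bytes) -> dict:
    """Pull sender domain, subject, URLs and attachment hashes from one message."""
    msg = message_from_bytes(raw, policy=policy.default)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    domain = sender.rsplit("@", 1)[-1] if "@" in sender else ""
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    urls = sorted(set(URL_RE.findall(text)))
    attachments = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        name = part.get_filename() or "unnamed"
        attachments.append((name, hashlib.sha256(data).hexdigest()))
    return {"sender": sender, "domain": domain, "subject": msg.get("Subject", ""),
            "urls": urls, "attachments": attachments}


def triage(reports):
    """Group reports by sender domain and rank the campaigns by urgency.

    Returns campaigns sorted by descending score; each carries the IOCs a
    responder would push to the mail gateway, proxy and EDR block lists.
    """
    campaigns = defaultdict(lambda: {"reporters": set(), "urls": set(), "hashes": set(),
                                     "subjects": set(), "risky_attachment": False})
    for reporter, raw in reports:
        ind = extract_indicators(raw)
        c = campaigns[ind["domain"]]
        c["reporters"].add(reporter.lower())
        c["urls"].update(ind["urls"])
        # Normalise numbers so "invoice 4471" and "invoice 4482" cluster together.
        c["subjects"].add(re.sub(r"\d+", "#", ind["subject"].lower()))
        for name, digest in ind["attachments"]:
            c["hashes"].add(digest)
            if any(name.lower().endswith(ext) for ext in RISKY_EXT):
                c["risky_attachment"] = True
    ranked = []
    for domain, c in campaigns.items():
        # Weights are an assumption: breadth of reporting dominates, a risky
        # attachment bumps the campaign up, each URL is one more thing to block.
        score = 10 * len(c["reporters"]) + (25 if c["risky_attachment"] else 0) + 5 * len(c["urls"])
        ranked.append({"domain": domain, "score": score,
                       "reporters": sorted(c["reporters"]),
                       "block_urls": sorted(c["urls"]),
                       "block_hashes": sorted(c["hashes"]),
                       "subjects": sorted(c["subjects"])})
    return sorted(ranked, key=lambda r: r["score"], reverse=True)


def build_sample(sender, to, subject, body, attachment=None) -> bytes:
    """Build a constructed report as raw bytes (stand-in for a forwarded .eml)."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = sender, to, subject
    msg.set_content(body)
    if attachment:
        name, data = attachment
        msg.add_attachment(data, maintype="application", subtype="octet-stream", filename=name)
    return msg.as_bytes()


# Constructed sample reports: two people received the same "invoice" lure with a
# zipped dropper; one received a credential-harvesting link from another domain.
FAKE_ZIP = b"PK\x03\x04not-a-real-archive"
SAMPLE_REPORTS = [
    ("alice@example.com", build_sample("Accounts <invoices@examp1e-billing.com>", "alice@example.com",
                                      "Overdue invoice 4471",
                                      "See attached or visit http://examp1e-billing.com/inv/4471",
                                      ("invoice_4471.zip", FAKE_ZIP))),
    ("bob@example.com", build_sample("Accounts <invoices@examp1e-billing.com>", "bob@example.com",
                                    "Overdue invoice 4482",
                                    "See attached or visit http://examp1e-billing.com/inv/4482",
                                    ("invoice_4482.zip", FAKE_ZIP))),
    ("carol@example.com", build_sample("IT Helpdesk <helpdesk@mail-reset.example.net>", "carol@example.com",
                                      "Password expires today",
                                      "Reset now: https://mail-reset.example.net/owa")),
]

if __name__ == "__main__":
    for c in triage(SAMPLE_REPORTS):
        print(c["score"], c["domain"], "reporters:", len(c["reporters"]),
              "urls:", c["block_urls"], "hashes:", c["block_hashes"])
```

The output of `triage` is what closes the loop in Step Three: the top-ranked campaign's URLs and hashes go to the block lists, its reporters receive the thank-you feedback that reinforces reporting, and the sender domain and normalised subject become the search terms for finding recipients who received the same lure but did not report it.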
Aaron Higbee is the co-founder and CEO of PhishMe.