Ransomware is an ongoing threat to organizations and their data around the world. It can strike at multiple points in an organization – network, equipment, and employees. It targets industries, governments, for-profit companies, and nonprofits, large and small. Channels for distribution of the malware include compromised peripherals (e.g., printers or external hard drives), email phishing, insecure use of Remote Desktop Protocol (RDP), and common software application security vulnerabilities. Either form – crypto ransomware that locks files, or locker ransomware that locks the device – can be deployed through multiple means.
No one is immune to the risk of ransomware. Here is the latest information on trends in ransomware.
One of the fastest growing segments in ransomware is attacks targeted at mobile devices. This threat persists across multiple platforms and operating systems. This increase is due to several factors.
- An increasing number of people spend an increasing amount of personal and professional time accessing sensitive data (banking, healthcare, etc.) on their mobile phones and tablets.
- Mobile devices offer multiple attack vectors. Payloads can be delivered via email, SMS, and apps.
- Wearables and smart home devices are two of the fastest growing areas of technology. Many people sync these with their mobile devices, offering a trove of data to target.
- Mobile devices and the associated applications are often rushed to market without proper design and testing for security.
What can you do to protect your mobile device from a ransomware infection?
- Install all updates to your mobile device when they are provided by the vendor: Just like with your desktop or laptop computer, stay current on security updates.
- Use an antivirus program designed for mobile: Your mobile device should have an antivirus program installed to help stop the most common threats.
- Back up the data on your mobile device on a regular basis: Whether you back up your data to the cloud, to a file hosting service, or to an external hard drive, be sure to keep at least one copy of it outside of your mobile device.
- When in doubt, do not click!: Do not click on the links in text messages if you are not sure of the sender. Do not click on the links or pop-ups in applications or in-app advertising.
- Do not purchase or download applications from unknown or untrusted sources: Do not use third-party app stores. Always acquire your apps from trusted sources. Update your phone security settings to not allow unapproved application installations.
- Do not borrow anything that can be plugged into your devices from anyone else: Any peripherals that can be plugged into a device can be used to hack the device. You should also avoid using another’s Bluetooth device, since they can also be used in an attack (bluesnarfing and bluebugging). It is also a good reason to avoid buying those cheap chargers.
- If you issue mobile devices to your employees, or allow them to Bring Your Own Device (BYOD) for work, you need to provide instruction on how to harden these devices, as well as security awareness training as to the risks of using mobile devices and working externally to your company’s network.
Vendor Email Compromise
Vendor Email Compromise, or VEC, is a version of a Business Email Compromise (BEC) that is specifically targeted at the supply chain. The use of this attack method is on the rise. Although they take longer to execute, the payouts in a VEC scam can be significant.
In a VEC attack, the attacker:
- begins by sending a credential-grabbing phishing email targeted at an employee who is a link in the supply chain, usually in accounts payable or the CFO's office, with the goal of obtaining login credentials,
- once they have harvested a user's credentials, creates a fake email account and has the compromised user's emails forwarded to an account under the attacker's control,
- takes time to observe the activities and habits of the compromised user and their inbox, as well as the type and structure of items such as invoices and vendor payments that pass through the account,
- sends email correspondence from the compromised account to build a connection with possible client targets,
- once they have enough information, creates a fake invoice that mimics a real one but carries updated payment instructions, and sends it from the legitimate email address to a client of the company they have breached,
- and the client then unknowingly pays the invoice to a bank account controlled by the attacker.
A VEC has specific characteristics that set it apart from other BEC scams, ones that make it incredibly difficult to catch. Having the phony invoice modeled on known examples, sent from a legitimate email address with a known tone/voice, and delivered as part of an observed process can snag even the most careful employee.
What can you do to mitigate the risk of a VEC attack?
- Train your employees to recognize the signs of a VEC/BEC, including the creation of a false sense of urgency or changed payment instructions.
- Execute phishing simulation testing to expose your employees to different variants of email threats.
- Implement a step in your payment transaction process which requires verification of any changes to payment instructions or unexpected invoices. Require a secondary means of verifying changes, such as a phone call to the vendor, especially for wire transfer payments (a popular option for attackers who tend to operate overseas) or Bitcoin payments.
- Require the use of Multi-Factor Authentication (MFA) on all payment systems.
- Provide access to a Virtual Private Network (VPN) to be used for payment correspondences.
- At the start of a new vendor contract, review the process of submission for payment with your client and agree how any changes to payment instructions will be communicated (hint: not via email).
- Apply the Principle of Least Privilege (PoLP) when granting access to files, directories, and networks.
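Two of the steps above have a footprint a defender can check for mechanically: the attacker's forwarding of the compromised inbox to an external address, and the changed payment instructions on an otherwise authentic-looking invoice. The script below is an added example, not code from the original article or any vendor product. It assumes a simplified, hypothetical audit-event schema (`user`, `operation`, `forward_to`, `delete_message`), an organization whose only mail domain is `example.com`, and constructed vendor-master and invoice records; the sender address on every sample invoice is the vendor's genuine one, so the check deliberately keys on the bank details rather than on who sent the mail.

```python
"""Two defender-side checks for the Vendor Email Compromise pattern (added example)."""
from dataclasses import dataclass

# Assumption: the organization's own mail domains; any other domain is "external".
INTERNAL_DOMAINS = {"example.com"}

# Constructed mailbox-rule audit events (not real logs). The field names are a
# simplified, hypothetical schema; a real mail platform's audit export differs.
RULE_EVENTS = [
    {"user": "ap.clerk@example.com", "operation": "New-InboxRule",
     "forward_to": "ap.clerk@example.com", "delete_message": False},
    {"user": "cfo@example.com", "operation": "New-InboxRule",
     "forward_to": "cfo.backup@mail-relay.invalid", "delete_message": True},
    {"user": "ap.clerk@example.com", "operation": "Set-InboxRule",
     "forward_to": None, "delete_message": False},
]


def is_external(address: str) -> bool:
    """True when the address's domain is not one of the organization's own."""
    domain = address.rsplit("@", 1)[-1].lower()
    return domain not in INTERNAL_DOMAINS


def flag_external_forwarding(events):
    """Return (user, target, deletes_copy) for rules that forward mail outside the org.

    This is the footprint of the step where the attacker has the compromised
    user's mail forwarded to an account they control; a rule that also deletes
    the local copy is a further sign the mailbox owner is not meant to notice.
    """
    flagged = []
    for ev in events:
        target = ev.get("forward_to")
        if target and is_external(target):
            flagged.append((ev["user"], target, bool(ev.get("delete_message"))))
    return flagged


@dataclass(frozen=True)
class BankDetails:
    account: str
    routing: str


# Constructed vendor master: the payment instructions agreed at contract start.
VENDOR_MASTER = {
    "Acme Supplies": BankDetails(account="000123456", routing="000000001"),
}

# Constructed incoming invoices. The sender is the vendor's real address in every
# case, so the control must key on the instructions, not on the sender.
INVOICES = [
    {"vendor": "Acme Supplies", "sender": "billing@acme-supplies.invalid",
     "account": "000123456", "routing": "000000001", "method": "ACH"},
    {"vendor": "Acme Supplies", "sender": "billing@acme-supplies.invalid",
     "account": "000987654", "routing": "000000001", "method": "wire"},
    {"vendor": "Acme Widgets", "sender": "billing@acme-supplies.invalid",
     "account": "000555555", "routing": "000000001", "method": "wire"},
]

CHANGED_INSTRUCTIONS = "changed-instructions"
UNKNOWN_VENDOR = "unknown-vendor"


def check_payment_instructions(invoices, master):
    """Return (index, reason, verify_by) for invoices that must not be paid until
    the instructions are confirmed through a channel other than email."""
    holds = []
    for i, inv in enumerate(invoices):
        known = master.get(inv["vendor"])
        # Wire transfers get a phone callback to the number already on file.
        verify_by = ("phone call to the number on file" if inv["method"] == "wire"
                     else "out-of-band confirmation")
        if known is None:
            holds.append((i, UNKNOWN_VENDOR, verify_by))
            continue
        if BankDetails(inv["account"], inv["routing"]) != known:
            holds.append((i, CHANGED_INSTRUCTIONS, verify_by))
    return holds


if __name__ == "__main__":
    for user, target, deletes in flag_external_forwarding(RULE_EVENTS):
        print(f"forwarding rule: {user} -> {target} (deletes local copy: {deletes})")
    for idx, reason, how in check_payment_instructions(INVOICES, VENDOR_MASTER):
        print(f"hold invoice #{idx}: {reason}; verify by {how}")
```

On the constructed input, the CFO's rule forwarding to `mail-relay.invalid` is flagged while the clerk's self-forward is not, and only the two invoices whose bank details do not match the vendor master are held; the first invoice, sent from the same legitimate address, is cleared, which is exactly why a sender-based filter alone would not catch this scam.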
New FBI Warning
In a recent Public Service Announcement from its Internet Crime Complaint Center (IC3) titled High Impact Ransomware Attacks Threaten U.S. Businesses and Organizations, the FBI notes that “Ransomware attacks are becoming more targeted, sophisticated, and costly, even as the overall frequency of attacks remains consistent. Since early 2018, the incidence of broad, indiscriminate ransomware campaigns has sharply declined, but the losses from ransomware attacks have increased significantly, according to complaints received by IC3 and FBI case information.”
As in the previous PSA on ransomware issued in September 2016, the FBI “does not advocate paying a ransom, in part because it does not guarantee an organization will regain access to its data.” The FBI does note that ultimate responsibility for the decision of whether to pay or not pay lies with the organization: “when businesses are faced with an inability to function, executives will evaluate all options to protect their shareholders, employees, and customers.”
The new PSA also encourages victims to “report ransomware incidents to law enforcement. Doing so provides investigators with the critical information they need to track ransomware attackers, hold them accountable under U.S. law, and prevent future attacks.” Victims of a ransomware attack should contact law enforcement, whether or not they choose to pay the requested ransom.
As noted in the PSA, the best defenses against a ransomware attack, no matter the device or attack channel, are a “robust system of backups”, a strong, well-vetted and well-tested Business Continuity and Disaster Recovery plan, and a strong focus on awareness and training.