Ransomware attacks are on the rise. Hospitals, schools, state and local governments, small businesses, large businesses—these are just some of the entities impacted by recent ransomware attacks. But what part does coincidence play in ransomware attacks?
Although a coincidence can sometimes bring fortune and opportunity within our personal lives, rarely does any good come from one when it comes to I.T. An ill-timed coincidence can send you journeying down the wrong rabbit hole or bring about a devastating vulnerability within your network. For instance, a server or critical network application goes down right after the installation of a round of Windows updates which ends up wasting ninety minutes of your time troubleshooting this combination of events until you realize that the timing of the two was pure coincidence.
Dangers of Click Happy Users
Sometimes a coincidence can cost IT personnel a lot more than just time. Case in point is a recent ransomware attack experienced by a law firm that I learned about in a conversation the other day with one of its partners. The firm was hiring for a new staff position. One of the partners of the firm had received an email one morning addressed to the HR staff email box to which all resume submissions are addressed. The email in question contained a zip file attachment simply called “my resume.” The partner unsuspectingly clicked the attachment (you know where this is going) which then initiated a web session and downloaded the malware which quickly encrypted the partner’s computer as well as the mapped drives located on the primary file server.
The law firm contracts with a local IT person in the area who although highly experienced in desktop support and basic LAN management lacks ample knowledge in network security. He was immediately contacted and fortunately, he had good backups and was able to quickly restore all of the lost data. All seemed well once again in Camelot.
But then a comedy of errors began as later that afternoon, another partner also read the same email ( the HR email box either is associated with all partners). The other partner opened the attachment, once again initiating a call to the contracted IT person. Be it a lack of internal communication or simply a lack of knowledge in email security protocol, the restoration process had to be repeated not just that afternoon but the next morning as well. Only after the third restoration did the IT support person and staff conduct a thorough email scan and terminated all of the malicious emails.
Exposure is inevitable
On any other given day, the partners would have simply ignored the spam email that got through but the coincidence of the timing caused the partners to lower their guard. This is a classic example of a case in which educating your users just simply isn’t enough. Although intuition and common sense are critical components of a solid endpoint security plan, it is never enough. Eventually, even the most vigilant user will be exposed thanks to an unfortunate coincidence.
Spam bots & email harvesting
So what could this law firm have done better? Well for starters they should have never exposed a staff email to the Internet. The staff email was exposed on a number of job post websites and quickly consumed by spam bots. Email addresses that are exposed in this type of manner should never be shared amongst multiple people within the company but instead should be isolated to a single user.
Perimeter Defenses
Secondly of course, the firm is lacking in perimeter defense systems. The firm did utilize an anti spam service but apparently the spam gateway features were not configured properly. An spam filter should have sandboxing technology to analyze attachments or strip away any executable attachments. Of course no spam defense utility is perfect and dangerous attachment executables can be brought into your network through more means than simply email.
What the firm lacked was a web filtering option. The firm probably never anticipated a need for a web filter. Advanced web filtering today is designed to do more than merely stop users from accessing offensive and distasteful websites. In this case, web filtering technology could have prevented a web session from connecting to the attacker’s servers in the first place, thus preventing the malware download process. It could have served as a gateway to analyze and strip away all malicious executables at the point of entry. At the very least, advanced web filtering can be a strong wall of resistance in cases where spam and endpoint protection fail to stop an intrusion.
For more indepth analysis on currently active ransomware variants, check out our 'Nuts and Bolts of Ransomware Guide"