We were happy to sponsor the latest research report from Osterman Research, How to Reduce the Risk of Phishing and Ransomware, which included a survey of cyber professionals in mid-to-large-size organizations. The results confirmed a lot of what we here at Trend Micro have been seeing over the past year, and I wanted to share some of the results and comment on them.
Phishing and ransomware are two of the threats we see targeting our customers every single day, and both can lead to significant challenges for the victim organization. The survey shows that respondents rank both among their top concerns:
The latest ransomware attack we saw, targeting Kaseya customers, exploited a vulnerability, but if you look at most attacks today, many start with a phishing email targeting employees. Interestingly, our data has shown a shift from these emails containing either a weaponized attachment or a malicious link to emails that now carry both. Malicious actors are apparently hoping an employee falls for one or the other.
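The observation above (phishing emails that now carry both an attachment and a link) suggests a simple triage check for a mail-security pipeline. The following is an added example, not code from the original post or from Trend Micro: it parses a raw message with Python's standard `email` library and flags the attachment-plus-link combination. The sample message is constructed for illustration and uses the reserved `example.invalid` domain.

```python
import email
import re
from email import policy

# Constructed sample message (not a real phishing email): it carries both an
# attachment and a link in the body, the combination the post describes.
SAMPLE_EML = b"""From: sender@example.invalid
To: employee@example.invalid
Subject: Invoice attached
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain; charset="utf-8"

Please review the attached invoice or view it online at https://example.invalid/invoice
--XYZ
Content-Type: application/pdf; name="invoice.pdf"
Content-Disposition: attachment; filename="invoice.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--XYZ--
"""

URL_RE = re.compile(r'https?://[^\s<>"\']+', re.IGNORECASE)


def triage(raw_message: bytes) -> dict:
    """Return the attachments and URLs found in a raw RFC 5322 message and
    whether it carries both, the pattern worth prioritising for review."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    attachments = []
    urls = set()
    for part in msg.walk():
        if part.is_multipart():
            continue  # containers carry no payload of their own
        if part.get_content_disposition() == "attachment" or part.get_filename():
            attachments.append(part.get_filename() or "(unnamed)")
            continue
        if part.get_content_maintype() == "text":
            urls.update(URL_RE.findall(part.get_content()))
    return {
        "attachments": attachments,
        "urls": sorted(urls),
        "attachment_and_link": bool(attachments) and bool(urls),
    }
```

The verdict is a triage signal for prioritising review, not a malware determination on its own.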
As a side note, as I was reading this report, which was written not too long ago, I saw the following statement and thought it was quite prophetic, as we are currently dealing with the Kaseya attack that started on the Friday afternoon of the July 4th holiday weekend:
Cybercriminals are also embracing underhanded guerrilla-warfare tactics to create massively disruptive encryption events at the worst time possible for an organization—such as late in the evening just before a major holiday weekend or vacation, or the day before school starts in the education sector. Such timing increases the social pressure on everyone who has a say in the resolution, making payment of the ransom seem like the easiest way out of the immediate problem.
Modern ransomware attacks now follow a model in which the targeted victim's network is first infiltrated using a method like phishing; the actors then move laterally to the critical business systems and deploy the ransomware there. In fact, ransomware is usually the last stage of the attack on the network, since it is so visible. Prior to executing the ransomware they may have exfiltrated data in a double-extortion effort. So in many cases these two threats are part of a single campaign against an organization and need to be viewed as such.
Somewhat concerning from the survey was that only 37% of organizations believed they were highly effective at counteracting 11 or more of the phishing and ransomware threats. This means almost two-thirds of these organizations felt they were not very effective at countering these two threats. Part of the challenge is how well employees are educated about these threats. From the survey, less than half (45%) were fairly or completely confident that all employees could recognize an email-based phishing threat. This was even worse for recognizing malware or ransomware attempts (39%).
From a defense perspective, we’ve seen Artificial Intelligence and Machine Learning (AI/ML) become mainstream technologies in defending against both of these threats. In fact, ML scanners are detecting ransomware so well that malicious actors now routinely have to turn off security agents running these to ensure endpoints get infected with their malware. But a troubling stat from the survey found only 6% of organizations continually use these defense technologies. We’ve also seen in many cases where infections have occurred that customers have not enabled our AI/ML within the solutions that support them. My recommendation for any organization who wants to improve protection against these threats is very similar to what is recommended within the report:
To protect against phishing attacks:
- Enable multi-factor authentication on email accounts to minimize the risk of employee accounts being compromised and used in attacks
- Enable AI/ML within your email security solutions, especially if you are using Office365
- Educate your employees about phishing and help them recognize suspicious emails. One item to hammer home: if they get an account login pop-up screen after clicking on an email link or opening an attachment, DO NOT enter their credentials. This is 99.9% likely to be a phish.
To prevent ransomware attacks:
- Enable multi-factor authentication for your administrative accounts, as well as any accounts on an internet-facing device
- Patch your applications and operating systems, and utilize virtual patching to help
- Utilize EDR/XDR solutions that may help identify early-warning activities that lead to a ransomware attack
- Deploy a 3-2-1 backup strategy
- Develop and run a corporate-wide security awareness training program, and in particular ensure that new employees and contractors go through rigorous on-boarding cybersecurity training
Ransomware and phishing will continue to be utilized, and their usage by malicious actors targeting victims will likely increase. The report contains much more useful information, and you would likely give similar responses if you answered its questions yourself. Follow the advice above and within the report to improve your response to these threats, and let's ensure these bad actors cannot gain a foothold in your network.