Ransomware attacks are the latest pandemic, changing and evolving like a digital disease to find new ways to infiltrate and extort victims. New ransomware variants keep appearing to take advantage of any vulnerability or security oversight, making network detection and response (NDR) more necessary than it has ever been.
Phishing has been one of the most common ways ransomware gets in for as long as email has been a business tool, because it is the easiest and shortest path from the attacker to the valuable core of your business. Many enterprises are turning to professional threat hunting tools such as NDR and endpoint detection and response (EDR) to protect themselves. Let's drill down to get a clearer picture of what ransomware is, how it spreads, and what tools and solutions you will need to defend against it.
Ransomware as a Service (RaaS)
Ransomware is a lucrative business in 2021, thanks to the simplicity of its business model and the ever-growing number of connected devices. Ransomware is created, updated, sold and shared across the world, and targets the most vulnerable industries; in 2021 that has notably meant healthcare. It is even sold as Ransomware as a Service, where a developer leases the malware and its infrastructure to affiliates who carry out the attacks in exchange for a share of the ransom, a model that is creating a nightmare for business leaders worldwide. Forbes has covered RaaS in more detail.
But no one is safe from the threat of ransomware, not even those with expansive threat hunting tools such as NDR, EDR or secure web gateways. Ransomware operators keep adopting new and powerful attack methods, proven successful against SMBs, governments, NGOs, and the technology and education sectors. The ENISA Threat Landscape Report 2021 ranks the top 10 threats as:
- Malware
- Web-based attacks
- Phishing
- Web-application attacks
- Spam
- DDoS
- Identity theft
- Data breach
- Insider threat
- Botnets
IT security teams and threat hunters are seeing more comprehensive and targeted attacks in 2021, with backups, databases and web pages affected. Exploiting vulnerabilities to increase infection rates has become more common, as has the trend of raising the ransom or selling stolen data on the dark web when payment is delayed, or even after it has been paid (so-called double extortion). Ransomware operators have also changed how they communicate with victims, using chat functions, email and websites to negotiate payment. Finally, ransomware is becoming stealthier at infecting machines and evading detection, and now infects IoT and smart devices as well as PCs.
Phishing has always been one of the top delivery methods for ransomware, and for good reason: it is, and always has been, the easiest path into your network. While exploit-based and web-based attacks take manpower, experience and powerful tooling, a phishing attack needs only a single click, and that click is easy to get from an unsuspecting employee. Let's explore why phishing and ransomware are a match made in hell, what phishing actually is, and how NDR and its threat hunting abilities can protect against it.
What is Phishing?
While enterprises can plan and control technology, they have yet to figure out how to control the human element. Humans are the weakest link in the security chain, and attackers use phishing to exploit human nature to steal usernames, passwords, and even money or payment details. Threats like this are so common in 2021 that businesses need help setting up stronger threat hunting mechanisms to protect themselves from disaster. In a phishing attack the attacker sends an email carrying a malicious link or attachment; the ransomware is downloaded and runs when the recipient clicks the link or opens the attachment.
Phishing emails are easy to send, can be sent in bulk, and offer a huge return on investment: just one click is enough to get attackers in the door. Victims are lured into clicking the malicious link by social engineering designed to play on human feelings of fear, happiness and curiosity. Many phishing emails pose as a financial institution or as a colleague to ask for passwords or personal information. Some exploit people's fears about events such as the pandemic to entice them into clicking. In short, even the simplest phishing techniques are hard to avoid, which means more sophisticated attacks are much harder still to anticipate and avoid.
Why is Phishing so Successful?
Modern phishing techniques succeed because they go further than their predecessors in manipulating people. Phishing operators mine social media to craft emails that speak directly to the recipient's concerns and insecurities. Such a bespoke message can also slip past email and web security gateways, because a one-off email matches no known-bad signature and shows none of the bulk-mailing traits those filters key on. Gone are the days when a generic form letter was sent to millions, littered with grammatical mistakes and misspellings. Modern phishing uses first names, personal details such as age or birthday, and even doctored documents from real companies. In short, phishing has become quite sophisticated.
In addition, many companies give employees insufficient training about the dangers of phishing and the best practices for avoiding ransomware and phishing ploys. All users should be taught what to look for when opening emails: requests for sensitive information, transfers of funds or the opening of attachments should always be greeted with a high level of scepticism, a habit employees can be trained to adopt. Let's explore a few of the phishing types that security tools such as NDR and EDR encounter regularly.
Most Successful Phishing Types
There are a few types of phishing emails NDR and EDR solutions are designed to look for, including:
- Spear phishing – a more sophisticated form of phishing that targets key organizational leaders with access to valuable information. This type of email is carefully crafted and personalized, and carries a malicious link or attachment that delivers ransomware or other malware, or leads to a drive-by download. It is typically personalized enough to fool spam and content filters.
- Business email compromise – often known as CEO fraud, is when attackers impersonate, or take over, the email account of a high-level executive (whaling is the related term for phishing aimed at the executives themselves). These emails are typically sent to junior employees with requests for information, funds transfers, or passwords and login details. They usually carry a sense of urgency, to fluster the employee and manipulate them into making quick mistakes.
Several lure themes recur in phishing emails, and security tools are tuned to look for them. Recognizing them yourself before clicking could make all the difference.
- Corporate emails about benefits, finances, mailbox notifications, or business-related emails that aren’t organization-specific (wire transfer requests, insurance notices, shipping confirmations, etc.).
- Consumer emails to the general public from social networking sites or pertaining to gift cards or discounts.
- Technical emails including error or breach reports and bounced email notifications asking for further clicks or processes.
- Cloud emails pertaining to cloud services (asking you to download documents, redirecting to an online file sharing service, etc.)
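As an added illustration of how the spear-phishing and CEO-fraud traits described above can be turned into triage rules, here is a small Python script. It is an added example, not Sangfor's code or any product's logic: the domain example.com, the executive name, the keyword list, the scoring weights and the three sample messages are constructed assumptions chosen for illustration.

```python
"""Toy email triage for the phishing and BEC patterns described above.
Added example (not Sangfor's code): domain, executive names, weights and
regexes are assumptions chosen for illustration."""
import re
from email import message_from_string
from email.utils import parseaddr

INTERNAL_DOMAIN = "example.com"   # assumed: the victim organisation's domain
EXECUTIVES = {"alice chen"}        # assumed: display names attackers would impersonate
URGENCY = re.compile(r"\b(urgent|immediately|asap|right away|wire transfer|gift cards?)\b", re.I)
RISKY_EXT = (".exe", ".js", ".vbs", ".scr", ".docm", ".xlsm", ".iso", ".lnk")
LINK = re.compile(r'<a[^>]+href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def edit_distance(a, b):
    """Levenshtein distance, used to catch lookalike sender domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def url_host(url):
    m = re.match(r"https?://([^/:?#]+)", url.strip(), re.I)
    return m.group(1).lower() if m else ""


def score_message(raw, internal_domain=INTERNAL_DOMAIN, executives=EXECUTIVES):
    """Return (score, reasons). Single-part messages only; a real gateway walks MIME parts."""
    msg = message_from_string(raw)
    score, reasons = 0, []
    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(from_addr)

    # CEO fraud: an executive's name on a message that did not come from our domain.
    if from_name.strip().lower() in executives and from_domain != internal_domain:
        score += 3
        reasons.append(f"executive name '{from_name}' but sender domain is {from_domain}")

    # Replies silently diverted to a mailbox the attacker controls.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and domain_of(reply_addr) != from_domain:
        score += 2
        reasons.append(f"Reply-To domain {domain_of(reply_addr)} differs from From domain")

    # Lookalike domain: one or two characters away from the real one.
    if from_domain and from_domain != internal_domain and edit_distance(from_domain, internal_domain) <= 2:
        score += 3
        reasons.append(f"lookalike sender domain {from_domain}")

    body = msg.get_payload()
    # Pressure language: the "act now" lever that CEO fraud relies on.
    if URGENCY.search(msg.get("Subject", "") + " " + body):
        score += 1
        reasons.append("urgency or payment language")

    # Link text shows one host while the href goes to another.
    for href, text in LINK.findall(body):
        shown, actual = url_host(text), url_host(href)
        if shown and shown != actual:
            score += 2
            reasons.append(f"link text shows {shown} but points to {actual}")

    # Attachment with an executable or macro-bearing extension.
    for m in re.finditer(r'filename="([^"]+)"', raw, re.I):
        if m.group(1).lower().endswith(RISKY_EXT):
            score += 3
            reasons.append(f"risky attachment {m.group(1)}")
    return score, reasons


# Constructed sample messages, not real mail.
CEO_FRAUD = """\
From: Alice Chen <alice.chen@examp1e.com>
Reply-To: a.chen.ceo@mail-relay.net
To: bob@example.com
Subject: Urgent wire transfer before 5pm
Content-Type: text/plain

Bob, I am stuck in a meeting. Process the wire transfer immediately and reply here for the account details.
"""

LINK_LURE = """\
From: IT Helpdesk <helpdesk@cloud-docs-share.net>
To: bob@example.com
Subject: Shared document awaiting your review
Content-Type: text/html

<p>A file was shared with you.</p>
<a href="http://198.51.100.23/login">https://docs.example.com/shared</a>
"""

BENIGN = """\
From: Carol Diaz <carol@example.com>
To: bob@example.com
Subject: Lunch on Thursday?
Content-Type: text/plain

Are you free Thursday at noon?
"""

if __name__ == "__main__":
    for name, sample in (("CEO fraud", CEO_FRAUD), ("link lure", LINK_LURE), ("benign", BENIGN)):
        print(name, *score_message(sample))
```

The point of the weights is that no single rule is decisive: a lookalike domain on its own is a warning, but a lookalike domain plus an executive's name plus a diverted Reply-To plus urgency is the full CEO-fraud pattern and scores accordingly. A production gateway would add authentication results (SPF, DKIM, DMARC) and walk every MIME part rather than reading a single-part body.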
Ransomware protection using NDR
Enterprises are increasingly turning to more powerful protection tools to enable better cyber threat hunting, and they are finding them in network detection and response (NDR) solutions such as Sangfor Cyber Command. When someone accidentally clicks a malicious link of the kind found in phishing emails, this type of solution sees what follows on the wire: the payload download, command-and-control traffic and attempts to spread to other machines.
NDR combines advanced analytical techniques to detect ransomware and other suspicious network activity and respond to threats in real time, and it is rapidly gaining popularity because its threat hunting capabilities surface malicious activity that other tools are likely to miss. NDR differs from EDR, or endpoint detection and response: EDR focuses on the endpoints it has an agent installed on, whereas NDR provides all-around threat hunting and mitigation across the whole network, including unmanaged and IoT devices that cannot run an agent. Secure web gateways (SWGs) are also in increasing demand, working alongside both solutions to control what users and devices can reach on the web.
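To make the post-click detection described above concrete, here is an added Python example. It is not Cyber Command's logic or any product's code; the log formats, the baseline of known domains, the 10 minute window and the 5-peer threshold are all assumptions. It correlates a download of an executable from a domain the organisation has never contacted with a burst of SMB connections from the same host, which is roughly what a workstation looks like on the network once a phishing payload starts spreading or encrypting file shares.

```python
"""Toy post-click detection over constructed proxy and flow logs.
Added example, not Sangfor Cyber Command logic: log formats, thresholds and
the baseline domain list are assumptions chosen for illustration."""
import ipaddress
from datetime import datetime, timedelta
from urllib.parse import urlparse

BASELINE_DOMAINS = {"www.example.com", "docs.python.org"}   # assumed "seen before" list
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")            # assumed corporate range
EXEC_TYPES = {"application/x-msdownload", "application/x-dosexec"}
WINDOW = timedelta(minutes=10)   # how long after the download we look for fan-out
FANOUT_THRESHOLD = 5             # distinct internal SMB peers before we call it spreading

# Constructed logs: "<ts> <client> <method> <url> <status> <content-type>" and
# "<ts> <src> <dst> <dport> <bytes>". 10.0.0.15 clicked a lure; 10.0.0.30 fetched a
# tool from a known domain; 10.0.0.22 is ordinary single-file-server traffic.
PROXY_LOG = """\
2021-06-01T09:12:03 10.0.0.15 GET http://cdn-update-files.top/invoice.exe 200 application/x-msdownload
2021-06-01T09:12:10 10.0.0.22 GET https://www.example.com/index.html 200 text/html
2021-06-01T09:15:44 10.0.0.30 GET https://www.example.com/tools/setup.exe 200 application/x-msdownload
"""
FLOW_LOG = """\
2021-06-01T09:13:00 10.0.0.15 10.0.0.40 445 2048
2021-06-01T09:13:02 10.0.0.15 10.0.0.41 445 2048
2021-06-01T09:13:04 10.0.0.15 10.0.0.42 445 2048
2021-06-01T09:13:06 10.0.0.15 10.0.0.43 445 2048
2021-06-01T09:13:08 10.0.0.15 10.0.0.44 445 2048
2021-06-01T09:13:10 10.0.0.15 10.0.0.45 445 2048
2021-06-01T09:13:12 10.0.0.15 10.0.0.46 445 2048
2021-06-01T09:13:14 10.0.0.15 10.0.0.47 445 2048
2021-06-01T09:13:20 10.0.0.22 10.0.0.5 445 512
"""


def parse_proxy(text):
    rows = []
    for line in text.strip().splitlines():
        ts, src, _method, url, _status, ctype = line.split()
        rows.append({"ts": datetime.fromisoformat(ts), "src": src,
                     "host": urlparse(url).hostname, "url": url, "ctype": ctype})
    return rows


def parse_flows(text):
    rows = []
    for line in text.strip().splitlines():
        ts, src, dst, dport, nbytes = line.split()
        rows.append({"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
                     "dport": int(dport), "bytes": int(nbytes)})
    return rows


def detect(proxy_text, flow_text, baseline=BASELINE_DOMAINS):
    """Correlate a first-contact executable download with SMB fan-out from the same host."""
    flows = parse_flows(flow_text)
    alerts = []
    for req in parse_proxy(proxy_text):
        # Stage 1: an executable fetched from a domain nobody in the org has talked to before.
        if req["ctype"] not in EXEC_TYPES or req["host"] in baseline:
            continue
        alert = {"host": req["src"], "stage": "first-contact executable download",
                 "evidence": req["url"], "action": "investigate"}
        # Stage 2: within the window, the same host opens SMB to many internal peers.
        peers = {f["dst"] for f in flows
                 if f["src"] == req["src"] and f["dport"] == 445
                 and ipaddress.ip_address(f["dst"]) in INTERNAL_NET
                 and req["ts"] <= f["ts"] <= req["ts"] + WINDOW}
        if len(peers) >= FANOUT_THRESHOLD:
            alert.update(stage="download followed by SMB fan-out",
                         smb_peers=len(peers), action="isolate host")
        alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for alert in detect(PROXY_LOG, FLOW_LOG):
        print(alert)
```

Two things carry the signal here and neither is visible to an endpoint agent that is not installed on the machine: the domain has no history on the network, and the host suddenly talks SMB to far more peers than a user ever does. Suppressing the download from a baseline domain (10.0.0.30) is what keeps ordinary software installs from paging an analyst.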
For more information on how a network detection and response solution like Sangfor Cyber Command can protect your enterprise from ransomware infection through phishing emails, visit us online or email us directly, and let Sangfor make your IT simpler, more secure and more valuable.