Ransomware attacks on organizations with employee involvement are a growing threat to Middle Eastern entities. Yazen Rahmeh, Cyber Security Expert at SearchInform, explained how to address the challenge.
What is Ransomware?
Ransomware is one of the most common, fastest-evolving and most harmful cyberthreats to organizations: 46% of security professionals estimated that they suffered losses of $1-10 million in ransom fees, lost revenue and brand damage. Despite 84% of victims paying the ransom, only 47% got their data back uncorrupted. Ransomware is a type of malware that infiltrates a device or network and blocks access to a system or files. However, employee assistance is often required for ransomware to get inside the network.
According to data, 36% of companies in the Middle East reported incidents when their own employees consciously or unconsciously helped adversaries by their actions or inaction.
There are three ways ransomware can penetrate corporate networks, either through deliberate or accidental employee involvement: phishing attacks, referral systems and compromised credentials. To overcome these threats an organization should neutralize human factors and prevent employees from assisting attackers.
1. Phishing attacks
Phishing attachments mailed to employees remain the primary entry point for ransomware: an untrained employee finds them difficult to detect, and antivirus (or firewall) software often does not recognize phishing as a threat. These malicious attachments come in various formats, such as PDF, ZIP or Microsoft Office files.
The key sign of any malicious email is a call to action: open a file, click on a link, scan a QR code, etc. Cybercriminals often masquerade as partners, customers, and even your system administrators and top managers. Phishing can also be embedded in advertisements and pop-up notifications, and even on legitimate websites.
How to fight? The primary tool is cyber literacy training.
When training employees, it is necessary to achieve several goals: to increase staff awareness of modern threats and the methods of combating them; to make employees recognize their role in ensuring information security and the impact they have on it by ignoring security rules; and to make caring for data protection the responsibility of all personnel, both at work and in their free time.
The training should not be a one-off: regular briefings, webinars, training sessions, and newsletters will significantly increase employees’ chances to recognize fraudulent communications and not fall for the bait of cybercriminals.
An important aspect of training is to explain in detail the mechanisms of attacks and how workers themselves can counter this threat. For example, to ensure that the employee will recognize a phishing email, explain how to verify the sender through the email attributes.
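As an added illustration (not from the original article or from SearchInform), here is the kind of sender check such training describes, in Python: the visible From: address is compared with Reply-To:, Return-Path: and the receiving mail server's Authentication-Results: header. Both messages are constructed and the domains are placeholders.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed sample message (not a real email). The display name claims to be
# a director, but the reply address, envelope sender and authentication
# results all point elsewhere.
SUSPICIOUS_MESSAGE = """\
From: "Finance Director" <director@examplecorp.test>
Reply-To: payments@examplecorp-invoices.test
Return-Path: <bounce@mailer-bulk.test>
Authentication-Results: mx.examplecorp.test; spf=fail smtp.mailfrom=mailer-bulk.test; dkim=none
Subject: URGENT: open the attached invoice

Please open the attached file today.
"""

# Constructed legitimate message for comparison: all attributes agree.
CLEAN_MESSAGE = """\
From: "Finance Director" <director@examplecorp.test>
Return-Path: <director@examplecorp.test>
Authentication-Results: mx.examplecorp.test; spf=pass smtp.mailfrom=examplecorp.test; dkim=pass header.d=examplecorp.test
Subject: Q1 budget

Attached as discussed.
"""

def domain_of(header_value):
    """Lowercase domain of an address header value, or '' if absent."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""

def check_sender_attributes(raw):
    """Compare From: with Reply-To:, Return-Path: and Authentication-Results:;
    return a list of warnings (empty means the attributes are consistent)."""
    msg = email.message_from_string(raw, policy=policy.default)
    from_dom = domain_of(msg["From"])
    warnings = []
    for hdr in ("Reply-To", "Return-Path"):
        dom = domain_of(msg[hdr])
        if dom and dom != from_dom:
            warnings.append(f"{hdr} domain {dom} differs from From domain {from_dom}")
    auth = str(msg["Authentication-Results"] or "").lower()
    for check in ("spf", "dkim"):
        if f"{check}=pass" not in auth:
            warnings.append(f"{check.upper()} did not pass at the receiving server")
    return warnings
```

A mismatch is not proof of fraud (mailing-list relays legitimately change Return-Path), but any warning is a reason to verify the request through another channel before opening the attachment.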
To prevent phishing attacks, don't neglect to deploy specialized anti-phishing software. Many such products are on the market, including ones that scan incoming emails for signs of fraud, suspicious sender addresses and links to known phishing sites.
2. Referral system
In a referral scheme, an insider deliberately helps the criminals get ransomware into the network; after the criminals receive the ransom, the malicious insider is paid, for example, 10% of the amount. Employees may cooperate with criminals not only out of greed but also out of revenge and resentment against their employer, as well as other interests.
How to fight? To rule out employees' deliberate assistance to hackers, an organization must ensure its internal security system is strong and well organized. That is why, alongside software against external attacks (antiviruses, NGFW), solutions for insider risk prevention must be implemented. DCAP and DLP class solutions are the basic ones for addressing insider risks.
The DCAP system audits the file system and restricts access to confidential information, minimizing the risk of valuable data being transmitted to intruders. More importantly for fighting ransomware, the system brings order to storage and removes valuable data from folders (including publicly available ones) in which it should not be stored. Thus, the solution reduces the chances of ransomware operators seizing valuable data.
The DCAP system also creates smart backups of data (backing up only files with specific content) in case attackers manage to capture and encrypt data.
The DLP system prevents the transmission of sensitive information (data leaks), so malicious actors cannot receive data directly from within (ransomware operators might be especially interested in credentials and network topology). It also detects suspicious incoming communications and enables information security professionals to investigate incidents.
3. Compromised credentials
Employee credentials fall into the hands of extortionists partly because employees use the same password for personal and corporate accounts, create passwords that are too simple, and violate credential-storage rules (for example, putting a sticker with the password on the screen). It also happens as a result of data leaks and a low level of internal security protection.
How to fight? Develop a security policy and deploy a SIEM system.
The organisation must adopt an internal information security policy that employees must sign and follow.
The policy should contain rules for creating strong passwords and storing them safely, and prescribe the use of two-factor authentication (2FA) where it is possible and convenient to implement. Among other things, the security policy must contain procedures for installing software (if permitted) and non-disclosure agreements covering certain types of information (trade secrets, developments, personal data).
The SIEM system, in its turn, detects abnormal activity. The UEBA capability of SIEM solutions helps establish a behavioural baseline of expected activity for all users and entities. In a ransomware attack, when a user account begins to exhibit unusual activity, the SIEM identifies it as anomalous and alerts the security analysts. The solution is also effective in detecting password-guessing attempts.
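To make the UEBA idea concrete, here is an added Python example (not SearchInform's code or any real SIEM's logic): a per-user baseline of hosts and working hours is learned from past logins, and new events are flagged for unfamiliar hosts, unusual hours and bursts of failed logins. All events are constructed; the user and host names are placeholders.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication events (not real logs):
# (ISO timestamp, user, source host, outcome).
BASELINE_EVENTS = [
    ("2024-03-04T08:55:10", "alice", "WS-ALICE", "success"),
    ("2024-03-04T13:10:42", "alice", "WS-ALICE", "success"),
    ("2024-03-05T09:03:21", "alice", "WS-ALICE", "success"),
    ("2024-03-04T07:45:02", "svc-backup", "BACKUP-01", "success"),
]
NEW_EVENTS = [
    ("2024-03-11T09:01:00", "alice", "WS-ALICE", "success"),     # normal
    ("2024-03-11T02:14:33", "alice", "FILESRV-02", "success"),   # new host, off hours
    ("2024-03-11T02:15:01", "svc-backup", "BACKUP-01", "failure"),
    ("2024-03-11T02:15:04", "svc-backup", "BACKUP-01", "failure"),
    ("2024-03-11T02:15:07", "svc-backup", "BACKUP-01", "failure"),
    ("2024-03-11T02:15:09", "svc-backup", "BACKUP-01", "failure"),
]

def build_baseline(events):
    """Per user: hosts logged in from and hours active (a real engine uses weeks of history)."""
    base = defaultdict(lambda: {"hosts": set(), "hours": set()})
    for ts, user, host, outcome in events:
        if outcome == "success":
            base[user]["hosts"].add(host)
            base[user]["hours"].add(datetime.fromisoformat(ts).hour)
    return dict(base)

def detect_anomalies(baseline, events, fail_threshold=3, window=timedelta(minutes=5)):
    """Return alerts for logins from new hosts, logins at unusual hours and
    bursts of failed logins (the password-guessing pattern)."""
    alerts, failures = [], defaultdict(list)
    for ts, user, host, outcome in events:
        when = datetime.fromisoformat(ts)
        if outcome == "failure":
            # keep only failures inside the sliding window, then add this one
            failures[user] = [t for t in failures[user] if when - t <= window] + [when]
            if len(failures[user]) == fail_threshold:   # fire once per burst
                alerts.append(f"{user}: {fail_threshold} failed logins within {window} (password guessing?)")
            continue
        profile = baseline.get(user)
        if profile is None:
            alerts.append(f"{user}: no baseline, first login seen from {host}")
            continue
        if host not in profile["hosts"]:
            alerts.append(f"{user}: login from new host {host}")
        if when.hour not in profile["hours"]:
            alerts.append(f"{user}: login at unusual hour {when:%H:%M}")
    return alerts
```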
Conclusion
From the nature of ransomware, we can see that, even though such an attack comes from an external source, to succeed it requires the direct participation of an insider, either malicious or accidental. To minimize the risk of employee involvement, a comprehensive security system protecting against internal risks must be built.
Software with the functions mentioned above will become a solid foundation for your information security system and, along with competently organized training, will minimise the risk of not only ransomware attacks but also other types of both external and internal data-related incidents, including data leakage, corporate fraud, theft of tangible and intangible assets and other violations.