Facts that ransomware blackmailers don’t want you to know

As the number of organizations targeted by ransomware hits all-time highs, it is reasonable to assume that an increasing number of victims will inevitably see their data get encrypted. The University of Calgary is the latest prominent institution to fall victim to ransomware. In June 2016, their mail server and part of their IT infrastructure were rendered entirely unavailable by an attack. The University determined that their only way out was to pay the ransom ($20,000 CAD in this case) even though they had absolutely no guarantee that the blackmailers would come through and provide the decryption key. Fortunately for them, they actually did.

While universities, government agencies and health institutions are top targets for ransomware attackers because of the valuable data they handle, it is so easy for scammers to anonymously set up and deploy a ransomware attack that no organization is safe (ever heard of “ransomware as a service”?). Kaspersky Lab found in Q1-2016 that ransomware was now the most prolific cyberthreat of 2016, while Symantec pegs Canada as the 4th most commonly targeted country. Since ransomware is a very effective scam that brings in good returns, it’s not about to go away, just as users are not about to stop clicking on suspicious URLs or opening malicious attachments. So how can you, as an organization, make sure that you don’t end up on the ever-growing list of victims? Here are a few facts that will help you think more clearly about what prevention requires.

FACT #1. Email is the #1 threat vector.

Because email is where the typical user spends roughly 30% of the day, it’s no surprise to see it under constant attack from hackers, malware authors, phishers and organized crime. Email acts as both the container for malware and as the avenue through which Web-based malware can enter an organization, as in the case of blended threats. Preventing such emails from even entering the network perimeter, i.e. by blocking them in the cloud, is the best way to prevent infection.

Having a solution that can detect your average spam and phishing emails is a basic requirement, but to prevent the really dangerous and harmful threats such as ransomware, extra protection is needed. The must-have list includes: detection of renamed or zipped executable files, recognition of spear phishing attacks, blocking of infected macros buried within old versions of Microsoft Office documents, and special anti-phishing rules customized for any payment processor or financial institution. Those are just some of the ways in which a premium solution can help secure the email vector and prevent advanced threats from reaching your inboxes.

FACT #2. Individual users are IT security systems’ weakest link.

So your Anti-Spam has blocked thousands of suspicious emails with potentially dangerous links or harmful attachments, but your users still have access to that content and have the rights to release it? If this sounds risky, it’s because it is. Research shows that humans are responsible for up to 95% of all cyber security breaches occurring today. No matter how strong and reliable your firewall and Anti-Spam defenses are, there will always be a gaping vulnerability: your own users.

Remember that criminals are using the latest social engineering techniques to make sure their messages produce the desired results, and are exploiting data publicly available on social networks and company websites to craft campaigns specifically tailored for certain individuals. Because of human curiosity and social reflexes, as well as the average user’s lack of cybersecurity expertise, hackers keep successfully penetrating IT security barriers. One favorite approach is sending executable files that have been zipped or renamed to a harmless-looking extension, attached to an email with a common work-related subject such as “Unpaid invoice”, “Voice message” or “Daily report”. One wrong click is all it takes.
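The two tricks described above (an executable renamed to a harmless-looking extension, or hidden inside a ZIP) can be caught by looking at what a file actually is rather than what it is called. The following attachment triage script is an added example written for this page; it is not ZEROSPAM’s code or any part of their product. It parses a MIME message, identifies executables by their magic bytes regardless of extension, opens ZIP attachments with a nesting and size limit, and flags legacy Office containers that can carry macros. The sample message, the lure file names and the size limits are constructed assumptions.

```python
"""Attachment triage for renamed or zipped executables (added example, not
ZEROSPAM's code). Runs offline on a message constructed below."""
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Magic bytes identify the real file type no matter what the name says.
EXECUTABLE_MAGIC = {
    b"MZ": "Windows PE executable",
    b"\x7fELF": "ELF executable",
}
# Legacy binary Office container (.doc/.xls/.ppt): the format that carries VBA macros.
LEGACY_OFFICE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
ZIP_MAGIC = b"PK\x03\x04"
# Script types have no magic; for them the extension alone is enough to flag.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd",
                         ".js", ".vbs", ".wsf", ".hta", ".ps1"}
MAX_MEMBER_BYTES = 5 * 1024 * 1024  # assumed limit: do not inflate huge members
MAX_NESTING = 2                      # assumed limit: zip-in-zip depth to open


def extension(name):
    """Lower-case final extension ("invoice.pdf.exe" -> ".exe"), '' if none."""
    dot = name.rfind(".")
    return name[dot:].lower() if dot != -1 else ""


def sniff(data):
    """Label the content by magic bytes, ignoring the file name."""
    for magic, label in EXECUTABLE_MAGIC.items():
        if data.startswith(magic):
            return label
    if data.startswith(LEGACY_OFFICE_MAGIC):
        return "legacy Office container"
    if data.startswith(ZIP_MAGIC):
        return "zip archive"
    return None


def inspect_blob(name, data, depth=0):
    """Return (path, verdict) findings for one attachment, recursing into ZIPs."""
    findings = []
    kind = sniff(data)
    ext = extension(name)
    if kind and kind.endswith("executable"):
        # Real executable: the disguise is the extension not matching the content.
        verdict = "executable" if ext in EXECUTABLE_EXTENSIONS else "renamed-executable"
        findings.append((name, verdict))
    elif ext in EXECUTABLE_EXTENSIONS:
        findings.append((name, "executable"))
    elif kind == "legacy Office container":
        findings.append((name, "legacy-office"))
    elif kind == "zip archive":
        if depth >= MAX_NESTING:
            return [(name, "nested-archive-not-opened")]
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    member = f"{name}/{info.filename}"
                    if info.is_dir():
                        continue
                    if info.file_size > MAX_MEMBER_BYTES:
                        findings.append((member, "oversized-member-skipped"))
                        continue
                    try:
                        findings.extend(inspect_blob(member, zf.read(info), depth + 1))
                    except RuntimeError:  # password-protected member: cannot be scanned
                        findings.append((member, "encrypted-member"))
        except zipfile.BadZipFile:
            findings.append((name, "corrupt-archive"))
    return findings


def triage_message(raw):
    """Parse a raw RFC 5322 message and triage every attachment."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "unnamed"
        data = part.get_payload(decode=True) or b""
        findings.extend(inspect_blob(name, data))
    return findings


def build_sample_message():
    """Constructed lure using the subject lines named in the post; the 'executable'
    is just a PE header signature padded with zeros, not a real program."""
    pe_stub = b"MZ" + b"\x00" * 62
    zipped = io.BytesIO()
    with zipfile.ZipFile(zipped, "w") as zf:
        zf.writestr("invoice.pdf.exe", pe_stub)  # double extension inside the archive
        zf.writestr("readme.txt", b"please see attached")
    msg = EmailMessage()
    msg["From"] = "accounts@example.com"
    msg["To"] = "user@example.org"
    msg["Subject"] = "Unpaid invoice"
    msg.set_content("Please find the outstanding invoice attached.")
    msg.add_attachment(pe_stub, maintype="application", subtype="msword",
                       filename="report.doc")  # executable renamed to .doc
    msg.add_attachment(zipped.getvalue(), maintype="application", subtype="zip",
                       filename="invoice.zip")
    msg.add_attachment("nothing to see here", filename="notes.txt")  # benign
    return msg.as_bytes()


if __name__ == "__main__":
    for path, verdict in triage_message(build_sample_message()):
        print(f"{verdict:20s} {path}")
```

Running it reports `report.doc` as a renamed executable and `invoice.zip/invoice.pdf.exe` as an executable, while `notes.txt` and the ZIP’s `readme.txt` produce nothing. Encrypted ZIP members and oversized members are reported rather than silently skipped, since an attachment the filter cannot look inside should not be released from quarantine on trust.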

Once you have acknowledged the fact that employees represent an important risk, you are in a better position to take action. By limiting who can access the quarantine and keeping this responsibility only in the hands of your most knowledgeable users, you are creating what is called a “human firewall” for your organization.

Individual user risk factor

FACT #3. In addition to protecting email, restricting access to the quarantine should be item #2 on your to-do list.

Here at ZEROSPAM, we call it smart quarantine management. In practice, this simply means that there will be no automatic configuration of individual quarantine accounts for all your users. However, individual quarantines are fully supported. These are available in a manual creation mode (when only selected users will be granted quarantine access) or self-subscription mode (when all users must be granted quarantine access).

Another aspect of ZEROSPAM’s quarantine management involves visual cues that point out dangerous phishing emails and messages sent with executable attachments. These visual cues alert users with individual quarantine accounts that those messages should NOT be released from the quarantine.

FACT #4. An agile provider is your best protection against zero-day threats.

At this point, any security vendor who declares they can guarantee complete immunity against cyber threats is probably not going to be able to live up to this claim. While solutions keep getting better, threats are also getting more sophisticated, and they’re doing so faster than vendors can keep up. When a new virus or malware campaign comes out, it takes a little while for antivirus agents and security vendors to adjust. The same is true in the medical world. When a new virus or bacterium is discovered (and these too keep morphing), at first, there is no vaccine for it. There can be no prevention for a new, unidentified threat. It’s just as true in the IT security world as it is in the medical world. When a new IT threat comes out and it is not detected by any current system, it’s called zero-day.

ZEROSPAM has developed an easy-to-install Outlook plugin that is used by customers to report undetected spam back to us. Hundreds of thousands of users contribute to this feedback loop, so new threats are uncovered and reported rapidly. Our team of rule masters reacts immediately to inject new rules or modify existing ones to block the new campaign. This agility often enables us to beat virus signature updates by as much as 24 to 48 hours.

FACT #5. Having an excellent back-up system is your best ransomware protection.

If you do get hit by ransomware, make sure your data loss will be minimal by automating regular back-ups of all crucial information. That way, you can ignore the cybercriminals, wipe the infected computer and go back to the latest saved back-up.

There is hope, friends. If you are able to create user awareness of cybercrime and warn your users about dangerous email messages, implement an excellent back-up system, filter incoming email with a specialized high-performance security solution AND create a “human firewall”, i.e. limit the ability of the individual user to destroy the security you have implemented, you will have secured the most important infection vector.
