Written by Emile Abou Saleh, Regional Director, Middle East & Africa at Proofpoint
The cyber threat landscape is continually evolving and increasing in sophistication. Nevertheless, tried and tested attacks are never too far from threat actors’ toolkits. One of these attack methods – phishing – is practically ancient in digital years, yet it remains as popular as ever. In fact, Proofpoint’s State of the Phish report 2020 found that over half of organisations encountered at least one successful phishing attack last year, illustrating that it’s a tool that’s very much still part of a cybercriminal’s arsenal.
In 2019, attackers’ modus operandi remained varied:
- 88% of organisations worldwide reported spear-phishing attacks
- 86% reported BEC attacks
- 86% reported social media attacks
- 84% reported SMS/text phishing (smishing)
- 83% reported voice phishing (vishing)
- 81% reported malicious USB drops
Whatever the method of attack, a familiar payload was delivered time and time again: ransomware. In fact, 65% of global organisations reported a ransomware infection last year. Phishing-driven ransomware attacks increased notably in 2019 thanks, in part, to the popular ransomware-as-a-service (RaaS) offering GandCrab – which is estimated to have generated over $2bn in ransom payments.
The reason behind the success of these ‘traditional’ methods of attack could be a lack of understanding of how to defend against an attack and what to do when one occurs.
How much do we really know about ransomware?
When it comes to end-users, the answer to this question may come as a surprise: very little. Across the board, recognition of common cybersecurity terms is worryingly low. In fact, out of the 3,500 workers surveyed across seven countries, just 31% correctly understood the definition of ransomware. This figure is even lower among the younger generation. Just 28% of those aged between 18 and 22 understood the term, along with 24% aged 23 to 38, 33% aged 39 to 54, and 43% aged 55+.
This potential language barrier poses a significant challenge when it comes to educating end-users on how to spot and defend against such common threats. The security of our organisations depends on end-users making good decisions. They are often the last line of defence between a successful ransomware attempt and a successful ransomware infection. That so many are unfamiliar with what can be considered a relatively basic term is something of an eye-opener.
Clearly, cybersecurity teams cannot afford to hold any assumptions. Staff training and education must be regular and comprehensive, covering not just the latest threat du jour but also topics such as ransomware, where an element of prior knowledge may previously have been assumed.
To pay or not to pay?
Unfortunately, this lack of understanding around ransomware doesn’t end with how to spot an attack. There is just as much confusion about what to do if and when an attack is successful.
While the FBI has officially advised against paying ransoms, Assistant Special Agent Joseph Bonavolonta, speaking at a recent Cyber Security Summit, revealed that the FBI did, in some cases, advise organisations to pay up. The thinking is that cybercriminals would not jeopardise a lucrative business model by cheating victims once a ransom is paid.
That being said, any decision to pay a ransom lies ultimately with the victim. There is a school of thought that opting to pay a ransom is a business decision like any other: it should be made only after weighing up every possible option and assessing the risk versus the reward.
For service-critical organisations such as hospitals and local government, paying a ransom may appear to be the fastest and most effective solution. However, this solution depends on cybercriminals staying true to their word, and this is rarely the case.
Of the organisations infected with ransomware in 2019, 33% opted to pay a ransom. Fortunes were mixed. Over two-thirds (69%) regained access to data and systems after payment. Of the rest, 22% did not regain access, 7% were hit with additional ransom demands and did not regain access, and 2% paid additional ransoms before regaining access to data and systems.
Fighting ransomware – before, during and after
Just as tried and tested attacks continue to see success, so too do tried and tested defences – when implemented effectively. As always, prevention is far better than cure. A broad and deep cybersecurity defence is vital. And this starts with education and training at every level. The aim is not to create teams of end-users who can quote the dictionary definition of ransomware but to build a culture where cybersecurity is always front of mind.
This means comprehensive and continued training that goes well beyond how to spot an attack. Employees must understand the motives behind a ransomware attack, what to do if they suspect one, how their behaviour can impact success rates, and how to recover should the attack become an infection.
When it comes to the thorny issue of ransoms, there is no simple answer. Before making any decision, exhaust all other options, consult with cybersecurity professionals, restore backups, and know that paying a ransom is not a silver bullet. Despite the idiom to the contrary, there is very little honour among thieves.