Ransomware and phishing: how to secure our future

Ransomware is on the rise, and phishing attacks provide its primary delivery mechanism. According to Wombat Security, 76 percent of companies experienced phishing attacks in 2017, while in the second half of 2017, 96 percent of organizations were the recipient of a ransomware-related email attack. According to Sophos, 54 percent of companies were hit by ransomware attacks in 2017, at an average cost per attack of $133,000.

Furthermore, according to the Cisco 2018 Annual Cybersecurity Report, 65 percent of email is spam and 8 percent of that spam is malicious. 38 percent of malicious files arrive via email and in Microsoft Office formats such as Word, PowerPoint and Excel. Symantec reported that in 2017, 71 percent of all targeted attacks started with spear phishing to infect their victims, attacks that install backdoor malware on devices.

All of this is a big deal for enterprises. In the U.S., phishing scams cost businesses up to half a billion dollars per year, while attackers use ever-more sophisticated ways to get users to open phishing emails: one scam, with emails disguised as airline flight confirmations, tricked employees into opening them 90 percent of the time. Phishing is a successful tactic. So much so that there are now 1.39 million new phishing sites created each month according to security firm Webroot.

My home of Hong Kong has recently been hit with major phishing attacks, with the Hong Kong Monetary Authority (HKMA) in January 2018 alerting the public to a phishing attack on banking giant HSBC, while bitcoin traders in Hong Kong have also been on the receiving end.

Why is phishing so successful?

One reason phishing has become so successful is that users and organizations are experiencing information overload, or "infobesity," through the sheer scale of data generated and transmitted every day. The knock-on effect of today's data explosion can be that users end up being less cautious about what emails they open and therefore less likely to detect phishing attempts.

Cybercriminals are astute enough to recognize this and take advantage of it, by customizing content and leveraging users' own shared social media information to create tailored, authentic-seeming emails. Users are often insufficiently trained about phishing and how it is used to deliver ransomware, and this, coupled with the sheer amount of data they handle each day, makes phishing a good "percentages" attack method.

Email security more vital than ever

Ransomware attacks are the fastest-growing cyber threat around today, and phishing is its number one delivery mechanism. The driving force behind this is simply that phishing emails are simple to create and send and provide attackers with a faster return on investment (ROI). Victims are drawn onto the hook of a social engineering scheme and lured to carry out actions with no thought for the malicious consequences – basically, the less aware the target victim is, the better the chances of the attack's success.

As has always been the case, the human factor is the weakest link in the security chain. Attackers can persuade and deceive employees in numerous ways to gain critical access to sensitive data, but one thing stands out in its consistency: email.

The future of ransomware

Ransomware's simplicity and ease of use will continue to make it a popular line of attack for cyber attackers, and its methods of approach are evolving: in the past year or two, ransomware attacks began targeting industries that have little option other than to pay ransoms, such as healthcare, small and medium businesses (SMBs), governments, critical infrastructure, NGOs and education bodies. Ransomware attackers know these kinds of industries carry valuable or sensitive data, often find it difficult to fund IT capabilities and are typically subject to regulations that can tie them up in red tape and stop them having efficient backups in place.

It looks like ransomware is here to stay and will only continue to evolve as cyber attackers become increasingly sophisticated in their activities. Enterprises must take every step they can to protect themselves against it.

What can organizations do to protect themselves?

Protecting against phishing and ransomware means a lot of training. At face value, it might seem a simple approach, but training your employees to be aware of phishing as a threat and to question emails before they open them, even if they are only remotely suspicious, is the bedrock of securing your organization against attacks. Similarly, organizations should regularly remind staff to be vigilant, think safety first, and if employees do receive what they think is a phishing email, do not open it, do not download any attachments from the message, never click links in that message, and report it.

One good countermeasure employed by CIOs is to "allow" staff to make errors within a protected sandbox environment and to learn from these "mistakes" in the real world. From a technical standpoint, the IT department can disable macros from being run on computers on the corporate network, as attackers often use macros to execute malicious code and deliver malware payloads.

Another important method of defense that companies can employ is to implement solutions that identify phishing emails upon arrival at the network perimeter and stop them from even reaching the employee's inbox.

Taken together, training, security countermeasures and the right anti-phishing solutions can make your organization a safer place. The watchword now and in the future is vigilance.

Concerned about security? Find out how you can boost your organization’s security today!

Edmund Yick
Edmund Yick

Edmund is the General Manager of Orange Business Hong Kong and Taiwan. He is responsible for developing and managing our portfolio of business solutions for multinational enterprises and provides strategic direction to support the growth of Orange Business as the leading integrated communications provider in Hong Kong and Taiwan. Edmund likes having a whisky or two during his down time to unwind when he is not driving.