Ransomware - Will it Stay or Will it Go?

In April 2016, the German Federal Office for Information Security (BSI) conducted a survey of nearly 600 companies.  The results showed that 32 percent, or one third of companies, were affected by ransomware.  In 82 percent of all cases, email was the gateway to the successful attack.   In 21 cases, it resulted in the complete loss of data.  Throughout the course of the year, more ransomware waves were observed, which were as dangerous as Locky.

There has been a decline in the number of simple spam emails since the beginning of 2015, but while too many spam emails in your inbox are just annoying, a single successfully delivered ransomware email represents a major security risk that can threaten the existence of the company. In the BSI study, four companies indicated that the ransomware attack threatened their very existence.

What makes Ransomware so dangerous?

Compared to traditional spam and malware, ransomware is characterized by a much more sophisticated architecture and functionality. The control of the attack waves are so granular that individual waves only last a few hours before the control component changes the structure of the code and attacks new addresses from other bot networks. Therefore, ransomware and the latest malware are constantly changing in their appearance - hash values differ or domains are registered only after the email has been sent. However, they share a common characteristic -  the malicious code is usually not in the email, but loaded via a script code in attachments or links contained in the email. Through smart social engineering or tempting and curious texts, the users are tempted to click on the link or open the attachment.

This is why intelligent email security measures are of particular importance today. Just hope that you never see a screen like the one below in your own company.

Do not put email security in the sand!

Many technology providers place great hopes in so-called "sandbox technologies."  This creates the need for large computing requirements, which means higher costs that ultimately have to be paid by the customer.  This is also accompanied by a highly delayed delivery of emails, which is simply not up-to-date in this cloud age. To avoid these downfalls, compromises have to be made and the "suspicious threshold" has to be raised, from which an additional examination by sandbox technology is carried out, so that fewer attachments have to be tested. Since sandbox technologies cannot fully execute the code due to data dependencies, the technology results in a high false-positive rate when the detection threshold is set too low/ sensitive.  In addition, all newer malware variants now recognize when they are run in a sandbox environment.  Certain components of the operating system are not visible, time manipulations are carried out, or the hooks of the sandbox are simply badly camouflaged.

Effective protection with intelligent methods

If the malicious code is mostly hidden in attachments, can I simply ban the delivery of attachments then?  With this radical measure, the problem would naturally be solved. In real life, however, it is not enforceable to simply add attachments, since many business-relevant information must be exchanged in file extensions - prohibiting Word or Excel files, therefore, is not an option. It's then necessary to decide whether an installation is to be made with intelligent criteria, depending on the sender's "confidence", the function of the recipient, the content of the message, and much more. Alternatively, a suspicious attachment can be "parked" in a queue to be freed by the administrator and automatically released by the administrator manually or time-delayed after being re-checked. Preview features, which help to display the content to the recipient, similar to an x-ray image, without the need to deliver the original file, are a special highlight.

Standards for checking the sender reputation, such as SPF, DKIM, and DMARC, allows you to determine whether or not an email has been sent by a server from your company's domain, and is thus another very effective filter to recognize and reject messages.

Encrypt your mails before crypto trojans encrypt your data!

You can gain additional security by electronically signing and encrypting the bulk of business related business transactions. If employees in businesses are accustomed to getting invoices or other important documents sent to you by email as encrypted attachments, they will automatically be more cautious about clicking on attachments from unsigned or non-encrypted messages. Powerful email security gateways can now automatically manage the required personal certificates and public keys.

Every ransomware needs an accomplice in the company

Even if the email security in companies and the protection of ransomware can be significantly increased as described above, 100 percent security will not be achieved if other attack measures are chosen or new vulnerabilities are exploited by criminals.

Therefore, any technical upgrade must always be accompanied by education and information to the user. For this to remain effective, it must be repeated on a regular basis and in conjunction with illustrative examples (media reports). This reduces the likelihood that an attacker will be able to find the necessary accomplices in the company who, with an unconscious click, will open an attachment and activate the malicious code.

Even though effective rescue procedures are now available for data encrypted by ransomware, they are nevertheless complex and also involve the risk that no recovery is possible for new variants. Therefore, the protection of the email gateway is of central importance today. Many email security gateways from well-known international manufacturers are, of course, now able to detect and block Locky (or other ransomware) infected emails. However, it has been shown that they do not provide effective protection against new emerging ransomware attacks. Here, products such as NoSpamProxy from Net at Work have a clear advantage since they can, with an innovative and intelligent appendix management, prevent the malicious code from getting into the mailbox and being activated by end users.

Author:  Stefan Cink, Product manager, Net at Work GmbH, Paderborn, Germany