Why phishing and ransomware should be at the top of your c-suite's security concerns

With research showing bad actors are focusing more on ransomware and phishing, what is the link between phishing and ransomware and why will they continue to be prominent threats in 2021?


This is a contributed article by Phil Richards, Chief Security Officer at Ivanti.

If you still thought that ransomware was a hobby criminal's pastime, it's time to rethink your risk profile.

Five years ago, ransomware criminals were 'spray and pray' merchants, distributing their wares via phishing attacks to anyone whose email address they happened across. This software would lock up a victim's files, which could just as easily be family photos as sensitive business documents. Those days are mostly over. Welcome to the even more complex world of ransomware 2.0.

Today's ransomware operations are far more strategic. Groups such as REvil (also known as Sodinokibi) and Netwalker write increasingly sophisticated malware, but they then grant affiliate groups access to that code. These groups are the ones that seek out and infect potential victims using complex techniques.

These groups now target specific companies. While large enterprises are on their list of victims, ransomware mitigation company Coveware also found that small and medium-sized businesses are a common target for ransomware criminals.

When engaging their victims, ransomware affiliates use the kinds of attack chains traditionally associated with advanced persistent threat (APT) groups. These include advanced reconnaissance techniques to understand their targets, followed by malware attacks carefully crafted to hit their targets' weak spots.

These attacks might take more time and effort to plan, but for those on the wrong side of the law, the rewards are often worthwhile. This precision model has prompted a marked rise in both the size and volume of ransom pay-outs as companies find themselves with no alternative but to pay for lost data.

Coveware found that in the third quarter of 2020, the average ransom payment increased over 31% from the quarter before to reach over $233,000. An analysis by cryptocurrency forensics company Chainalysis also found that ransomware payments using cryptocurrency rose 311% overall in 2020.

Tracking the high cost of ransomware

In some cases, the data that ransomware encrypts is crucial to operations. Even if companies are able to recover their data, the whole process can cost millions in lost business, legal fees and consulting costs.

Phishing is a major attack vector for ransomware crooks, reports Coveware, making up over a quarter of infections in Q3. That's a problem for companies trying to build cybersecurity awareness among large numbers of employees: it takes just one error to infect a network.

Phishing is also a particular danger for board-level executives. The C-suite is an ideal target for the phishing attacks that often carry ransomware. Research carried out in May 2020 by MobileIron (acquired by Ivanti) revealed that the C-suite is the most likely group in a company to ask for relaxed security protocols. According to the 350 IT decision makers surveyed, almost one in three of these high-ranking executives did so. That spells trouble for companies targeted by ransomware criminals. Over half (60%) of IT decision-makers believe that C-suite executives are the most likely targets for a malicious attack, according to the same research. That number rose to 78% when respondents were asked specifically about phishing attacks.

Protecting the C-suite

Ransomware business models are now expanding into another lucrative area: double extortion. Not content with merely encrypting data, ransomware criminals are now exfiltrating it first. They will lurk on infected networks for weeks or even months, moving laterally through the system and grabbing sensitive files. Stealing the information gives them a second monetisation opportunity: even if a victim can recover the encrypted files, the criminals threaten to publish the information unless the company pays up.

Once compromised in this way, victims can find themselves subject to repeated blackmail attempts, not just from the original perpetrator but from their affiliates. We have seen multiple examples of these attacks and they are becoming more frequent. Coveware found approximately half of all ransomware attacks used exfiltration in Q3.

The C-suite's tendency to request relaxed security controls makes them especially vulnerable to phishing attacks. These executives also devise strategy, determine direction and make the biggest decisions. Arguably, this makes their data more sensitive and thus more desirable.

For these reasons, companies should sharpen their focus on C-suite security now. A multi-layered approach to security should include a data backup plan, but it should also address awareness among senior executives, a thorough risk analysis, and a focus on process controls. These measures will help ensure that board-level executives don't become the soft underbelly of your company, ripe for attack.

Phil Richards is the Chief Security Officer at Ivanti. With more than 20 years' experience, he has previously served as the Head of Operational Security for Varian Medical Systems, CSO for Fundtech Corporation and as Business Security Director for Fidelity Investments. In his security leadership roles, Richards has created and implemented information security policies based on industry standards, led organisations to clean PCI DSS and SSAE SOC2 compliance certifications, and implemented security awareness training.