
WannaCry Ransomware Attack – Not Targeted but Simply Opportunistic

Markus Jakobsson May 12, 2017 Cybercrime

Earlier today, a range of U.K. health institutions were hit by a ransomware attack. There are no signs that these institutions were specifically targeted – in fact, in Spain and Portugal, where the same Trojan is also wreaking havoc, the victims are enterprises in other sectors. In other words, chances are that the victims were not singled out in any sense — maybe the only thing that led to them being attacked was that the criminals were able to get email addresses for these organizations.

While it is still unknown who the attackers were, it is clear that their goal was to monetize a scattershot-style attack in which massive numbers of victims pay a relatively small amount to obtain the decryption keys to recover their computer systems. As such, it appears that they have been relatively successful, which of course means that we will see more of the same in the near future.

The WannaCry Trojan, in its current incarnation, was first documented in late March of this year. Unlike most ransomware threats that use social engineering techniques to convince the recipient to click, it was not delivered by email. With ransomware attacks, unless the recipient is protected by updated anti-virus software, his or her computer is encrypted as a result of clicking and a $300 ransom note is delivered. At that point, there is really no option but to pay, unless you have all your data backed up.

Relying on end-user awareness to spot these email attacks is a tenuous countermeasure, as it only takes one person in an organization to be duped, and common attacks typically have a success rate of 10-25% per potential victim. It doesn’t take many employees for this to translate into near-certain success (for the attacker, that is).

The best way to prevent this type of attack is a layered approach that involves both email security technologies and anti-virus (AV) technology. While neither of these individual technologies is a silver bullet, together they are a meaningful defense. AV technologies block known threats, and commonly also use sandbox technologies to identify undesirable attachments. Email security technologies identify incoming emails that are sent from strangers, or from familiar accounts that appear to have been compromised, and which contain high-risk attachments.

However, it is important to note that not all AV products are equal, nor are all email security technologies. For example, AV technologies that focus squarely on blacklisting are easily circumvented by motivated attackers, and are only effective if patches are installed. Moreover, many organizations are still under the impression that spam filters can protect them against malicious emails. This is a grave misunderstanding. Spam filters, somewhat oversimplified, look for emails that contain words like “Viagra” – which ransomware emails, of course, do not. Instead, typical ransomware emails mention a neglected invoice, an important memo or a salacious news item, hoping that the recipient will be tricked into clicking on the link or attachment.
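
The gap described above, shown as an added example that is not from the original post: a keyword spam filter and a sender-plus-attachment check run over four constructed messages. The word list, extension list, known-sender set, addresses and the quarantine/review policy are all assumptions made for illustration.

```python
from email.message import EmailMessage
from email.utils import parseaddr
import os

# All lists and messages below are constructed for illustration (assumptions).
SPAM_WORDS = {"viagra"}                                   # keyword model from the text
HIGH_RISK_EXT = {".exe", ".scr", ".js", ".vbs", ".docm"}  # assumed risky attachment types
KNOWN_SENDERS = {"billing@supplier.example"}              # assumed prior correspondents

def build(sender, subject, body, attachment=None):
    """Construct a sample message, optionally with a placeholder attachment."""
    msg = EmailMessage()
    msg["From"], msg["Subject"] = sender, subject
    msg.set_content(body)
    if attachment:
        msg.add_attachment(b"placeholder", maintype="application",
                           subtype="octet-stream", filename=attachment)
    return msg

def keyword_spam_filter(msg):
    """True if the subject or plain-text body contains a listed spam word."""
    body = msg.get_body(preferencelist=("plain",))
    text = f"{msg['Subject']} {body.get_content() if body else ''}".lower()
    return any(word in text for word in SPAM_WORDS)

def layered_check(msg):
    """Verdict from sender familiarity plus attachment risk."""
    sender = parseaddr(str(msg["From"]))[1].lower()
    risky = any(
        # the final extension decides how the file opens: "invoice.pdf.js" is ".js"
        os.path.splitext((part.get_filename() or "").lower())[1] in HIGH_RISK_EXT
        for part in msg.iter_attachments()
    )
    if not risky:
        return "deliver"
    # Assumed policy: strangers are quarantined; a familiar account sending a
    # risky file may be compromised, so it is held for review.
    return "review" if sender in KNOWN_SENDERS else "quarantine"

SAMPLES = {
    "spam": build("promo@bulk.example", "Cheap Viagra", "Buy now"),
    "lure": build("Accounts <ap@unknown-vendor.example>", "Overdue invoice",
                  "Please see the attached invoice.", "invoice.pdf.js"),
    "routine": build("billing@supplier.example", "May invoice", "Attached.", "invoice.pdf"),
    "odd": build("billing@supplier.example", "Important memo", "See memo.", "memo.docm"),
}

if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        print(name, keyword_spam_filter(msg), layered_check(msg))
```

The invoice-themed sample passes the keyword filter untouched and is caught only by the second check, while the spam sample is caught only by the first.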
