Earlier today, a range of U.K. health institutions were hit by a ransomware attack. There are no signs that these institutions were specifically targeted – in fact, in Spain and Portugal, where the same Trojan is also wreaking havoc, the victims are enterprises in other sectors. In other words, chances are that the victims were not singled out in any sense — maybe the only thing that led to them being attacked was that the criminals were able to get email addresses for these organizations.
While it is still unknown who the attackers were, it is clear that their goal was to monetize a scattershot-style attack in which massive numbers of victims each pay a relatively small amount to obtain the decryption keys and recover their computer systems. So far, they appear to have been relatively successful, which of course means that we will see more of the same in the near future.
The WannaCry Trojan, in its current incarnation, was first documented in late March of this year. Unlike most ransomware threats, which use social engineering techniques to convince the recipient to click, it was not delivered by email. In a typical email-borne ransomware attack, unless the recipient is protected by up-to-date anti-virus software, clicking results in his or her computer being encrypted and a $300 ransom note being delivered. At that point, there is really no option but to pay, unless you have all your data backed up.
Relying on end-user awareness to spot these email attacks is a tenuous countermeasure, as it only takes one person in an organization to be duped, and common attacks typically have a success rate of 10-25% per potential victim. It doesn't take many employees for this to translate into near-certain success (for the attacker, that is).
The best way to prevent this type of attack is a layered approach that involves both email security technologies and anti-virus (AV) technology. While neither of these individual technologies is a silver bullet, together they are a meaningful defense. AV technologies block known threats, and commonly also use sandbox technologies to identify undesirable attachments. Email security technologies identify incoming emails that are sent from strangers, or from familiar accounts that appear to have been compromised, and which contain high-risk attachments.
However, it is important to note that not all AV products are equal, nor are all email security technologies. For example, AV technologies that focus squarely on blacklisting are easily circumvented by motivated attackers, and are only effective if signature updates and patches are installed. Moreover, many organizations are still under the impression that spam filters can protect them against malicious emails. This is a grave misunderstanding. Spam filters, somewhat oversimplified, look for emails that contain words like "Viagra", which ransomware emails, of course, do not. Instead, typical ransomware emails mention a neglected invoice, an important memo or a salacious news item, hoping that the recipient will be tricked into clicking on the link or attachment.
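To make the difference between a keyword-based spam filter and the kind of email security check described above concrete, here is an added illustration that is not part of the original post and not any vendor's product code. It builds three constructed sample messages with Python's standard `email` library (a classic spam, an invoice lure from an unknown sender carrying a high-risk attachment, and a routine PDF from a known contact), runs an oversimplified word-list spam filter over them, and then applies a risk check that looks at sender familiarity, lure phrasing and attachment type instead. The sender addresses, contact list, extension list and phrase lists are all assumptions chosen for the example.

```python
import email.utils
import re
from email.message import EmailMessage

# Hypothetical policy values for this example; a real gateway would use
# far richer lists and reputation data.
HIGH_RISK_EXTENSIONS = {".exe", ".js", ".vbs", ".scr", ".docm", ".xlsm", ".zip"}
SPAM_WORDS = {"viagra", "casino", "lottery"}
LURE_PHRASES = {"invoice", "overdue", "memo", "urgent"}

# Constructed contact list: addresses this organization has corresponded with before.
KNOWN_SENDERS = {"alice@partner.example"}


def build_message(sender, subject, body, attachment=None):
    """Construct a sample message; attachment is an optional (filename, bytes) pair."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "accounts@example.org"
    msg["Subject"] = subject
    msg.set_content(body)
    if attachment is not None:
        name, data = attachment
        msg.add_attachment(data, maintype="application",
                           subtype="octet-stream", filename=name)
    return msg


def words_in(msg):
    """Lower-cased words from subject and plain-text body."""
    part = msg.get_body(preferencelist=("plain",))
    body = part.get_content() if part is not None else ""
    text = str(msg["Subject"] or "") + " " + body
    return set(re.findall(r"[a-z]+", text.lower()))


def spam_filter(msg):
    """Oversimplified spam filter: flags only on a fixed word list."""
    return bool(words_in(msg) & SPAM_WORDS)


def email_risk(msg, known_senders):
    """Risk check on sender familiarity, lure wording and attachment type."""
    sender = email.utils.parseaddr(str(msg["From"]))[1].lower()
    names = [p.get_filename() or "" for p in msg.iter_attachments()]
    risky = [n for n in names
             if any(n.lower().endswith(ext) for ext in HIGH_RISK_EXTENSIONS)]
    stranger = sender not in known_senders
    lure = bool(words_in(msg) & LURE_PHRASES)
    if risky and (stranger or lure):
        verdict = "quarantine"   # high-risk file from a stranger or with lure wording
    elif risky:
        verdict = "review"       # high-risk file, but from a familiar sender
    else:
        verdict = "deliver"
    return {"sender": sender, "stranger": stranger, "lure": lure,
            "risky_attachments": risky, "verdict": verdict}


# Constructed sample messages (the attachment bytes are placeholders, not real files).
SAMPLES = {
    "spam": build_message("deals@promo.example", "Cheap Viagra today",
                          "Buy cheap viagra now."),
    "ransom_lure": build_message("billing@unknown-vendor.example", "Overdue invoice",
                                 "Please see the attached invoice; payment is overdue.",
                                 ("invoice_4471.zip", b"PK\x03\x04 constructed")),
    "legit": build_message("alice@partner.example", "Q2 report",
                           "Hi, the report is attached.",
                           ("q2_report.pdf", b"%PDF- constructed")),
}

if __name__ == "__main__":
    for label, msg in SAMPLES.items():
        print(label, "spam_filter:", spam_filter(msg),
              "risk:", email_risk(msg, KNOWN_SENDERS)["verdict"])
```

Running it shows the point of the paragraph: the word-list filter catches the Viagra message and nothing else, while the invoice lure with a .zip from an unfamiliar sender sails past it and is only caught by the check that looks at who sent the message and what it carries.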