Author: Dave Bell, President of Cyber Solutions, LLC

 

By now, you’ve likely heard the term “ransomware”. Maybe you’ve even experienced it first-hand. If neither of those is true, let me quickly bring you up to speed with a short story.

Judy is the Office Manager for a construction company. On Friday afternoon, she receives an email from FedEx saying that a delivery cannot be made without her release. She can agree to the release by clicking a link in the email. Since it’s late on a Friday, Judy simply clicks the link, but nothing happens. She figures the link is broken and deletes the email. Unfortunately, simply clicking the link has infected her computer with ransomware. This ransomware goes to work immediately and encrypts any files it can find on her computer, including pictures, Excel spreadsheets and Word documents. In effect, it puts them all in a lockbox. It also puts any files on network drives that reside on the server in that same lockbox. And since ransomware has no mercy, it even grabs files in Dropbox, OneDrive or other file syncing software and tosses them in the lockbox. During this process, the ransomware sends the key needed for the lockbox back to a remote hacker, who holds the key until the ransom is paid.

The above attack is called a “phishing email” attack. A hacker crafts the email to look amazingly legitimate and then sends it out to thousands, even millions, of email users. With those numbers, the odds are pretty good that someone will take the bait.

Let’s take this a step further with something called a “spear phishing” attack. We’ll pick on Judy again. This time Judy receives an email from a vendor requesting a change in banking information. Since Judy pays this vendor electronically, she needs to do a bit more research to be sure it’s legit. The sender’s name checks out. The logo and email signature check out. And since Judy has learned her lesson from the previous story, she reviews the sender’s email domain, which also checks out. Thinking she’s verified everything, Judy updates the vendor’s record with the new banking information requested in the email. Unfortunately, the new banking information is that of the hacker. Any payments from this point on are sent to the hacker.

Why do we call this a “spear phishing” attack? Well, as you can probably tell, it’s a very targeted attack. The hacker took the time to create an email specific to Judy’s vendor, including logo and email signature. Also (and I conveniently failed to share this with you above), the hacker registered a domain that was extremely close to the vendor’s. For example, if the vendor’s email domain was constructioncompany.com, the hacker may register constructionncompany.com. Notice the two n’s in the second one. So, when Judy checked the email domain, she didn’t notice the extra “n”.

In this particular case, the attack is not necessarily on Judy’s company but rather on the vendor. The hacker uses the vendor as bait, and then sends spear phishing emails to all the vendor’s business associates. This is actually a true story that happened to one of our clients. The attack was focused on a vendor, and emails were sent to the business associates, including our client. Thankfully, our client was savvy enough to pick up the phone and make a call to the vendor.

Depending on who you listen to, it’s estimated that the ransomware industry will top $10 billion this year.  If you’re not ready, you’ll add to that number.