Ransomware operators have grown very skilled in targeting exactly what will compel an organization to pay up, according to Andrew Brandt, principal researcher at Sophos. On the CyberWire’s Hacking Humans podcast, Brandt explained that organizations of all sizes are at risk from targeted ransomware attacks. Earlier ransomware attacks, like WannaCry in 2017, went after any machine that was vulnerable, but newer attacks involve meticulous targeting and staging.
“We don't see quite so many ransomware attacks that target individuals,” Brandt said. “We see that the criminals have realized that they can make a lot more money by targeting organizations that have the deep pockets to pay the ransom but may not have the technical expertise to recover themselves quickly enough to sort of restore business operations. And it becomes a strategic game for the ransomware operators, where they're trying to do just enough damage that they push people into the paying-the-ransom decision instead of just trying to fix it themselves by recovering from backups or, you know, what have you.”
In order to penetrate an organization, attackers only need one point of entry from which to launch additional attacks and spread throughout the network. Brandt explained that organizations need to train their employees to defend themselves against these initial attacks.
“IT security, in particular, depends on, basically, everyone in the company being on the front lines,” he said. “And they need people to be their eyes and ears. And if the employees feel that they're not being treated respectfully by the security folks, being told that, oh, that was a really dumb thing to do - anybody can be fooled by a phishing attack. Even I can be fooled. I have very nearly clicked malicious links, and I do this for a living. So, if I can be fooled, anybody can be fooled. And so, you should just be open to listening to people. And when they tell you something is going on that's not right, trust their instincts and at least take a look.”
Most ransomware attacks are caused by employee error, such as falling for a phishing email or using weak authentication. New-school security awareness training can prepare all of your employees to face these threats.
The CyberWire has the story: https://thecyberwire.com/podcasts/cw-podcasts-hh-2020-01-16.html