With a rash of ransomware attacks on high-profile American companies in recent weeks, the government is urging businesses to fortify their defenses across all verticals. Ransomware has recently gone beyond holding a single business’s data hostage and is now creating mayhem by disrupting critical infrastructure.
We’ll be looking at some of the ways hackers are deploying ransomware in the weeks ahead. All it takes is one employee clicking on one link in one malicious email to unleash a scenario nightmares are made of.
More than just critical infrastructure targeted by ransomware
“That is what keeps me up at night, the thought of ransomware disrupting services and interrupting our ability to serve clients,” an IT supervisor at a non-profit center in New York that helps adults with learning disabilities told Smarter MSP. The ransomware danger is so high right now that the White House issued an urgent warning for businesses to fortify their defenses.
Ransomware’s payload can be delivered in many ways, and one of them in particular gets ignored: the telephone. The phone is often overlooked by CISOs and MSPs, who are instead focused on traditional network security. Twitter was the victim of a high-profile phone phishing breach last summer.
“Hackers are growing increasingly sophisticated. They can often be very convincing using a blend of social engineering, old-fashioned bravado, and seamless spoofing to get the keys to the castle,” Jackson Johnson, a cybersecurity consultant in Austin, Texas, tells Smarter MSP. Sometimes, as with the Twitter breach, the scams will involve actual “call centers” that seem very legitimate.
“The call center fake employees will really lay it on thick and act the part quite well,” Johnson says. “I know of a lumber company in Washington State where a high-ranking executive was tricked, through a phone call, into downloading a supposed bill of sale. That unleashed ransomware for which the company ended up paying $80,000 in Bitcoin.”
Johnson adds that people who fall for these phone calls often do so because the hackers are really good at what they do. They’ll often deliberately time the call for maximum effect.
“For instance, the hackers targeting the lumber company knew from casing his social media accounts that he was preparing to leave for an upcoming conference. He was likely distracted, and the hackers took advantage of that. This approach, while more labor-intensive for the hacker, can be highly effective,” advises Johnson. Part of the phone phishing approach relies on the very nature of the phone itself.
People have gotten increasingly savvy about ignoring emails. Still, a phone call that catches someone off-guard along with a very realistic email directing someone to an actual staffed call center where a real human being walks them through clicking on a link or entering an account number can be very convincing.
“There is a trust with the telephone, and its use conveys a level of personalization that people will fall for in our increasingly impersonal world,” Johnson points out.
Johnson says that even the most seasoned cybersecurity experts can fall prey to a well-hatched hacking attempt because such attempts can be so realistic.
“If something doesn’t seem fake, then there’s no reason for someone not to fall for it. It’s that simple,” Johnson asserts. He advises MSPs and CISOs to take the following steps:
Steps to neutralize the phone
As part of basic cybersecurity training, employees should under no circumstances conduct unsolicited business over the phone.
“If someone calls you and wants a password, wants you to download something, asks you for an account number or a phone number, ask for a phone number to call them back,” Johnson says.
And don’t stop there. Once you have the phone number, do research to make sure it is legitimate. More and more companies are adopting a “two-person sign-off” policy.
“The thing is that it is relatively easy to breach one person, but two is tougher,” Johnson states. Having two people involved before an account number is given, passwords are handed over, or purchases are paid for creates internal checks and balances.
“Of course, this system has to be used selectively. You don’t want to create something so cumbersome that simply paying a bill is unwieldy. Whatever system you come up with has to be streamlined,” he advises.
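The two controls described above, a call-back to an independently verified number and a two-person sign-off, can be written down as a simple policy check so that they are applied the same way every time. The following Python is an added example for this article, not code from Smarter MSP or from Johnson; the organisation names, the directory of trusted numbers and the request details are all constructed placeholders. The key design point it shows is that the number the caller supplies is only ever compared against a number the organisation already holds; it is never dialled on its own authority, and two different employees, not the same person twice, must approve before the sensitive action proceeds.

```python
"""
Policy check for unsolicited phone requests (added example, not from the
original article): verify the caller-supplied call-back number against a
directory the organisation maintains itself, then require sign-off from two
distinct people before a sensitive action (password reset, account number
disclosure, payment) goes ahead.
"""
from dataclasses import dataclass, field

# Constructed sample directory. In practice these numbers come from signed
# contracts, prior invoices or the vendor's own website, never from a caller.
TRUSTED_DIRECTORY = {
    "acme-lumber-supply": "+1-555-0100",  # constructed placeholder number
    "payroll-vendor": "+1-555-0111",      # constructed placeholder number
}


def normalize(number: str) -> str:
    """Keep only the digits so formatting differences cannot defeat the comparison."""
    return "".join(ch for ch in number if ch.isdigit())


def callback_is_verified(claimed_org: str, caller_supplied_number: str) -> bool:
    """True only if the number the caller gave matches the entry we already hold.

    An organisation we have no record of cannot be verified at all, so the
    answer is False rather than 'call the number and see'.
    """
    known = TRUSTED_DIRECTORY.get(claimed_org)
    if known is None:
        return False
    return normalize(known) == normalize(caller_supplied_number)


@dataclass
class SensitiveRequest:
    """One unsolicited request that would hand over data, access or money."""
    action: str
    claimed_org: str
    caller_supplied_number: str
    approvals: set = field(default_factory=set)

    def approve(self, employee: str) -> None:
        # A set means the same person approving twice still counts once.
        self.approvals.add(employee)

    def may_proceed(self) -> tuple:
        """Return (allowed, reason). Both controls must pass."""
        if not callback_is_verified(self.claimed_org, self.caller_supplied_number):
            return False, "call-back number does not match the trusted directory"
        if len(self.approvals) < 2:
            return False, f"needs two distinct sign-offs, has {len(self.approvals)}"
        return True, "verified call-back and two-person sign-off"


def walk_through() -> list:
    """Run the policy over a few constructed requests and return the decisions."""
    decisions = []

    # Caller claims to be a known vendor but gives a number we do not hold.
    spoofed = SensitiveRequest("send bill of sale", "acme-lumber-supply", "+1-555-0199")
    spoofed.approve("alice")
    spoofed.approve("bob")
    decisions.append(spoofed.may_proceed())  # blocked despite two approvals

    # Number matches, but only one person has looked at it.
    legit = SensitiveRequest("pay invoice", "payroll-vendor", "1 (555) 0111")
    legit.approve("alice")
    legit.approve("alice")  # same person again does not count
    decisions.append(legit.may_proceed())  # blocked, still one approver

    legit.approve("bob")
    decisions.append(legit.may_proceed())  # allowed
    return decisions


if __name__ == "__main__":
    for allowed, reason in walk_through():
        print("ALLOW" if allowed else "BLOCK", "-", reason)
```

The check is deliberately cheap to apply so that, as Johnson cautions, routine work such as paying a known vendor's bill is not made unwieldy: the directory lookup and the approval count take seconds, and only requests that fail them need further investigation.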
MSPs have a role to play. “An MSP can’t police every person all the time, but as part of continuing training and education, awareness can be raised about the dangers posed by phone calls that are part of targeted phishing campaigns. Often it is the simple act of raising awareness that can be the firewall between a safe, secure business and one forced to pay a ransom,” Johnson says.
Another area Johnson stresses is for people to simply use the built-in privacy controls on their social media accounts. “There is no reason why the whole world needs to see where you are heading on vacation,” he conveys.
While a company can’t mandate an employee keep an account’s settings private, MSPs can educate and inform employees about the dangers of not doing so. “The less information about a person that is out there, the less likely a hacker will be successful,” Johnson states.
Limiting personal cell phone usage at work is another helpful tool. And one last tip: “If you don’t recognize the number calling your mobile phone, don’t answer it,” he concludes.