In another highly visible ransomware event, Techcrunch recently reported that Congress was warned about ransomware attacks that were impacting the House of Representatives. While ransomware is by no means new, Congress was warned that these attacks were personalized and are specifically targeting third-party email services such as Yahoo or Gmail. Additionally, Congress was warned that their machine could be encrypted by simply clicking the link within the message.
While there is measurable risk to Congress or any other enterprise when it comes to ransomware, we did want to add some insights into the threat vector. First and foremost, while the risk to all organizations is very real, and, historically, very successful, these attacks are by no means targeting only third-party email services. Our PhishMe Intelligence team has been analyzing this threat for years, and these malware based phishing attacks continue to target all organizations – not just third-party email services. We believe that the personalized nature of these emails is the continued soft targeting of recipients that threat actors have been adopting more frequently over the past few months. Delivery utilizing soft targeting includes information that attempts to socially engineer the recipient to believe that it’s legitimate and to interact with the message. Once the user has done this, the malware will begin to perform its task, which, in the case of ransomware, begins to encrypt the machine as well as any network shares that the machine is connected to.
The challenge that Congress or any enterprise has is, once again, the constant adaptation of attackers tactics and their effectiveness in bypassing technical controls. The infection point for Congress may have been those third-party email providers, which, obviously, wasn’t against their Acceptable Use Policy at the time, and therefore allowed. One of the largest challenges for any IR team is the blending of corporate culture/policy versus enterprise security. In allowing access to third-party email, the security requirements shift for an organization from their own email protections to the hosting provider, as well as to their outbound network controls blocking the network activity. Unfortunately, in the case of many organizations, things still get through, and they end up with an outbreak to contain.
We strongly encourage organizations to work with their employees to be aware of the risks, as well as condition them to remain vigilant when reading their email. That conditioning will not just apply to their corporate email; those employees leverage the same level of scrutiny against their personal email as well.