Pandemics, like the one we're currently facing, present a perfect opportunity for malicious actors to target organizations and users. Coronavirus-themed phishing and ransomware have emerged as security challenges that infosec professionals must be able to recognize, prevent and respond to quickly. Embedded in this guide are links that will help you learn more about identifying and dealing with the latest COVID-19 cybersecurity threats.
Impact of coronavirus on cybersecurity
COVID-19, the disease caused by the novel coronavirus, is being used as a lure for pandemic-themed ransomware and phishing attacks. Since the outbreak began in China in late 2019, coronavirus-themed malware has done enough damage to network and user security that members of the infosec community formed a cross-industry volunteer coalition to monitor, analyze and block pandemic-themed threats worldwide.
Security pros are focused on ransomware in particular: a subset of malware that locks the data on a victim's computer until a ransom is paid. Attackers typically encrypt the files to block access to them and demand payment in a cryptocurrency such as bitcoin. Phishing is the usual delivery tactic: targeted emails or disinformation campaigns that lure users into giving up credentials or clicking a link, which in turn sets off a ransomware or other malware infection.
Addressing the malware threat is costly for companies and individuals alike. The FBI reported that, between the fall of 2013 and 2019, approximately $144.35 million in ransomware payments were made in bitcoin alone.
Ransomware attacks have increased dramatically since COVID-19 first appeared, including a 148% surge in March 2020 compared with February, according to data collected by VMware Carbon Black. The associated malware has stolen financial information and other valuable personal data and turned victims' computers into cryptomining zombies.
Because the pandemic is global, its impact on security will be widespread and long lasting; it is one of the largest, if not the largest, concentrations of different cyberattack types around a single theme. Healthcare, manufacturing and pharmaceutical companies are among the most heavily targeted, along with educational institutions and city, state and local governments.
As the "Risk & Repeat" podcast explained, bad actors are getting more efficient in their use of malicious URLs, lures and misinformation campaigns to spark ransomware and phishing attacks.
Malware strains are becoming more damaging and more tailored to specific targets, and malicious actors increasingly favor a smaller number of high-value victims over a large volume of indiscriminate attacks. As a result, infosec professionals must be able to recognize the types of attacks coming their way, and they need heightened network and email security policies and procedures, strong risk management and incident response strategies, and a well-informed, savvy user base.
How to recognize phishing scams and ransomware attacks
Phishing emails come in many varieties: some ask recipients to click a malicious link, some carry attachments that conceal malware, and some simply seek a reply that starts an information-gathering conversation. One security researcher chronicled his experience with a phisher who sent an email that appeared to come from the researcher's supervisor.
Phishing has an established vocabulary. Spear phishing, the type of attack the researcher experienced, uses a spoofed email that appears to come from a user's manager or another known party; its goal is to acquire critical information such as trade secrets or client data, and the user's reply starts the relationship-building the attacker needs. Whaling (also called whale phishing) refers to phishing scams that target members of the C-suite.
The tactics in phishing scams rely heavily on social engineering: a human is tricked into doing something such as clicking a link, opening an attachment, replying to the message or offering up personal or corporate information. Instead of having to brute-force their way into systems, attackers need only convince users to unwittingly hand over their credentials or run malware that logs keystrokes or performs other malicious actions.
Nearly all cyberattacks rely on human interaction to work -- 99%, according to a report by security company Proofpoint. Later in this guide, you'll learn how to inform users about their role in stopping threats.
Phishing as a service has emerged as an alternative platform for attackers to host malicious links and landing pages. These cloud-based services, attractive to amateur and experienced cybercriminals alike, offer kits with built-in evasion techniques, such as blocking security scanners from inspecting the page, HTML character encoding that hides the page's content and URLs from filters, and placing the phishing URL inside an attachment rather than in the message body.
Once malware, including ransomware, is unleashed, it can prove devastating. For instance, a malware attack against a network of pediatric offices in Boston crippled infrastructure so badly that patients were forced to reschedule appointments. While system administrators were able to quarantine the affected machines, it took time to fully restore operations.
Coronavirus-themed attackers exploit users' hunger for information about COVID-19, and their fears, by sending emails that pretend to come from trusted sources such as the World Health Organization and the Centers for Disease Control and Prevention. Some attach pandemic-themed malicious files disguised as PDF, DOCX or MP4 documents. Others embed a malicious link or image in the email that, when clicked, installs a Trojan or keylogger to track and harvest credentials.
Experts worry that users' intense interest in pandemic information will lead them straight into ransomware traps, turning a personal security risk into an organizational one.
Mobile devices expose users to an even wider array of threats. For example, when employees travel, they often search for available Wi-Fi networks and connect to whichever has the strongest signal. Joining a malicious access point can lead them directly into a malware trap.
How network security and better data backup prevent threats
Network security plays an instrumental role in preventing, detecting and mitigating pandemic-themed cyberattacks.
Configuring your network for a stronger posture against attackers who target it is not that difficult. Here are some basic rules:
- Patch your network and make sure all software is up to date.
- Deploy advanced malware tools that handle non-signature-based and cloud-based threats, with application allowlisting (whitelisting), monitoring and blocking capabilities.
- Agree on a backup strategy that limits the damage if your data is encrypted and held for ransom.
- Segment your network to ensure an attack doesn't take down your entire enterprise.
- Lock down your endpoints and enforce security policies using firewalls and other security controls.
- Use separate credentials for network and backup storage so that even if the network is compromised, the storage isn't, and recovery from backup remains possible.
- Assess your vulnerabilities from the vantage point of phishing and ransomware. Document your findings and work to alleviate weak points.
Tracking operational metrics such as mean time to detect and mean time to repair gives security teams a way to measure how quickly they find and contain incidents, and where to improve. Review your security policies and procedures regularly, and test them rather than just reading them. Finally, train cybersecurity team members on all the mitigation resources available to them.
Don't be surprised if traditional malware detection methods struggle to keep up with emerging threats such as pandemic-themed campaigns. Malicious actors have proven expert at obfuscation: repacking or trivially modifying a sample changes its hash and defeats exact signature matching, so security teams need to think past hash-based and signature-based detection toward behavioral and similarity-based methods.
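The following is an added example, written for this guide rather than taken from the original article or any vendor product, that shows why the hash-based approach fails and what survives. It builds a constructed stand-in for a ransomware sample (the ELF header, filler bytes, ransom-note text and bitcoin address are all invented for illustration), then compares three detectors against a trivially "repacked" variant: an exact SHA-256 blocklist, a content rule in the spirit of a YARA signature, and a simple byte-window similarity score. The 0.6 similarity threshold is an assumption chosen for this toy sample.

```python
import hashlib
import re

# Constructed stand-in for a ransomware sample: an ELF-like header, filler,
# and the strings such a payload would need to carry (ransom note text, a
# bitcoin address, the drop-file name). This is not real malware.
ORIGINAL_SAMPLE = (
    b"\x7fELF" + b"\x00" * 32
    + b"All your files have been encrypted. Send 0.5 BTC to "
    + b"1BoatSLRHtKNngkdXEeobR76b53LETtpyT"
    + b" to recover them. README_TO_DECRYPT.txt"
    + b"\x90" * 64
)

# Hash-based blocklist: the SHA-256 of every sample seen before.
KNOWN_BAD_HASHES = {hashlib.sha256(ORIGINAL_SAMPLE).hexdigest()}


def hash_blocklist_hit(sample: bytes) -> bool:
    """Exact-match detection. Fires only if the bytes are identical."""
    return hashlib.sha256(sample).hexdigest() in KNOWN_BAD_HASHES


# Content rule in the spirit of a YARA signature: key on artifacts the
# attacker cannot strip without breaking the extortion workflow itself.
RANSOM_NOTE_RE = re.compile(rb"files have been encrypted", re.IGNORECASE)
BTC_ADDRESS_RE = re.compile(rb"\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b")


def content_rule_hit(sample: bytes) -> bool:
    """Fires on ransom-note wording combined with a bitcoin address."""
    return bool(RANSOM_NOTE_RE.search(sample) and BTC_ADDRESS_RE.search(sample))


def shingles(data: bytes, n: int = 8) -> set:
    """All n-byte windows of the input, the raw material of a similarity hash."""
    return {data[i:i + n] for i in range(len(data) - n + 1)}


def similarity(a: bytes, b: bytes) -> float:
    """Jaccard similarity of two byte-window sets: 0.0 (unrelated) to 1.0 (identical)."""
    sa, sb = shingles(a), shingles(b)
    union = sa | sb
    return len(sa & sb) / len(union) if union else 0.0


def repack(sample: bytes, seed: int) -> bytes:
    """Simulate the attacker's trivial 'repack': swap the padding bytes and
    append seed-dependent junk. Functionality is untouched; every hash changes."""
    junk = bytes((seed * 31 + i) % 256 for i in range(16))
    return sample.replace(b"\x90" * 64, b"\xcc" * 64) + junk


def verdicts(sample: bytes, threshold: float = 0.6) -> dict:
    """Run all three detectors against a sample and report which ones fired."""
    return {
        "hash_blocklist": hash_blocklist_hit(sample),
        "content_rule": content_rule_hit(sample),
        "similar_to_known": similarity(sample, ORIGINAL_SAMPLE) >= threshold,
    }


if __name__ == "__main__":
    print("original:", verdicts(ORIGINAL_SAMPLE))
    for seed in range(3):
        print(f"variant {seed}:", verdicts(repack(ORIGINAL_SAMPLE, seed)))
```

Every repacked variant misses the hash blocklist while still tripping the content rule and scoring as a near-duplicate of the known sample; production tooling would use a proper fuzzy hash (ssdeep, TLSH) and sandbox behavior rather than this byte-window sketch, but the reason hash lists alone fall behind is the same.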
You also need to rethink traditional hardware-based security systems that protect employees only while they are on premises because, for most organizations, the network perimeter has disappeared. Instead, institute security that follows employees wherever they go, including home during a pandemic: mobile device security, multifactor authentication and controls that account for the vast amount of data employees can access from remote locations.
A zero-trust model, in which no user, device or connection is trusted simply because of where it sits on the network and every access request is authenticated and authorized, helps companies stay alert as they transition to a largely remote workforce. Applied to email, the same principle means collecting the metadata of inbound and outbound messages and building threat detection and automated mitigation on top of it.
Ransomware recovery and data backup processes
One way to lessen the impact of a ransomware attack is to ensure your backup and recovery processes are top notch. Having backups is only half the battle, though: organizations must periodically test their recovery procedures, confirm that backups are kept offline or otherwise out of reach of the credentials an attacker would capture, and make sure they have adequate bandwidth to restore the systems prioritized for recovery within the expected time.
All of this should be part of your ransomware incident response plan, and a tabletop exercise that tests your organization's response to a cyberattack should be a requirement as well. Note which security and storage tools offer ransomware prevention, blocking or recovery functionality. After the exercise, assess how well you were able to recover to a known good state, and work to eliminate the obstacles you encountered.
If recovery isn't going to work, difficult decisions await: pay the ransom or rebuild the systems from scratch. Whichever you choose, report the incident to internal oversight committees and to the relevant government authorities. Neither option is ideal, and each has pros and cons to weigh; paying, in particular, does not guarantee a working decryptor.
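To make "test your recovery" concrete, here is an added example written for this guide (it is not code from the original article or from any backup product). It records a SHA-256 manifest of a file tree at backup time and, after a restore, checks every file against that manifest, reporting files that went missing, files whose content changed, and new files carrying a ransomware-style extension. The directory, file names, contents and the extension list are all constructed for the demonstration; the manifest itself should live with the backup on storage that production credentials cannot write to, in line with the credential-separation rule above.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Extensions ransomware families often append to encrypted files. A constructed,
# illustrative list for this example, not an authoritative indicator feed.
SUSPICIOUS_EXTENSIONS = {".locked", ".encrypted", ".crypt", ".enc"}


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large backups need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file's path (relative to root) to its hash at backup time.
    Store this with the backup, on media the production credentials cannot
    write to, so an attacker who encrypts the tree cannot also rewrite the record."""
    return {str(p.relative_to(root)): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_restore(restored_root: Path, manifest: dict) -> dict:
    """Compare a restored tree with the manifest. Reports files that are missing,
    files whose content changed, and new files with a ransomware-style extension."""
    report = {"missing": [], "modified": [], "suspicious_extra": []}
    for rel, expected in manifest.items():
        path = restored_root / rel
        if not path.is_file():
            report["missing"].append(rel)
        elif sha256_file(path) != expected:
            report["modified"].append(rel)
    for path in sorted(restored_root.rglob("*")):
        rel = str(path.relative_to(restored_root))
        if path.is_file() and rel not in manifest and path.suffix in SUSPICIOUS_EXTENSIONS:
            report["suspicious_extra"].append(rel)
    return report


def restore_is_clean(report: dict) -> bool:
    """True only when nothing is missing, modified or suspicious."""
    return not any(report.values())


def demo() -> tuple:
    """Constructed scenario: snapshot a small tree, verify it, then verify again
    after simulating what ransomware does to it (overwrite, rename, edit)."""
    with tempfile.TemporaryDirectory() as tmp:
        tree = Path(tmp, "fileshare")
        tree.mkdir()
        (tree / "ledger.xlsx").write_bytes(b"constructed spreadsheet bytes")
        (tree / "notes.txt").write_text("constructed meeting notes")
        manifest = build_manifest(tree)
        clean_report = verify_restore(tree, manifest)

        (tree / "ledger.xlsx").write_bytes(os.urandom(32))          # 'ciphertext'
        (tree / "ledger.xlsx").rename(tree / "ledger.xlsx.locked")  # typical rename
        (tree / "notes.txt").write_text("constructed meeting notes, edited")
        tampered_report = verify_restore(tree, manifest)
        return clean_report, tampered_report


if __name__ == "__main__":
    clean, tampered = demo()
    print("clean restore:", clean, restore_is_clean(clean))
    print("tampered restore:", tampered, restore_is_clean(tampered))
```

Run this as part of the recovery drill: a restore that is not clean means either the backup was taken after the encryption started or the restore path itself is broken, and both are findings to fix before the real incident.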
Organizations must also account for the perils of cloud storage, which is not immune to ransomware. Security teams should ask their vendors about their testing, evaluation and upgrade strategies for preventing attacks, and specifically about their plans for ransomware detection, quarantine and removal.
Questions to ask include the following:
- What tools are they using?
- What is the detection rate?
- What is the file-loss rate?
- How fast do these tools detect ransomware?
- What is their defense-in-depth posture?
Email security and COVID-19
Spear phishing has an even more nefarious subset: evasive spear phishing. The difference is that the attackers spend more time and resources on research and intelligence gathering to ensure their efforts stay undetected. For instance, evasive spear phishers often use a single-use email address, and their messages are sometimes sent from within a trusted system -- such as a compromised supply chain partner's account -- to gain credibility. Their typical lures are older-generation Microsoft Office documents (the legacy binary formats, which can carry macros) or PDFs. Because each message is unique and the sending infrastructure is disposable, the email security tools on the market today struggle to detect evasive spear phishing reliably.
That said, it's always good policy to take precautions with email. Kevin Tolly, of third-party validation and testing service The Tolly Group, recommended reviewing existing configurations, hardening logins to protect credentials, verifying threat intelligence networks, utilizing mailbox intelligence and performing deep link inspections, among other processes.
Email security gateways help keep noncompliant messages from reaching their destinations. They come in many forms, including software on a server, an on-site hardware appliance, an on-site virtual appliance, a cloud-based service or a hybrid of on site and cloud, and they provide more sophisticated detection and prevention capabilities than legacy antivirus or antiphishing tools.
User awareness training
Pandemic-themed phishing and ransomware attacks put a spotlight on the need for heightened user awareness. Malicious actors use lures that prey on people's fears and their thirst for information about COVID-19 and its impact; some emails even promise updates on stimulus check delivery and other economic issues surrounding the outbreak.
From the day they start with the organization, users should be trained in the basics of how to recognize and avoid phishing attacks. Infosec teams should hammer home these best practices:
- Never reply to a suspicious message or click on its attachments or links.
- Never trust an email that asks for personal, corporate, financial or other sensitive information.
- Never copy and paste links from suspicious emails.
- Never click on untrusted, shortened URLs as they might be masking a link to malware.
- Always look for typos because many phishing emails contain grammatical errors and misspelled words.
- Always check the sender's actual address, not just the display name, and be wary if you don't recognize it.
Organizations can reinforce these warnings by running tests that simulate a phishing attack. The results show which users respond to the lure and provide an engagement point to help them understand the severity of the threat.
An in-house phishing campaign is an important part of security awareness training, alerting users to the danger cybercriminals present. Free tools are available online, but paid phishing products and services generally offer more value. One approach is to send from an email domain that closely resembles your organization's domain to see whether users notice the slight difference. You can also inject misspellings and grammatical errors to highlight the typical signs of a phishing email and show users what to look for in a suspicious message.
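The lookalike domains used in these simulations are the same ones real attackers register, so it is worth seeing how a gateway or mail client can catch them mechanically rather than relying on the user's eye alone. The following is an added example written for this guide (not code from the original article or from any awareness-training product). It classifies a sender domain or URL host against the organization's domain, catching homoglyph swaps (exarnple.com, examp1e.com), top-level-domain swaps (example.co), single typos, the brand name embedded in a longer domain, and the organization's domain used as a leading label of an attacker's host (example.com.covid-updates.example.net). The confusables table is an illustrative subset, "example.com" is an assumed organization domain, and the two-label registrable-domain shortcut is a stated simplification of the Public Suffix List.

```python
# Character substitutions commonly used to imitate a domain name. An
# illustrative subset chosen for this example, not an exhaustive confusables table.
CONFUSABLES = {
    "rn": "m", "vv": "w", "cl": "d", "nn": "m",
    "0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b", "9": "g",
}


def canonicalize(label: str) -> str:
    """Fold look-alike sequences into the letters they imitate. Applied to both
    the candidate and the real domain, so legitimate names are not penalized."""
    label = label.lower()
    for fake, real in sorted(CONFUSABLES.items(), key=lambda kv: -len(kv[0])):
        label = label.replace(fake, real)
    return label


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: the number of single-character edits turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(domain: str) -> str:
    """Last two labels, e.g. 'mail.example.com' -> 'example.com'. Adequate for this
    example; production code should consult the Public Suffix List so that a name
    like 'example.co.uk' is not reduced to 'co.uk' (simplifying assumption)."""
    return ".".join(domain.lower().strip(".").split(".")[-2:])


def lookalike_verdict(candidate: str, org_domain: str) -> str:
    """Classify a sender domain or URL host relative to the organization's domain
    as 'exact', 'subdomain', 'lookalike' or 'unrelated'."""
    cand, org = candidate.lower().strip("."), org_domain.lower().strip(".")
    if cand == org:
        return "exact"
    if cand.endswith("." + org):
        return "subdomain"        # under the organization's own DNS
    if cand.startswith(org + "."):
        return "lookalike"        # example.com.evil.net: org name as leading labels
    cand_reg, org_reg = registrable(cand), registrable(org)
    if "." not in cand_reg or "." not in org_reg:
        return "unrelated"
    cand_name = canonicalize(cand_reg.rsplit(".", 1)[0])
    org_name = canonicalize(org_reg.rsplit(".", 1)[0])
    if cand_name == org_name:
        return "lookalike"        # homoglyphs (exarnple.com) or TLD swap (example.co)
    # Short brand names would produce too many false positives for these two tests.
    if len(org_name) >= 5 and (org_name in cand_name or edit_distance(cand_name, org_name) <= 1):
        return "lookalike"        # brand embedded (example-covid19.com) or one typo away
    return "unrelated"


def suspicious_hosts(hosts, org_domain: str) -> list:
    """Filter sender domains or URL hosts down to the lookalikes worth blocking or flagging."""
    return [h for h in hosts if lookalike_verdict(h, org_domain) == "lookalike"]


if __name__ == "__main__":
    # Constructed hosts for illustration; none refers to a real registration.
    for host in ("mail.example.com", "exarnple.com", "examp1e.com", "example.co",
                 "example.com.covid-updates.example.net", "example-covid19-relief.com",
                 "unrelated-vendor.org"):
        print(f"{host:45} {lookalike_verdict(host, 'example.com')}")
```

Feeding the From domain and every URL host in a message through lookalike_verdict gives a simulation campaign an objective score (how many users clicked a flagged host) and gives the gateway a rule that does not depend on anyone spotting the difference between rn and m on a phone screen.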
Malicious actors will always take advantage of pandemics and other extreme events to extract some reward from users and organizations. But following the cybersecurity management best practices laid out in this article will help blunt their success.