You've got … malware. As the COVID-19 pandemic swept the U.S., attorneys at Culhane Meadows, a law firm that practices across seven states and the District of Columbia, received an email appearing to come from Johns Hopkins University School of Medicine. But a link that promised to ferry users to the program's interactive outbreak map, with the latest confirmed infection and mortality statistics, actually led them to a third-party malware site designed to gain access to corporate data.
According to Kimberly Verska, managing partner, data security attorney and CIO, it was one of three separate pandemic-related phishing attacks to hit Culhane Meadows in a single week. Fortunately, the firm's users recognized the emails as suspicious and forwarded them to security leaders, effectively evading a possible breach.
"Your weakest link is basically always going to be people, especially if they are a little discombobulated," Verska said, stressing the importance of security awareness training in mitigating ransomware threats during times of crisis.
Hackers exploit the chaos, stress and grief that pandemics and other global emergencies cause, preying on users' heightened vulnerability. Endpoint security vendor VMware Carbon Black reported seeing a surge in ransomware attacks during the COVID-19 crisis, up 148% in March 2020 compared to baseline levels the previous month. Activity spikes reportedly correlated with breaking news developments, such as public health emergency declarations. Security vendor Barracuda Networks said it saw a 667% increase in COVID-themed spear phishing emails between February and March.
"There's a deluge of opportunistic attacks," said Jinan Budge, principal analyst at Forrester Research. She cited one campaign that reportedly targeted colleagues of pandemic victims, claiming to have messages for them left behind by their deceased co-workers. "It's really, really horrible."
Kimberly VerskaManaging partner and CIO, Culhane Meadows
Tony Buffomante, principal and global cybersecurity practice co-leader at professional services consultancy KPMG, said he has observed a significant increase in phishing attacks since COVID-19 started.
"KPMG's clients are reaching out for help in responding to data breaches and malware infections. It's something they are dealing with on a daily basis," Buffomante said.
Difficult times, difficult choices
The considerable challenge of mitigating ransomware and phishing attacks during a pandemic presents unique dilemmas for security leaders, Budge said. For example, simulating pandemic-themed phishing campaigns as part of internal security awareness training efforts can be complicated. Forewarned is forearmed, supporters argue, but skeptics see such initiatives as potentially insensitive or even offensive. "These are not simple decisions," Budge said.
Thomas Johnson, CISO at ServerCentral Turing Group, a colocation, cloud and disaster recovery provider based in Chicago, said he faced some internal criticism for running a COVID-19-related phishing simulation during the early days of the pandemic response.
"Everyone was like, 'Why did you do that during our first week working from home? It's already chaos.' That's exactly when I want you to be thinking about this stuff, when your guard is down," Johnson said.
Joseph Blankenship, senior analyst for security and risk at Forrester, said his firm has had a "healthy debate" on whether their own internal phishing simulation campaigns should use COVID-19 lures.
"I think it's a really fine line that security teams must walk," Blankenship said. While organizations need to prepare users for emerging pandemic-related threats, in his opinion, they should avoid creating undue, additional stress at a time when employees are already anxious and distracted.
His advice: Never chastise users who fall for simulated phishing attacks by saying, "Wow, I can't believe you clicked on that -- you get a demerit." Instead, he recommended reiterating that such phishing attacks are out there, what they look like and to be especially careful.
Pandemic-specific security awareness training sessions are also important in preparing users for an onslaught of related phishing attacks, Verska said. However, remote learning can pose unique challenges -- especially for teams that are new to work from home and are accustomed to the built-in accountability of in-person interactions.
"You really need two things: the training itself -- with examples of real-world phishing -- and people who are listening," Verska said.
To encourage participants to pay attention despite inevitable, at-home distractions, Verska has them complete brief questionnaires that review what they learned at the conclusion of web-based training sessions. "You need to find a substitute for the face-to-face meeting dynamic," she said.
A layered approach and the cloud advantage
Blankenship said mitigating ransomware threats during a pandemic requires a layered approach, coupling security policies and awareness training with technical controls, such as email filtering and antimalware software.
"As much as we train people, they will always make mistakes," he said. "It's entirely possible that even an experienced security person can fall victim to a phishing or fraud campaign, especially during times of stress and distraction."
Advanced security tools act as a safety net, mitigating ransomware attacks that do manage to make it past the user.
James Carder, CSO and vice president at SIEM provider LogRhythm, based in Boulder, Colo., said his organization's zero-trust security framework helped it stay vigilant, even while abruptly transitioning to a fully remote work environment, in compliance with social distancing guidelines.
"We've got full visibility into where our employee base is, what's happening on their computers, etc., which has been great," Carder said. "We can see all the metadata associated with ingoing and outgoing emails, and we built detection and automation mechanisms around that."
As a fully remote firm without permanent physical office space, Culhane Meadows also found itself at a technological advantage when the COVID-19 pandemic hit, thanks to its cloud-based infrastructure and aggressive encryption policies, Verska said. Stay-at-home orders complicated normal business and security operations but didn't compromise them.
Many law firms have central services that users access via VPNs, according to Verska. Once inside, threat actors can move laterally within a network, plundering or encrypting the bulk of an organization's confidential data. "In contrast, if I click on the wrong link, someone can't use my credentials to bring the entire law firm to a halt," she said.
Blankenship agreed organizations already making use of the cloud are likely better positioned to quickly and securely meet work-from-home requirements during a pandemic, while many companies with on-premises infrastructure will struggle to enable a secure, distributed environment. Some, he added, have also had to send employees home with outdated endpoints or ask them to use their own devices -- both of which make a network vulnerable to threat actors.
"They have to force users to come back through the corporate network, via a VPN or another secure access tool, in order for their security stack to work," Blankenship said, "while those that have moved to cloud-based access can deliver security through the cloud provider."
Medicalodges Inc., an assisted living company, relies on hourly, cloud-hosted VM backups as insurance against phishing attacks and other cybercrime, according to consulting CIO Stephen Arndt. Doing so, he said, mitigates ransomware fallout should hackers successfully breach the system.
"I had a previous client get hit with [cryptoransomware], and we were able to trace the entry path and use the VM backup to restore everything to normal within three hours or so," Arndt said. "But, if you don't have something like a cloud-hosted VM backup, you're toast."