Ransomware attacks via email – Things you should know


A ransomware attack is an attempt to extort money from a company by denying it access to its own data. Ransomware is a type of malware, the umbrella term for all malicious code, which also covers computer viruses and worms.

Ransomware is most likely one of your company’s most dangerous cyber threats. Why? Because, over the last few years, criminal gangs that create malware and run ransomware as a service have perfected a new, more targeted approach to these attacks — for which metrics are much more difficult to come by.

Just because some criminals are focusing on remote-access-enabled servers as a ransomware attack vector doesn’t mean you should ignore the others. Email attachments are still being used by some criminals to install malware that serves as the first stage of a compromise that leads to ransomware.

They could use this vector to deliver downloaders that install malware on the machine of the email recipient or gain access to a networked machine within an organization. As is often the case with targeted ransomware attacks via RDP, that foothold can be used to attempt to steal valuable data and encrypt files throughout the organization before demanding a large ransom.

Email is one of the most common vectors for botnets like Trickbot, Qbot, and Dridex, which use Microsoft Office documents with malicious macros as the initial intrusion and ransomware as the payload. Emotet has previously been linked to Qbot, Trickbot, Ryuk, and Conti; Dridex has previously been linked to FriedEx (aka BitPaymer); Nemucod has previously been linked to Avaddon, Dridex, Ursnif, and Trickbot; and SmokeLoader and Zloader have previously been linked to LockBit and Crysis. Emotet was shut down by law enforcement at the start of 2021, resulting in a significant drop in the number of downloaders spread via email.

Malicious actors using malicious macros remained the top email threat in 2021, despite a significant decrease in downloaders. In January, an increase in emails delivering malicious Office documents was traced to Dridex and Emotet downloaders.

Trickbot, another popular botnet, was disrupted in October 2020. Nonetheless, it appears to have been a one-time setback. In January 2021, its operators launched a new phishing campaign for legal and insurance firms in North America. It appears that additional efforts will be required in the future to finally get rid of Trickbot.

Filtering all incoming emails for spam and phishing messages is the first line of defense when it comes to protecting your organization from ransomware attacks via email. Even before email became a conduit for ransomware, there were several good reasons to do so, and many organizations already have basic spam filtering and phishing detection in place.

You might want to take it a step further and implement blocking of all attachment types that your company does not normally expect to receive via email; however, the suitability of this strategy will depend on the type of company you run, and it may require some changes in work habits. Employees have a habit of sending each other Excel spreadsheets and Word documents via email. In that case, the company may need to first implement a secure file-sharing solution or collaboration framework and train employees on how to use it before implementing stricter email attachment filtering.
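The attachment-type filtering described above, together with the malicious-macro check the earlier paragraphs call for, as an added example that is not part of the original article: it parses a raw email, applies a hypothetical allowlist and blocklist of extensions, and blocks zip-based Office files whose container carries a VBA project (the sample message and its attachments are constructed inline).

```python
import email, io, os, zipfile
from email import policy
from email.message import EmailMessage

# Hypothetical policy: types this organization expects, and types that exist only to carry code or macros.
ALLOWED = {".pdf", ".docx", ".xlsx", ".png", ".jpg"}
BLOCKED = {".exe", ".js", ".vbs", ".hta", ".scr", ".docm", ".xlsm", ".pptm"}

def has_vba_project(data: bytes) -> bool:
    """True if a zip-based (OOXML) Office file carries a VBA macro project."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
    except zipfile.BadZipFile:
        return False  # not a zip container, so no OOXML macro project to find

def classify_attachments(raw: bytes) -> list:
    """Return (filename, verdict) for each attachment of a raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    verdicts = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        ext = os.path.splitext(name)[1].lower()
        data = part.get_payload(decode=True) or b""
        if ext in BLOCKED:
            verdicts.append((name, "block: disallowed type"))
        elif has_vba_project(data):  # macros hiding behind a harmless-looking extension
            verdicts.append((name, "block: VBA project inside Office file"))
        elif ext not in ALLOWED:
            verdicts.append((name, "quarantine: unexpected type"))
        else:
            verdicts.append((name, "allow"))
    return verdicts

def make_ooxml(with_macro: bool) -> bytes:
    """Constructed minimal zip standing in for a .docx (real files have more parts)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00")  # placeholder macro blob
    return buf.getvalue()

def build_sample_message() -> bytes:
    """Constructed sample email with three attachments (not a real capture)."""
    msg = EmailMessage()
    msg["Subject"] = "Q3 figures"
    msg.set_content("Please see attached.")
    for data, name in [(make_ooxml(False), "report.docx"), (make_ooxml(True), "invoice.docx"), (b"MZ", "update.exe")]:
        msg.add_attachment(data, maintype="application", subtype="octet-stream", filename=name)
    return msg.as_bytes()
```

Legacy binary formats (.doc, .xls) are not zip containers, so this check does not see their macros; treat them under the extension policy instead.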

Ensure that all endpoints are protected with high-quality endpoint protection (EPP) software, which will prevent employees from visiting web pages that contain malware. For an extra security layer, you might want to use web content filtering. A web content filter can prevent employees from visiting websites deemed inappropriate for work use and block malicious websites.

Your EPP should be managed centrally to enforce relevant security policies, such as limiting the ability to turn off endpoint protection or introducing removable media. Ascertain that all endpoints are running the most recent version of the product and that updates are being successfully downloaded. If your EPP vendor offers a cloud component, ensure it’s turned on so you can react even faster to new threats.

Ransomware spread via email attachments or drive-by downloads can be held back if operating systems and applications are patched quickly and thoroughly. A secure configuration can also be beneficial. Consider using Group Policy to completely disable Microsoft Office macros, for instance. Although this may not be possible if the organization’s workflow relies on macros, it will reduce your ransomware attack surface.

Security is, without a doubt, a shared responsibility, so ensure your employees’ cybersecurity training is up to date and reflects the latest threat landscape trends. Allowing employees to know what to look for and avoid when it comes to phishing and other malicious content can help your company reduce the number of malware incidents it faces.

Instruct employees to immediately report any suspicious messages or attachments to the help desk or security team. Besides potentially preventing or limiting damage, early warnings help the organization tune its spam and content filters and strengthen its firewalls and other defenses.