Keeping Ransomware Out of the VAULT
October 7, 2015 Alex Woodie
Cyber-criminals are increasingly targeting small and midsize American businesses with ransomware that encrypts the contents of a PC or a server until the victim pays $500, $1,000, or more in untraceable Bitcoin. After several of United Computer Group’s VAULT400 customers were hit with ransomware scams, the company decided to team up with the security training company KnowBe4 to teach VAULT400 customers how to avoid falling victim to a ransomware scam.
A ransomware epidemic is spreading across the country, impacting organizations of all shapes and sizes. “Never before in the history of human kind have people across the world been subjected to extortion on a massive scale as they are today,” the security software company Symantec says in its recent whitepaper on ransomware (pdf).
UCG chief executive Jim Kandrac tells IT Jungle that several VAULT400 customers succumbed to ransomware attacks recently–mostly by clicking on malicious emails sent as part of a spear phishing attack. The compromises didn’t involve the IBM i servers or data. Instead, the attacks resulted in the hard drives of Windows PCs and servers being encrypted.
While UCG could have helped the customers by recovering their data from backups stored by VAULT400 (the company backs up data from Windows servers and other platforms too), most of the victims chose to pay the ransom rather than recover their data. According to Kandrac, the problem comes down to lost time, which is lost money in the business world.
“We can wipe their system and restore the data, but it takes a bit of time–two to three days if they don’t have high availability,” Kandrac says. “The other thing is, they can pay the ransomware, but if they don’t have a Bitcoin account, that can take up to three days to set up.”
Kandrac was hesitant at first to get involved. “This isn’t our marketplace,” he said. “This isn’t what we do. But more and more it affected us, and we genuinely felt bad because we’ve got the data protected, but these guys are getting hit.”
So UCG turned to KnowBe4, a Tampa, Florida, company that specializes in training employees how to identify and not fall victim to the various cyber-scams circulating on the Net. Today, all VAULT400 customers get access to KnowBe4’s ransomware awareness training for 25 to 50 users as part of the base subscription.
As KnowBe4 CEO Stu Sjouwerman explains, sophisticated cyber-criminal gangs are getting rich exploiting the digital naiveté of workers at small and medium-sized businesses in the U.S.
“The human is the weak link in IT security–always has been and always will be,” Sjouwerman tells IT Jungle. “You need to train them and constantly test them and make sure they’re on their toes with security top of mind. And that’s what we do.”
The first step in KnowBe4’s regimen involves sending a simulated phishing attack to all the workers in a company. On average, 15 to 20 percent of the employees click on the malicious link, which in a real attack would have resulted in a piece of malware being loaded onto their PCs or server that encrypts the hard drive.
The next step involves training the workers, showing them how the bad guys operate, and how to avoid falling victim to their increasingly crafty attacks. Sjouwerman teamed up with Kevin Mitnick–the notorious hacker who was convicted in the late 1990s–to build his KnowBe4 curriculum. “He essentially gave me enough data so I could distill his 30 years of hacking experience into a 30-minute course,” Sjouwerman says. “We cover the most-used attack vectors that the bad guys currently use and we constantly update those courses.”
The message at the end of the day is “think before you click.” Many phishing emails are incredibly polished and look legitimate, but they will take you to a malicious website, often run by the Eastern European cyber mafia, Sjouwerman says. “Phish-prone equals click happy,” he says. “It’s not so much that we’re teaching people not to click on links, but be smart about it. You need to hover, and see if it goes where it says it goes.”
Thanks to the rise of the bring your own device (BYOD) phenomenon and the associated breakdown of perimeter security, ransomware is increasingly showing up on employees’ smartphones. Problem is, you can’t hover over a link on a smartphone like you can on a PC. Instead, KnowBe4 advises clients to press the link and hold it down until a window pops up that shows you where the link actually goes. Unfortunately, there’s no way to validate links sent in texts, so be extra cautious with links sent that way.
After KnowBe4’s clients complete their Web-based training, they will typically be penetration tested with additional simulated attacks. Employees who fail to recognize the scam at this point are taken to a Web page with the word “Ooops” and the failure is logged.
“You don’t want to be on the electrified fence to learn your lesson,” Sjouwerman says. “The approach is very effective, but some people might have to learn by clicking on a few of these simulated attacks and get the ‘Oops’ page, and that will teach them to not click.”
After a year’s worth of training, the “click happy” rate typically drops below 1 percent. At this point, repeat offenders will be identified and sent to additional training sessions. Sjouwerman hasn’t heard of anybody getting fired for failing one of his tests, but at least one bank fired an employee after he or she didn’t show up for mandatory training.
Today’s cyber-criminal enterprises are very good at what they do, and will use the telephone to reel in their victims. KnowBe4 knows this, and will throw in a few spoofed telephone calls to try to trip up overly trusting employees.
After all this training, if a client still falls victim to a ransomware scam, KnowBe4 will pay the ransom as part of a guarantee. The company has a Bitcoin wallet already set up, which dramatically reduces the time a victim must spend setting up their own Bitcoin account. The Bitcoin guarantee has been used once out of more than 2,000 enterprise accounts, Sjouwerman says.