Resist the Ransom

August 29, 2016  |  Erich Kron

Ransomware is growing, malware is dropping in networks at an alarming pace and “The Breach of the Week” is a common thing. I have heard it said that it’s “not if, but when” the breach will happen to you. That all sounds a bit defeatist to me. I am going to challenge you not to give up and accept that as fact, but rather to focus on the right areas to protect yourself and your data.

While technical controls are important, there is more to be done. With 91% of APT attacks starting with spear phishing emails, this is really not something you can ignore. While you can’t eliminate the threat completely, you certainly can manage it.

What are the bad guys after? Generally, it is all about the money. How they get paid can vary though. Ransomware is huge right now because the rate of return on investment is extremely high when compared to the cash value of individual compromised accounts or credit card info. CEO Fraud (a.k.a. BEC or Business E-mail Compromise) is proving very lucrative for the scammers as well with 14,032 US victims netting losses of $960 million in the past 3 years.

What can you do?

Defense-in-depth is the most effective approach. You cannot rely any single approach to stop the attacks. These are my key focus points for defense:

  • Spam Filter – Make sure you have a reputable spam filter. This can greatly reduce the initial number of malicious emails but certainly not all of them. This is especially true for spear phishing emails which are much harder for the filters to detect.
  • SPF records – Enabling SPF records for your email domain makes it much more difficult for attackers to spoof emails to your domain. This is very helpful in combating the CEO Fraud cases.
  • Anti-virus – Keep your anti-virus up to date, but do not depend on it to stop everything. Even the best AV will not stop everything. Many file embedded macros will not even show as a threat with anti-virus and with the rate malware variants are being released each day it simply cannot keep up. The Virus Bulletin RAP quadrant demonstrates this issue well.
  • Limit access – Make sure users have the least amount of privilege needed to perform their job. This means not only permissions on the servers, file shares or workstations, but to the network as well. This is where network enclaves are your friend. Your accounting workstations do not typically need access to the same network as your SQL servers. Likewise, developers’ workstations don’t typically need access to the finance department workstations. This can greatly reduce the ability of malware to spread, or ransomware to encrypt network files in the event of an incident. It can also create “choke points” where network traffic can be analyzed more easily by an IDS or IPS. For example, the Banner Health breach (3.7 million individuals impacted) started with the POS machines that were on the same network as the clinical systems.
  • Analyze network traffic – Deploy IDS sensors in key network locations to watch for IoCs (Indicators of Compromise) that can report suspicious activity. These are best used with a SIEM to correlate events and create alerts along with actionable intelligence. Time is worth more than gold during an incident response and the sooner you are aware of the issue and are able to act with good intelligence, the better off you are.
  • Have good backups – Do not assume your backups are good. If the ransomware or threat manages to get past all of the layers of defense, a good backup can save your day but you need to test them often and regularly. Knowing that they are good, that you can restore them (do you have enough space available?) and how long it takes to restore them is critical information. Will it take days or weeks to get back up and running? What will that cost you in downtime and lost revenue? These are all important things to know when it comes time to decide if you will pay the ransom or not and you need to know them quickly. Most ransomware has built in timers and many will start deleting files as the timer expires.
  • Training – Train your users! This is one of the most powerful and least expensive things you can do to reduce your risk to phishing attacks, malware, ransomware and CEO Fraud attacks. Many regulations require security training on at least an annual level. Often this is ineffective because it is just done for compliance reasons or it is done through “death by PowerPoint” training. By leveraging self-paced, interactive training with ongoing simulated phishing attacks, you can turn that required training into the biggest phishing and ransomware preventative controls in your toolbox.

How big? In a study of over 300,000 aggregated users KnowBe4 found that 15.9% fell for the initial phishing campaign emails and clicked an embedded link. A year later, this was reduced to just 1.2%. How big is that really? (Warning, math follows:)


  • 156 million phishing emails are sent each day
  • 16 million make it through spam filters
  • 8 million are opened
  • 800,000 links clicked
  • 80,000 people fall for a scam every day

Reducing the number of clickers from 15.9% to 1.2% would reduce the click rate of 800,000 to just 60,000 and if the numbers stay constant, it would mean only 6,000 vs 80,000 people falling for the scams each day.


By following these recommendations, you can greatly improve your chances of avoiding a catastrophic malware or ransomware infection, or successful CEO Fraud attack in your organization.

Learn more about KnowBe4’s proven approach to reducing clicks in phishing attacks:

Erich Kron in Twitter:

Share this with others

Get price Free trial