Getting A Head Start Against A Ransomware Attack

Over the past few years, the headlines have been peppered with stories of companies, states, cities, and now countries dealing with a ransomware attack. As we close out our 2022 Annual State of Phishing Report series, we address ransomware as it relates to phishing. While we very rarely see ransomware delivered directly via an email campaign, threat actors use plenty of tactics to gain initial entry into the organization. As we have repeatedly stressed, credential phish, at 67%, remains the number one phishing threat today. Preparing organizations to identify and report suspicious emails has become even more critical.

Resiliency is key to defending against Ransomware

Author: Tonia Dudley, strategic advisor, Cofense

As we look at the attack chain specific to ransomware, there are several precursor steps that take place before the ransom note is delivered. The key to building a resilient workforce is providing them with relevant phishing simulation training that aligns to current threats hitting their inbox. When you’re assessing your simulation program, putting focus on the right metric is key. When it comes to defending against a real phishing campaign, reporting is key to early detection and mitigation. Therefore, your phishing simulation metrics should also focus on the report rate and how quickly users are reporting.

Zero Days are in play

As threat actors in the ransomware community have built up their resources, they are now able to step into the zero-day arena to further their attacks. A Microsoft zero day published in late May has been weaponized by the QakBot group. Recently, researchers have been able to determine a link between QakBot and ransomware groups, which shifts the dynamics of how these campaigns are used.

Don’t forget about older malware or threat groups. Cofense has observed a tactic that we have only seen twice in the past five months. A banking trojan, known as IcedID, is being used to steal information such as credentials. What’s interesting about this campaign is that the threat actor leveraged an email from 2017 and also used the reply-chain tactic. A reply-chain…