The current digital landscape has brought the subject of cyber security into greater focus as businesses and citizens alike are concerned about the sovereignty of their data. Cyber security company Sophos actively analyses the methods that cyber criminals use for their malicious attacks.
One of the recently discovered trends is the employment of well-known local brands as part of targeted attack schemes. We discuss the implications of this with Sophos senior security advisor, John Shier.
TechSmart Business: What key change have you identified with the use of ransomware for malicious attacks?
John Shier: With the increasing use of ransomware we are seeing less reliance on vulnerabilities in applications such as Java and Flash. Instead, criminals are relying on users being fooled into clicking on links and opening unsolicited attachments in phishing emails that are incredibly difficult to spot by the average user.
TSB: It appears cyber criminals are becoming more savvy in their attack methods. What makes ransomware such a popular method of attack?
JS: Criminals aren't necessarily more savvy but simply relying on good social engineering tactics to fool people into infecting themselves. Ransomware is very popular due to the high rate of return on investment. They are making a lot of money distributing ransomware and that simple fact alone is making ransomware a viable 'business'.
TSB: SophosLabs has discovered that cyber criminals are crafting customised spam to target users in foreign countries. Can you explain this process?
JS: The criminals are using well-known, local brands as decoys in their phishing emails. Using Geo-IP information, the criminals will serve content that is in the local language and often free of grammatical and spelling errors. They do this by stealing imagery and content from the brands themselves and often use translation services to ensure the language is correct. The criminals' server will have a representative set of phishing emails for each country they target and those emails will be delivered to users based on their geographic location.
TSB: How can users safeguard themselves against ransomware attacks? Are there any signs they need to look out for?
JS: There are technological safeguards such as using up-to-date antivirus, performing regular backups of their data (and storing it offline) and making sure their systems are fully patched. They also want to ensure they are not clicking on links in emails and opening attachments from unknown sources. If they do open an attachment accidentally, they should not enable macros. Users must also realise that most important communications will not be delivered via email, especially anything involving financial services.
TSB: These ransomware attacks often impersonate local organisations to fool users. Is there anything local organisations can do to ensure their information is not used for ransomware?
JS: Unfortunately there's nothing an organisation can do to prevent a criminal stealing their images and content. But companies can train their staff to reduce the amount of sharing on social media such as LinkedIn and Facebook which makes it easier for criminals to gather potentially privileged information about the company. They could also put prominent notices on their websites about the dangers of phishing emails and possibly include notices in mailings.
TSB: Looking forward, how does Sophos see the nature of ransomware evolving, and is there any way to combat against it?
JS: It's always difficult to predict what the criminals will do next but anything that increases their income is always possible. Whether that means going after targeted high-value targets, broader operating system support or even non-traditional devices (e.g. IoT devices, cars, etc.) remains to be seen. As long as the money keeps pouring in they will continue to deliver ransomware. Aside from some of the advice already given about dealing with email, users can follow these tips for preventing ransomware.