A rash of recent ransomware and cyberattacks has shown clearly just how vulnerable many organizations are to inbound phish emails. Here's what CIOs can do to sidestep the Achilles heel of cybersecurity.

No question about it, ransomware is on the rise, and the majority of enterprises remain vulnerable to inbound phish emails, which often are the originators of ransomware attacks.

One recent ransomware outbreak, Petya, appears to have originated in the Ukraine. Like WannaCry before it, once it has infected a computer it attempts to spread through local area networks. But according to the Romanian national CERT (Computer Emergency Readiness Team), Petya’s initial point of entry is often a phishing email that contains a Trojan-horse document which, if opened, will infect the target computer. “Initial infection of systems is achieved through documents attached to phishing email messages that users are urged to open,” according to the Romanian publication Business Review.

Petya has wreaked havoc at global advertising firm WPP as well as Saint-Gobain in France and Evraz and Rosneft in Russia. Similarly, last month, WannaCry shut down computers at the U.K. National Health Service, Deutsche Bahn, FedEx, and many more. When WannaCry broke out, the U.S. Computer Emergency Readiness Team recommended setting up strong spam filters and email authentication in order to prevent phish from reaching end users (along with updating and patching the Windows OS, naturally). Similarly, we now see security companies such as Mimecast advising clients to protect their email systems in order to better defend against Petya.

Phishing — again and again

Petya and WannaCry are not unique: Analysis of cyberattacks suggests that 91 percent of all cyberattacks start with phish.
This keeps happening because, while technical solutions are available to curtail phishing attacks, they are complex and opaque, which means most companies have challenges implementing them fully.

Take, for instance, a phishing campaign directed at DocuSign users that was revealed earlier this summer. These phishing attacks, DocuSign revealed, made use of a list of up to 100 million customer names and emails that hackers had managed to exfiltrate from DocuSign’s servers. DocuSign was careful to note that its core e-signature service hadn’t been compromised, and that the only thing the hackers got were names and emails. However, using that email list the hackers crafted a tricky phishing campaign aimed at DocuSign’s customers. Emails looked like a request to sign a DocuSign document, but actually contained a nasty payload: A Word document with macros in it that, if run, would download additional malicious content from the web. (DocuSign has posted technical details of the attack in a PDF.)

To its credit, DocuSign has responded publicly and transparently. The company outlines some things to watch for that could indicate malicious emails:

“They may appear suspicious because you don’t recognize the sender, weren’t expecting a document to sign, contain misspellings (like “docusgn.com” without an ‘i’ or @docus.com), contain an attachment, or direct you to a link that starts with anything other than https://www.docusign.com or https://www.docusign.net.”

Further down that page, the company advises, “Legitimate DocuSign signing emails come from @docusign.com or @docusign.net email addresses.”

And here’s where things go wrong

DocuSign’s recommendation to only trust emails from docusign.net and docusign.com may lead to additional security issues, because it only makes sense if email from those domains is trustworthy.
And while the docusign.net domain has been “locked down” with email authentication (properly configured and set to enforcement), docusign.com has not: Its email authentication has been set up but is not configured to reject non-authenticating messages (see ValiMail’s domain checker for the DMARC status of docusign.com). That means that attackers can still send email with docusign.com in the “From” address, and have reasonable confidence that their messages will reach their targets’ inboxes.

This is a common mistake among companies responding to cyberattacks: They warn customers about the compromise that has just happened, but don’t lock down their domains to ensure that only authenticated senders can use the company’s domain name in email messages. As a result, hackers can extend the initial attack by sending an email to customers that appears to come from the hacked company and looks like an apology or security warning from the company’s CEO, but which actually contains a link to a malicious website.

The takeaway

Even companies that know about email authentication struggle to implement it completely. In fact, ValiMail has found that about 75 percent of all companies attempting DMARC authentication don’t get it implemented correctly or fail to get to a “reject” policy. It’s not for lack of trying. In the era of cloud-based everything, there are thousands of services that send email on behalf of companies. Managing email authentication today requires deep understanding and automated control of the global email ecosystem. Email authentication is not a silver bullet against all phishing attacks, but it is one of the few security technologies that is proven to be 100% effective against attacks that directly spoof your brand — protecting your executives, employees, and consumers globally. When coupled with additional service layers, authentication can also mitigate shadow email services and improve deliverability.
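The difference between a domain that is "set up" and one that is at enforcement comes down to a few tags in its DMARC TXT record. The following Python is an added example, not code from the article or from ValiMail: it parses a DMARC record and reports whether spoofed mail would still be delivered (p=none), whether the policy is only partly applied (pct below 100, or a weaker sp= for subdomains), or whether the domain is fully at enforcement. Treating both quarantine and reject as enforcement, and the sample domain names and records, are assumptions made for the example.

```python
ENFORCING = {"quarantine", "reject"}  # p= values that make receivers act on failures


def parse_dmarc(record: str) -> dict:
    """Split 'v=DMARC1; p=reject; ...' into a tag dict; raise on invalid records
    (RFC 7489: the first tag must be v=DMARC1 and p= is required)."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        name, value = part.split("=", 1)
        tags[name.strip().lower()] = value.strip()
    if not tags or next(iter(tags)) != "v" or tags["v"].upper() != "DMARC1":
        raise ValueError("record must begin with v=DMARC1")
    if "p" not in tags:
        raise ValueError("required p= tag is missing")
    return tags


def classify(record: str) -> str:
    """'monitoring'  : p=none, mail that fails SPF/DKIM alignment is still delivered
    'partial'     : enforcing, but only for part of the mail (pct<100 or sp=none)
    'enforcement' : quarantine/reject covers all mail, subdomains included"""
    tags = parse_dmarc(record)
    policy = tags["p"].lower()
    sub_policy = tags.get("sp", policy).lower()  # sp defaults to p
    pct = int(tags.get("pct", "100"))            # pct defaults to 100
    if policy not in ENFORCING:
        return "monitoring"
    if pct < 100 or sub_policy not in ENFORCING:
        return "partial"
    return "enforcement"


# Constructed records standing in for a DNS TXT lookup of _dmarc.<domain>;
# the domain names are placeholders, not real lookups.
SAMPLE_RECORDS = {
    "locked-down.example": "v=DMARC1; p=reject; rua=mailto:dmarc@locked-down.example",
    "monitor-only.example": "v=DMARC1; p=none; rua=mailto:dmarc@monitor-only.example",
    "half-way.example": "v=DMARC1; p=quarantine; pct=50; sp=none",
}


def audit(records: dict) -> dict:
    """Map each domain to its DMARC status so weak domains stand out."""
    return {domain: classify(rec) for domain, rec in records.items()}
```

Feeding `audit` the actual TXT records of your own sending domains (and their subdomains, which get the sp= policy) is the quickest way to spot a docusign.com-style gap before an attacker does.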
And since so many cyberattacks start with phish, it’s a good place to start building your defenses.