Ransomware attacks have been in the news quite a bit as of late, and this newest attack has shut down a North Carolina county’s offices. Offices in Mecklenburg County, North Carolina have had their servers taken hostage by an unknown hacker, according to officials.

Tuesday afternoon, the county experienced a county-wide outage. During a meeting just after 6:00 pm on Tuesday, December 5th, officials made the attack public, saying that their servers were being held for ransom.

It was confirmed by officials to the local CBS news affiliate that the hacker was asking for $23,000 by 1:00 pm Wednesday to get the server access back. The county was considering whether or not to pay the ransom.

The attack has shut down all IT services for the county including email, printing, and other ways business is conducted at most county offices. The attack started when a county employee clicked on an attachment within an email, exposing the files.

Did you know that 93% of all network breaches include a phishing or spear phishing attack? The perimeter of most vigilant organizations is reasonably tight, for the most part. Firewalls are in place, servers are patched, and physical security is in place. However, email is a giant gaping hole in your network defenses. Email is the vector for all the bad things that keep you up at night.

What’s worse is that the bad guys are using email to target every IT person’s greatest weakness: their employees. If you think that your organization is safe from email-borne attacks just because you have set up Office 365 with email security packages such as EOP, Proofpoint, McAfee or Barracuda, you need to think again. These security packages will not reliably stop spear phishing or zero-day attacks.

84% of organizations said that a spear phishing attack successfully penetrated their organization in 2015. 71% also indicated that they already have some form of email security technology in place.

The problem is two-fold. The first problem is the technology. Most email “security” systems are really just glorified spam filters. They were designed to stop known mass email attacks. The underlying architecture of these solutions isn’t suitable to catch zero-day threats or one-off spear phishing emails. The second problem is the people. Most employees will click on or respond to a well-crafted phishing or spear phishing email if it lands in their email box. Despite education efforts, 20-30% of recipients open standard phishing messages that arrive in their inbox and 12-20% of those click on any enclosed phishing links. These rates are already high, but they double when looking at spear phishing emails.

PHISHING

Phishing is a hacking technique that “fishes” for victims by sending them deceptive emails. The “ph” replaces the “f” in homage to the first hackers, the “phone phreaks” from the 1960s and 1970s. Virtually anyone on the internet has seen a phishing attack. Phishing attacks are mass emails that request confidential information or credentials under false pretenses, link to malicious websites or include malware as an attachment.

Many phishing sites look just like the sites that they are impersonating. Often, the only difference in a spoofed site is a slight, easily missed difference in the URL. Visitors can easily be manipulated into disclosing confidential information or credentials to the hacker if they can be induced to click the link. Even blacklisted phishing sites can often get by standard filters through the technique of time-bombing the URLs: the URL initially leads to an innocent page to get past the filters, but later redirects to a malicious site.

Although malware is harder to get past filters, recently discovered and zero-day malware stands an excellent chance of getting through standard filters and being clicked on, especially if the malware is hidden in a non-executable file such as a PDF or Office document. This is how many of the recent ransomware attacks were pulled off.

Despite the lack of personalization, an astonishing 20% of recipients will click on basically anything that makes it to their inbox.

SPEAR PHISHING

Spear phishing is an enhanced version of phishing that takes aim at specific employees of the targeted organization. The goal is usually to gain unauthorized access to networks, data, and applications. In contrast to the mass emailing of a phishing attack, which might see hundreds of attack messages sent out to random recipients within the space of a couple of hours, spear phishing is methodical and focused on a single recipient. Often the initial email will contain no URL or attachment. Instead, it will simply try to convince the recipient that the sender is legitimately whoever they say they are. Only later on will the hacker request confidential credentials or information, or send a booby-trapped URL or attachment.

The additional customization and targeting of a spear phishing email, along with the lack of easily recognized blacklisted URLs or malware customization, results in click rates in excess of 50%!

IMPACTS ON BUSINESS

Phishing attacks are often just the first part of a much larger hacking campaign. Once inside, hackers can do devastating damage by rifling through confidential customer lists, intellectual property, and emails, and even deleting critical data or encrypting it with ransomware. Companies that fall victim to phishing schemes enabled by spear phishing face risks of reputation damage, loss of market value, competitive disadvantage, and legal liability and compliance problems. Of course, individual executive careers can suffer in the wake of this.

  • Financial Services

Information at risk of theft includes inside trading information, personal information, credit card numbers and bank account information. The impact includes financial loss, legal liability, and regulatory penalties.

  • Retail

Retailers are vulnerable to hacks that leak customer information, including credit card information. Investigators are now revealing the existence of large-scale theft operations that steal merchandise from e-commerce sites and ship it abroad.

  • Intellectual Property-based Businesses

For businesses such as pharmaceuticals and technology where digital information may represent massive investments, spear phishing may have an especially costly impact. Competitors can gain access to confidential intellectual property that took years and cost billions of dollars to develop.

  • Manufacturing and Defense

These companies are part of an actual war, a war on cybercrime. These companies tend to keep these attacks as quiet as possible. A serious attack could endanger national security and affect a company’s ability to secure further defense contracts.

  • Health Care

HIPAA-regulated industries are bound by extensive, rigid compliance guidelines. They face stiff penalties, financial and legal, for data breaches.

SO NOW WHAT?

The problem is that standard email-filtering systems built for Office 365 such as EOP, Barracuda, Proofpoint, and McAfee will NOT catch your typical spear-phishing email. The architectures of all these email security systems were originally built to stop spam. Therefore, they focus on mass emails, using a signature technique to block suspicious emails and known malware attachments and phishing URLs.

These processes, while great at fighting spam, are not very useful against spear phishing. A well-written one-off email will generally get past most corporate spam filters, since those filters only match against known “signatures” that signify malicious content. Today’s enterprise needs a purpose-built email security system that will stop all types of email-borne threats…not just a glorified spam filter.
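To make the gap concrete, the following added example (not from the original article or from any vendor's product) runs the same links through an exact-match blocklist, as a signature filter would, and through a similarity check against protected domains of the kind that catches the slightly altered URLs described under PHISHING. The domain lists, digit swaps and distance threshold are constructed assumptions for illustration.

```python
from urllib.parse import urlsplit

# Constructed sample data: domains to protect and a known-bad "signature" list.
PROTECTED = ("example-bank.com", "microsoft.com", "paypal.com")
BLOCKLIST = {"known-phish.example", "malware-download.example"}

# Digit-for-letter swaps commonly seen in lookalike hostnames.
SWAPS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def host_of(url):
    """Lower-cased hostname of a URL, without a leading 'www.'."""
    host = (urlsplit(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def edit_distance(a, b):
    """Levenshtein distance computed with a rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def signature_verdict(url):
    """Signature-style filtering: block only exact matches on known-bad hosts."""
    return "block" if host_of(url) in BLOCKLIST else "allow"


def lookalike_verdict(url, max_distance=2):
    """Flag hosts that closely resemble, but are not, a protected domain."""
    host = host_of(url)
    for brand in PROTECTED:
        if host == brand or host.endswith("." + brand):
            return "allow"  # the real domain or one of its subdomains
    normalized = host.translate(SWAPS).replace("rn", "m")
    for brand in PROTECTED:
        if normalized == brand or edit_distance(host, brand) <= max_distance:
            return "suspicious: resembles " + brand
    return "allow"
```

A never-before-seen host such as `paypa1.com` passes `signature_verdict` because it is on no blocklist, while `lookalike_verdict` flags it. Neither check addresses time-bombed URLs, which require re-evaluating the link at click time.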
