A ransomware flop, thanks to security awareness

Mathias Thurman

People like to ask the security manager, "What keeps you up at night?" My usual answer: "Employees." And there's good reason. About 95% of the security incidents my department responds to are a result of an employee doing the wrong thing, whether it's clicking on an evil link within an email, installing a malicious program or sending a sensitive document outside the company.

Sometimes when they do the wrong thing, you can't really blame them. And sometimes you get evidence that employees are really paying attention when you tell them not to do things that are likely to lead to trouble. We just had a ransomware situation (which didn't turn out too badly in the end), and I have to admit that how it arose was quite understandable, a case of one person trying to streamline aspects of his job that don't really require his attention and another person trusting that first person. Here's what happened.

A director in the sales organization gets a lot of emails that contain faxes (or links to faxes held by a third-party fax service) from customers. The faxes might be purchase orders, contracts or other business-related documents. This sales director isn't directly responsible for any of those things, so he simply passes the emails on to the people who are. At some point, though, he grew tired of all that forwarding, so he started auto-forwarding all emails containing the word "fax" in the subject line to predefined distribution lists. And that was working out just fine -- until last week.

That was when a sales associate on the sales director's auto-forward distribution list received an email from him containing a Dropbox link. Since the email was forwarded to her by someone she knew, she figured that it was legitimate and clicked on the link, expecting it to take her to a fax document. Instead, there was a slight pause, followed by a noticeable performance problem with her PC. Then a box popped up explaining that all the files on her hard drive had been encrypted and that in order to regain access, she would need to install a program that would allow her to pay a fee to unlock the files. Of course, it was too late by the time she called the help desk and got security involved.

Fortunately, she had kept a copy of the files on her computer synchronized with a network file share, which was not affected by this event. We decided to wipe her computer and restore her files from the network file share. No ransom payment necessary.

Meanwhile, we checked with the other people on the sales director's distribution list to make sure that no one else had fallen victim to the ransomware scam. We also searched our email archive for emails containing keywords consistent with this particular attack. As a result, we found about 25 users who had received emails with that bad Dropbox link. Only a few of them had opened the email, and none of them had clicked on the link. How to explain that delightful outcome? They all remembered what they had been taught during security awareness training!
