It’s apparent that ransomware and its evolution into leakware is a critical threat to most businesses today. According to Palo Alto’s Crypsis IR Team, the average ransomware demand from hackers has increased to over $840,000, and in 2021 we’ve already seen the record payment demand of $10 million overshadowed by the reported $50 million asked of Acer. If you follow cybersecurity news headlines, you might worry only about ransomware attacks. However, there is always a new approach that catches the hacker community’s eye and is exploited to the detriment of small and medium businesses. In 2020, that threat was Business Email Compromise (BEC), which often led to wire transfer fraud and the loss of tens of thousands of dollars per incident (sometimes hundreds of thousands). But is it bigger than ransomware? The answer depends on who you ask, but is likely no.
The FBI’s 2020 “Internet Crime Report” tells a very different story, however, with reported ransomware payments being extremely low, at under $30 million, and other forms of cybercrime dwarfing this number. Businesses paid out a total of $1.8 billion in 2020 to resolve the number one rated ‘victim loss crime type’, Business Email Compromise (BEC), according to the report. The problem is, BEC is not truly the number one financial detriment; ransomware is. As noted in the image below, the FBI figure doesn’t include cases that aren’t reported to the FBI, loss of business, third-party remediation, etc., creating an oddly low number. Another reason for the low number has to do with leakware and the US Treasury Department making it illegal to pay a bitcoin ransom in the US as of Oct. 1st, 2020. Their argument is that you might be paying a terrorist organization, which is 100% illegal. Take a look at the image below to get an idea of the FBI’s statistics:
Business Email Compromise
BEC, for those who don’t know, is an attack against an individual that is delivered via email, focused on creating action by deception (social engineering). The attack can be sourced from a spoofed email address or a compromised authentic address, appearing to be from a co-worker or business partner. A compromised account is valuable because it evades many protections by being sourced on a legitimate and trusted email server. BEC attacks are deployed by sophisticated attackers with mature and tested methodologies, and as FBI statistics show, they are financially lucrative to these attackers and correspondingly damaging to the victim business. One of the most common outcomes of BEC is a wire transfer of tens or hundreds of thousands of dollars going to the wrong account, as the hacker changes the payment information using the breached financial account at your company. The results are devastating, as you can see from the FBI statistics.
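The two delivery paths described above, a spoofed sender and a compromised legitimate mailbox, leave different traces in a message. The Python script below is an added example, not CyberHoot’s code, that triages one raw email for BEC indicators from a defender’s side: look-alike sender domains, Reply-To and Return-Path that disagree with the visible From address, SPF/DKIM/DMARC failures recorded by the receiving mail server in the Authentication-Results header, and payment-change language in the subject and body. The trusted domain (example.com), the keyword list, the confusable-character map and the three sample messages are all constructed assumptions for this example.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Domains considered "ours"; an assumption for this example.
TRUSTED_DOMAINS = {"example.com"}

# Phrases typical of payment-redirection requests (constructed list of regexes).
PAYMENT_PATTERNS = (r"\bwire\b", r"updated bank", r"new (bank )?account",
                    r"routing number", r"\burgent\b", r"change .* payment")

# Minimal confusable map used to spot look-alike domains such as examp1e.com.
CONFUSABLES = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s"})


def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _normalize(domain):
    return domain.translate(CONFUSABLES).replace("rn", "m")


def bec_indicators(raw_message):
    """Return a list of (code, detail) indicators found in one raw RFC 5322 message."""
    msg = message_from_string(raw_message, policy=policy.default)
    found = []
    from_addr = parseaddr(str(msg.get("From", "")))[1]
    reply_addr = parseaddr(str(msg.get("Reply-To", "")))[1]
    return_path = parseaddr(str(msg.get("Return-Path", "")))[1]
    from_dom = _domain(from_addr)

    # Spoofed-sender signals: look-alike domain, or envelope/reply paths that
    # do not agree with the visible From address.
    if from_dom not in TRUSTED_DOMAINS and _normalize(from_dom) in TRUSTED_DOMAINS:
        found.append(("lookalike-domain", from_dom))
    if reply_addr and _domain(reply_addr) != from_dom:
        found.append(("reply-to-mismatch", reply_addr))
    if return_path and _domain(return_path) != from_dom:
        found.append(("return-path-mismatch", return_path))

    # Authentication-Results as written by the receiving MX (SPF/DKIM/DMARC).
    auth = str(msg.get("Authentication-Results", ""))
    for mech in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{mech}=(\w+)", auth)
        if m and m.group(1).lower() != "pass":
            found.append((f"{mech}-{m.group(1).lower()}", auth))

    # Content signal: wire/payment-change language. This is the check that still
    # fires when the mail comes from a compromised, fully authenticated mailbox.
    body = msg.get_body(preferencelist=("plain",))
    text = (str(msg.get("Subject", "")) + " " + (body.get_content() if body else "")).lower()
    hits = [p for p in PAYMENT_PATTERNS if re.search(p, text)]
    if hits:
        found.append(("payment-language", ", ".join(hits)))
    return found


def triage(raw_message):
    """Map the indicators onto the two BEC delivery paths: spoof vs compromised account."""
    codes = {code for code, _ in bec_indicators(raw_message)}
    msg = message_from_string(raw_message, policy=policy.default)
    from_dom = _domain(parseaddr(str(msg.get("From", "")))[1])
    if "lookalike-domain" in codes or any(c.startswith(("spf-", "dkim-", "dmarc-")) for c in codes):
        return "likely-spoofed-sender"
    if from_dom in TRUSTED_DOMAINS and "payment-language" in codes:
        return "possible-compromised-account"
    return "no-bec-indicators"


# Constructed sample messages (not real traffic).
SPOOFED_MAIL = """From: "Alice CFO" <alice.cfo@examp1e.com>
To: bob@example.com
Reply-To: "Alice CFO" <alice.cfo@examp1e.com>
Return-Path: <bounce@mailer.invalid>
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=mailer.invalid; dkim=none; dmarc=fail header.from=examp1e.com
Subject: Urgent wire transfer
Content-Type: text/plain; charset="us-ascii"

Bob, please send today's wire to our updated bank account. Routing number attached.
"""

COMPROMISED_MAIL = """From: "Alice CFO" <alice.cfo@example.com>
To: bob@example.com
Reply-To: alice.cfo@secure-mail.invalid
Return-Path: <alice.cfo@example.com>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com; dmarc=pass header.from=example.com
Subject: Vendor payment change
Content-Type: text/plain; charset="us-ascii"

Bob, the vendor moved to a new account. Please change the payment details before the transfer today.
"""

CLEAN_MAIL = """From: "Alice CFO" <alice.cfo@example.com>
To: bob@example.com
Return-Path: <alice.cfo@example.com>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com; dmarc=pass header.from=example.com
Subject: Lunch
Content-Type: text/plain; charset="us-ascii"

Lunch at noon tomorrow?
"""

if __name__ == "__main__":
    for name, mail in (("spoofed", SPOOFED_MAIL), ("compromised", COMPROMISED_MAIL), ("clean", CLEAN_MAIL)):
        print(name, triage(mail), [code for code, _ in bec_indicators(mail)])
```

The compromised-account sample passes SPF, DKIM and DMARC because it really was sent from the trusted server, which is exactly the evasion the paragraph above describes; only the external Reply-To and the payment-change wording flag it. That is why header authentication alone is not a BEC control and why payment changes need out-of-band verification.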
Ransomware is malicious software designed to block access to a computer system, and more importantly, the critical data it contains until a sum of money or ransom is paid. Attackers ask for payment in bitcoin, making the payments largely untraceable by investigators (now illegal).
Leakware, a strain of ransomware, works like many other threats and moves through initial compromise, lateral movement, and privilege escalation. The actual encryption (and associated data exfiltration or other pressure tactics) is simply an easy way to monetize the compromise. This means that organizations that build comprehensive strategies against modern ransomware strains are protected against many other potential compromises. Those that focus on only one aspect (recovering data, for instance) are left vulnerable to the evolved ransomware threat of data exfiltration and online exposure. CyberHoot estimates that ransomware losses were in the 10 billion range last year, dwarfing the losses from BEC.
What Can We Do?
Luckily, you and your business can defend against Business Email Compromise. It’s vital to have proper measures in place, and CyberHoot recommends the following actions to protect your sensitive information:
- Train employees on how to spot and avoid phishing attacks. Adopt a Learning Management system like CyberHoot to teach employees the skills they need to be more confident, productive, and secure.
- Test employees with practice phishing attacks. CyberHoot’s phish testing allows businesses to test employees with believable phishing attacks and put those that fail into remedial phish training.
- Govern employees with policies and procedures. You need a password policy, an acceptable use policy, an information handling policy, and a written information security program (WISP) at a minimum.
- Deploy critical cybersecurity technology including two-factor authentication on all critical accounts. Enable email SPAM filtering, validate backups, deploy DNS protection, antivirus, and anti-malware on all your endpoints.
- In the modern work-from-home era, make sure you’re managing personal devices connecting to your network by validating their security (patching, antivirus, DNS protections, etc.) or prohibiting their use entirely.
- If you haven’t had a risk assessment by a third party in the last 2 years, you should have one now. Establishing a risk management framework in your organization is critical to addressing your most egregious risks with your finite time and money.
- Buy Cyber-Insurance to protect you in a catastrophic failure situation. Cyber-Insurance is no different than Car, Fire, Flood, or Life insurance. It’s there when you need it most.