Public shaming, in my opinion, is a really under-appreciated approach to behavior correction. I can already hear ExtraHop's director of HR saying, "John, it's not okay to embarrass people in the workplace." I get that. However, when it comes to raising awareness of ransomware threat vectors, I can think of no better way of getting the message across, short of climbing atop every employee's desk screaming, "Don't click those links!"
Most ransomware relies on people clicking links, clicking a pop-up, or opening an attachment they shouldn't have clicked on. (Of course, there are also the lesser-known "drive-by attacks" and infected media approaches, but that's for another blog post.) Whether it's a link embedded in an email from what appears to be a trustworthy source, or a bombardment of pop-up alerts, the natural tendency for every user is to click. Click, click, click. We're all guilty, myself included.
Phishing with John
The main approaches for raising awareness of these threats haven't really evolved much. Like a lot of IT folks, running my own phishing tests has historically proven to be one of my favorite approaches. I did this once at another company and got into a bit of trouble, mostly because I didn't tell any of the executives about it ahead of time and ended up catching a few of them.
I simply sent out a link asking everyone to fill out a survey about mold in the office (from a spoofed email that looked kinda real … but not). The link instead took them to a page that said, "Hey, you've been phished! You just exposed the company, and we need you to be more cautious in the future."
Everyone was really upset. I answered the CEO, and everyone else who was angered by it, the same way: "I don't care. I needed to get your attention."
I still feel that way. If anyone has a better way to train people to stop clicking on whatever appears on their screen, I'm wide open to suggestions. Until then, what else can IT do? Sure, we could just send out company-wide updates alerting users on the types of threats they should be aware of. But the truth is, nobody reads emails from IT. Personally, I've long felt that the employee who clicks on the link should be made to pay the ransom, but I don't know if I'll get that through the legal department.
Watch & Learn
Here at ExtraHop, we've developed a solution that gives IT greater leverage in how to respond to ransomware attacks. Ransomware is notoriously elusive to track after it enters your perimeter. Most vendors in the ransomware-prevention space use the same recipe for the happiness cake they want to sell you. They look for signatures, bad IP addresses, evil locations (all great and necessary defenses for most malware …but not 100 percent effective), and some sort of source derivation to block those inbound emails before they enter the network.
This is all fine and good, but what do you do with the malware that does manage to sneak in? (Because something always will.) What you're left with is a set of activities happening among devices that are inside your perimeter. Those activities do not necessarily look abnormal, because it's perfectly normal for files to get encrypted. The difference is the rate of encryption and how many files are being encrypted.
Observing behaviors, instead of looking for signatures, is the core of ExtraHop's approach to ransomware. This allows us to detect when ransomware has been activated inside your environment, and to respond very quickly. When used in conjunction with an orchestration layer, IT teams can actually detect ransomware in action and auto-respond to sequester those infected machines.
Protecting your organization from something like ransomware requires a certain amount of vigilance and paranoia from both IT and users. IT can certainly do its part with solutions such as ExtraHop. Until then, let's all stop being stupid. Just because it's on your screen doesn't mean you need to click it.
If you're an existing ExtraHop customer, you can explore the ransomware bundle on our Bundles Gallery.
Read a true story of how ExtraHop helped a healthcare coverage provider stop a ransomware attack in progress.
If you are reluctant about clicking on those links (and I suspect you are), please use our website and browse to the above items.