Ransomware, Act I

The first documented ransomware attack was delivered by the postal service in 1989 when 20,000 floppy discs loaded with malware were sent to AIDS researchers across the globe with the promise of advancing research. When loaded in computers, the discs installed malware and displayed a ransomware message demanding payment to restore data and systems. The attacker, an AIDS researcher himself, took advantage of other researchers to capitalize on the urgency and uncertainty of the AIDS epidemic.

Cybercriminals continue to employ similar scare tactics today, using coercion, matters of necessity and social engineering to dupe unsuspecting people. Instead of using snail mail, cybercriminals use unprotected domains to send spoofed emails for deploying ransomware.

What is Ransomware?

The Cybersecurity and Infrastructure Security Agency (CISA) defines ransomware as a type of malware “cyber actors use to deny access to systems or data. The malicious cyber actor holds systems or data hostage until the ransom is paid. After the initial infection, the ransomware attempts to spread to shared storage drives and other accessible systems. If the demands are not met, the system or encrypted data remains unavailable, or data may be deleted.”

Since the first exploit in 1989, ransomware attacks have unfortunately grown to become headlines we see all-too-often, whether it’s an educational institution, healthcare, or an essential service or infrastructure organization. That ransomware has such significant payouts means that cybercriminals have fine-tuned their tactics and discovered ways to capitalize on system and human vulnerabilities.

Ransomware Made Easy

The malicious software has reached a level of maturity that has led bad actors to adopt Ransomware-as-a-Service (RaaS) as a business model on the dark web. Cybercriminals lacking development and technical knowledge can surf the dark web and subscribe to RaaS. The rise of crypto currencies has also made it easier for cybercriminals to be paid and to make away with untraceable ransomware payments. Add to that a safe space some countries afford for ransomware operations and you have ideal conditions for ransomware to abound.

That’s why we’re seeing the highest reported number of worldwide ransomware attacks. In Percentage of organizations victimized by ransomware attacks worldwide from 2018 to 2021, Statistica reports that 68.5 percent of organizations in their study sample succumbed to a ransomware attack—the highest number on record. Historically, over half of the organizations surveyed say they have been the subject of a ransomware attack.

And the price of dealing with the consequences are getting steeper and steeper. Sophos’ Ransomware Report 2021 found that the financial cost increased from $761,106 in 2020 to $1.85 million in 2021. A White House brief reports that 2020 ransomware payments were over $400 million; already in the first quarter of 2021, payments reached more than $81 million.

DMARC on the Frontline

Because phishing attacks are the leading attack vector for installing ransomware, CISA recommends that users and email operators “enable strong spam filters to prevent phishing emails from reaching the end users and authenticate inbound email using technologies like Sender Policy Framework (SPF), Domain Message Authentication Reporting and Conformance (DMARC), and DomainKeys Identified Mail (DKIM) to prevent email spoofing.”

A Switzerland-based agriculture and food production company with 17,000 employees in 100 countries reported that after deploying DMARC, their email flow “went from over 75% of illegitimate traffic to less than five percent. Our IT management recognizes the benefit of DMARC and dmarcian; by using the dmarcian dashboard, it was easy to highlight the progress in protecting our domain.”

Built upon SPF and DKIM, DMARC is a foundational protection against ransomware. DMARC allows domain owners to protect their domains from unauthorized use by fighting ransomware’s attempted delivery by email.

DMARC’s utility as an anti-spoofing technology stems from a significant innovation; instead of attempting to filter out malicious email, why not provide operators with a way to easily identify legitimate email? DMARC’s promise is to replace the fundamentally flawed “filter out bad” email security model with an “allow only good” model.

When strong security controls are deployed against fraudulent email, delivery is simplified, brand reliability increases and visibility is granted to domain owners on how their domains are being used around the internet. Organizations with a DMARC record of p=quarantine or p=reject in place along with DMARC requirements for their vendor management practices contribute to a safer email landscape against ransomware attacks.

dmarcian is committed to spreading DMARC across the internet to stop ransomware attacks proliferated from unprotected domains. If you need help with your DMARC project, test drive our DMARC Management Platform or get in touch with us.

Want to continue the conversation? Head over to the dmarcian Forum