We recently asked renowned Ransomware Expert Allan Liska: “How To Spot and Stop Phishing Attacks?” see his response in this video, and in case you’ve missed it, here’s the transcript:
Scott Bekker:
So let’s talk about phishing, one of the most common ways for attackers to initiate a ransomware attack. What is phishing at a high level?
Allan Liska:
So phishing, people often confuse spam and phishing. Spam is any unwanted email. Phishing attacks are unwanted emails that have malicious intent. So whether they have an attachment that if you open it will install malware, in our case ransomware, or a link to download ransomware or some other type of malware, that’s generally a phishing attack and yes, phishing campaigns are very popular amongst ransomware actors.
Scott Bekker:
And some of the terms you also hear with phishing or spear phishing, whaling, are those ransomware related attacks or generally not?
Allan Liska:
So whaling generally no, we see whaling a lot in business email compromise where you pretend to be the CEO, or an attacker pretends to be the CEO and sends a note to somebody in accounting saying hey, I need you to wire me $50,000 but you can’t tell any about it. That’s where we tend to see whaling in these attacks.
We do see what I think would meet the definition of spear phishing in ransomware attacks in that a lot of ransomware attacks will contain attachments that have invoice on them or something that is designed to be attractive to somebody in a business situation. Hey, this invoice is overdue, please pay this. It doesn’t quite exactly meet the definition of spear phishing but it’s close enough.
Scott Bekker:
Gotcha.
Allan Liska:
And we certainly don’t want to quibble over terms, we want to stop the attacks.
Scott Bekker:
So pivoting to stopping those attacks, what are the essential things to do about phishing?
Allan Liska:
Phishing training is really important, and keeping employees aware what they have to do in order to what they should be looking for for a phishing attack. But it’s better if the phishing email never gets to an employee in the first place. So prevention mechanisms are really important and that can do additional email filtering obviously is good. There are third party services that will do some of that more advanced filtering for you, especially attachments. We live in a world of attachments, so it’s really hard to distinguish between what is legitimate and what isn’t legitimate, but some of the filtering software out there have gotten really good at that and they often have sand boxing capabilities so that the email runs through a sandbox first. And if it has signs of a phishing email then it’s stopped and it never reach the employees. But there are other things you can do to protect yourself inside the network as well. So a lot of phishing is still delivered through Microsoft Office documents and macros.
Scott Bekker:
Okay.
Allan Liska:
And I get in trouble for this when I say it but I’m going to say it anyway.
Scott Bekker:
Please do.
Allan Liska:
I’ve never met anybody who uses macros in Microsoft Office documents that I like, so I just disable all macros across the organization. And as of a couple weeks ago Microsoft agrees with me, they’ve announced that Excel 4.0 or the next version of Excel will ship with macros disabled by default. Ransomware actors love to use macros because it’s not malicious, macros are an allowed tool and so when you run a macro you’re not going to set off your antivirus or your EDR or any of the other security protocols that you have in place. But if you can disable that across the organization like we talked about with patching, you want to make sure that you’re keeping your Microsoft Office and other common exploit vectors for phishing emails fully patched and up to date. And again, continue with that trend of training employees to know what to look for in phishing emails.
Scott Bekker:
So if I’m hearing you right we really want to layer on additional filters, disable macros across the organization if that’s a possibility with your corporate culture, and training is important but it’s really a last line of defense, you don’t want the message us to get to that point.
Allan Liska:
Absolutely.
Scott Bekker:
Yep, great. Thanks Alan.
Allan Liska:
Thank you.
Interested in viewing more videos about Ransomware? Visit our Ransomware Video Gallery
