How does a ransomware attack start?

When you read about the ransomware attacks, such as those on Honda, Garmin, Toll, Fisher and Paykel and Lion, it’s easy to think these attacks only target large enterprises. Unfortunately, that would be a mistaken view. The reality is that all businesses are under ever increasing attacks – not just more attacks but also more sophisticated attacks.

Naturally, you wonder where these attacks start. Recent reports such as the Verizon 2020 Data Breach Report tell us that 65% of all breaches come from hacking/email phishing attacks.

We were alarmed to read that over 200 of the world’s most prominent brands are being spoofed by hackers setting up fake login pages to collect credentials. 5% of these pages are polymorphic making them very hard to isolate. These pages have slight changes such as detail of the content, layout or so on to make it harder for protective software to identify them – in particular the emails sent to you and your colleagues can be subtly different to try and fool your mail washing software.

Most of these pages are financial, governmental, or large tech like Google, Facebook and Microsoft. The stats we saw showed 11,000 fake PayPal login pages and 9,500 fake Microsoft pages. All of these businesses have security teams looking for these fake pages and trying to get them taken down but it will be like “whack-a-mole” and the hackers will do anything they can to get your colleagues to enter their details on these pages and even try to collect your MFA credentials for a quick minute – just long enough for them to login to the real site and inject some malware or the like.  What that means is that even MFA (multifactor authentication) isn’t fool proof. It makes it harder for a criminal to hack against you, but nothing makes you immune.

There are layers of security and the measures that seemed excessive even a year ago, like KARE for Security, are now the minimum and actually we have to keep adding additional layers as they become available.