One of the more irritating aspects of being hacked is dealing with the attacker’s sense of humor. It’s not enough for a malicious actor to steal your data or ruin your IT assets. If it’s not something dumb, like malware named after Los Pollos Hermanos (The Chickens’ Brothers), a restaurant from TV’s “Breaking Bad,” it’s something intellectually pretentious. Some hackers want you to know that they are better read than you, as if their crime were actually some sort of philosophical act. So it went in last month’s massive Cerber ransomware attack on Office 365 users.
Cerber, named after the mythical multi-headed “hound of Hades” from Greek mythology, delivered a famous Latin quote along with its ransom demands. Each victim, after being held hostage for $500 in Bitcoins, was told “…Quod me non necat me fortiorem facit.” (“What doesn’t kill me, makes me stronger”). How cute.
The Problem with Treating Malware Like a Biological Virus
Annoying as it may be, the message can serve a purpose for those looking for more effective ways of dealing with this type of threat. “What doesn’t kill me, makes me stronger” is a good way of describing how a vaccine works. Inject the patient with a small dose of the virus and the patient’s immune system “learns” the virus and develops antibodies to fight it.
This “learning by infection” process is not unlike how most anti-malware software works. These solutions typically learn to block a piece of malware only once they’ve learned to recognize its digital signature. It works… eventually. But a lot of bad things can happen in the time between the first attacks and the response, especially if your company is included in the first wave of attacks.
Cerber Ransomware: A Case Study
Cerber spreads itself through infected document attachments. It’s sent via email and takes advantage of social engineering tricks to get users to open the Office macro-enabled files. This method of attack, known as phishing, is hardly unique to Cerber. 91% of network attacks include some element of phishing or its more targeted cousin, spear phishing.
According to SC Magazine, the Cerber attack on Office 365 affected more than half the organizations that use the cloud-based service. That’s about 9 million malware-bearing emails delivered. Microsoft stated that it was able to identify the signature of the malware and issue a patch within a few hours. Some observers believe that it took Microsoft until the next day to fully block the attack.
These kinds of attacks are on the rise. McAfee Labs reports that macro malware cases jumped from 300,000 in the first quarter of 2014 to 450,000 in Q1 2016.
Email Security Vulnerability Exposed
The Cerber attack reveals a serious vulnerability for firms that outsource email security to large standardized cloud security services. These standard security protections left many companies and users exposed. Why?
The problem is that standard email security, including Microsoft’s Office 365 Exchange Online Protection (EOP), relies on being told what the various threats look like. It needs to compare an incoming threat with known attacks. Clever variations or brand new attacks can get past this type of signature-based protection relatively easily. One could argue that Microsoft responded extremely quickly to the problem by blocking this new signature within a day… However, the relevant issue is not Microsoft’s response, it’s the architecture of their email security solution.
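To make the gap concrete, here is an added example (not from the original post and not any vendor's detection logic) that scans an email's attachments two ways: an exact-hash signature lookup and a structural check for a VBA macro part inside an OOXML file. All samples are constructed in memory, the function names are hypothetical, and legacy OLE2 `.doc` files are out of scope.

```python
import hashlib, io, zipfile
from email import message_from_bytes
from email.message import EmailMessage

def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()

def make_docm(macro_bytes):
    """Constructed sample: minimal OOXML zip, with a VBA part unless macro_bytes is None."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<document/>")
        if macro_bytes is not None:
            z.writestr("word/vbaProject.bin", macro_bytes)
    return buf.getvalue()

def make_mail(filename, payload):
    """Constructed message carrying one attachment."""
    msg = EmailMessage()
    msg["From"], msg["To"] = "sender@example.test", "user@example.test"
    msg["Subject"] = "Invoice"
    msg.set_content("See attached.")
    msg.add_attachment(payload, maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()

def has_vba_part(data):
    """Structural check: is this an OOXML zip containing a vbaProject.bin part?"""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return False
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        return any(n.lower().endswith("vbaproject.bin") for n in z.namelist())

def scan(raw_mail, known_hashes):
    """Return (filename, signature_hit, macro_found) for each attachment."""
    results = []
    for part in message_from_bytes(raw_mail).walk():
        name = part.get_filename()
        if name:
            data = part.get_payload(decode=True)
            results.append((name, sha256_hex(data) in known_hashes, has_vba_part(data)))
    return results

if __name__ == "__main__":
    first_wave = make_docm(b"constructed-macro-v1")
    variant = make_docm(b"constructed-macro-v2")   # same lure, changed bytes
    known = {sha256_hex(first_wave)}               # signature issued after wave one
    for sample in (first_wave, variant, make_docm(None)):
        print(scan(make_mail("invoice.docm", sample), known))
```

The variant misses the hash signature but still trips the structural check. A macro-bearing attachment is not malicious by itself, so treat the flag as a reason to quarantine or review rather than as a verdict.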
Office 365 Phishing Protection: A Better Solution
In contrast to standard signature-based email security platforms, Vade Secure offers a solution that detects even brand new attacks starting with the first email. It employs heuristic analysis to spot malicious emails whether or not they include an attachment or URL. Our artificial intelligence system has been trained with a massive data set covering hundreds of millions of email boxes over a ten-year period. This prevents your users from being exposed to attack during the window between the bad guys launching a new threat and that threat being identified and an immunizing signature being added to your system.
Vade Secure represents true zero-day protection.
The really good news? Vade Secure offers a solution that works hand in hand with Office 365 and that can be instantly used instead of, or layered on top of, your existing email security system.
Contact us or give us a call at 415-745-3630 if you want to discuss how you can quickly add anti-phishing measures to your current email setup.