And their role dictates that they have to read these emails and open file attachments. Any one of these emails could contain the all-important piece of malware that launches a ransomware attack against the business.
They are also really attractive targets to cyber criminals.
The HR department of any organisation holds vast amounts of sensitive personal data and financial information that may be of value to criminals. There is personally identifiable information such as home addresses, bank details, dates of birth and National Insurance numbers that criminals can collect and use for their nefarious activities. Not only can they target employees personally, but they can also use this information to launch phishing attacks against the business or its partners in the future.
In fact, this is exactly what happened in 2018 when a well-known UK business’ online recruitment system became the target of a cyber-attack. The resulting data leak exposed biographical and contact details stored in their databases, which subsequently affected other parts of their organisation.
The cost to the business of fixing this is estimated to have been in the hundreds of thousands of pounds.
Simply put, ransomware is a malicious attack against a network in which the criminals get access to data and either steal it, threaten to delete it, or encrypt it. The criminals will then demand a payment for the return of the data. Imagine how this could affect your HR business. Sensitive applicant and staff data, as well as financial details for the companies you represent, could all be compromised or lost.
The reality is that ransomware is now viewed as a business model, and many entities behind these attacks will present themselves as being on the same side as the victim. So, in return for the payment, your organisation will often be supported through a process which will return the data that has been encrypted or stolen. It is worth noting that paying the ransom does not guarantee the return of the data and certainly does not guarantee that it won’t be sold on or published at some point in the future. Also, your network will still be infected, and you are more likely to be targeted again in the future.
The paying of the ransom has moral and ethical undertones that may not be immediately apparent when you are faced with such an attack. Consider the fact that you may be financially supporting terrorists or criminals by paying the ransom.
This is a recent example of cybercriminals posing as job applicants as part of a phishing campaign to infect victims in corporate human resources departments with ransomware.
The initial email contained a short message from the fake applicant, directing the victim to two attachments. The first was a cover letter within a PDF which doesn't actually contain any malicious software but is intended to reassure the target that they're dealing with a standard job application. However, the second attachment is an Excel file supposedly containing an application form but which in fact contains the malicious Goldeneye payload.
Upon opening the Excel attachment, the target is presented with a document which claims to be 'Loading' and requires them to enable macros to view the file. When macros are enabled, Goldeneye executes its code and begins encrypting the user's files before presenting them with a ransom note.
Like many ransomware strains, this one emanated from Russia. But the important lesson here is that you should never open a link or attachment in an e-mail unless you have verified the source. As explained above, this is really difficult for the HR business, as opening e-mails and attachments is the cornerstone of their operating model.
As demonstrated in Goldeneye, ransomware is always preceded by an attack on the network itself, commonly through a phishing e-mail or brute force attack. These attacks are increasing in complexity and sophistication, meaning that defence against these dark arts needs continual review.
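Because HR staff cannot simply stop opening attachments, one practical control is to check each application e-mail for macro-bearing Office files before it reaches the inbox. The following is an added example, not part of the original article; the function names, verdict labels and sample message are constructed for illustration.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # legacy .xls/.doc container

def classify_attachment(data: bytes) -> str:
    """Return 'macro', 'review' or 'no-macro' from file content, not the extension."""
    if data.startswith(b"PK"):  # modern Office files are ZIP archives
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                members = [n.lower() for n in zf.namelist()]
        except zipfile.BadZipFile:
            return "review"  # looks like a ZIP but cannot be parsed
        # A VBA macro project is stored as vbaProject.bin inside the archive.
        if any(n.endswith("vbaproject.bin") for n in members):
            return "macro"
        return "no-macro"
    if data.startswith(OLE_MAGIC):
        return "review"  # legacy binary format may carry macros; needs an OLE parser
    return "no-macro"

def triage(raw_email: bytes) -> dict:
    """Map each attachment file name to its verdict."""
    msg = message_from_bytes(raw_email, policy=policy.default)
    verdicts = {}
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        verdicts[part.get_filename() or "(unnamed)"] = classify_attachment(data)
    return verdicts

def build_sample() -> bytes:
    """Constructed sample: a job application with a PDF and a macro-enabled workbook."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("xl/workbook.xml", "<workbook/>")
        zf.writestr("xl/vbaProject.bin", b"placeholder, not real VBA")
    msg = EmailMessage()
    msg["Subject"], msg["From"], msg["To"] = "Job application", "applicant@example.com", "hr@example.com"
    msg.set_content("Please find my cover letter and application form attached.")
    msg.add_attachment(b"%PDF-1.4\n%%EOF\n", maintype="application", subtype="pdf", filename="cover_letter.pdf")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="vnd.ms-excel", filename="application_form.xlsm")
    return msg.as_bytes()

if __name__ == "__main__":
    for name, verdict in triage(build_sample()).items():
        print(f"{verdict:9} {name}")
```

A 'no-macro' verdict only means no macro container was found in that file; it is not a statement that the attachment is safe.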
But the key points for protection to remember are:
The impact of a successful attack against your website or network can be catastrophic and lead to website downtime, loss of data and permanent loss of reputation. But all is not lost.
So, what can I do?
Here at the centre, we would advise you to do the following now