DMARC, email security, and the war on ransomware


Matthew Kirtley

20 January, 2023

2023 has opened with a significant ransomware attack on the UK's critical national infrastructure. The latest ransomware attack on Royal Mail has shut down the postal service's global deliveries, disrupted the plans of countless businesses and families, and acted as a potent reminder of the persistent nature of the ransomware threat.

It's not just national institutions at risk of incurring high costs from ransomware. IBM calculates that the average cost of a ransomware attack on an organisation stood at $4.5M in 2022, not including the price of any ransom paid. 

A terrifying part of the ransomware epidemic is that attacks often start with one of the oldest tricks in the malware book: phishing. One report from Deloitte estimates that 91% of all cyberattacks begin with a phishing email to an unwitting victim. Unfortunately, ransomware is no different, with attackers often leaning on sophisticated social engineering and imitation of email domains to trick victims into clicking a link or opening an attachment containing a ransomware package.

So, while many of us treat ransomware as a problem that demands new and sophisticated tools, much of the challenge is simply an extension of fundamental questions around email security. Given this, what email security techniques and tools can harden you against ransomware?

DMARC-ating email domains

With many phishers impersonating colleagues or managers, one of the most effective ways to combat their attempts to inject ransomware is to deprive them of the means to impersonate a company email address. Many phishing attacks are rendered impossible without the ability to send emails that imitate your domain address.

Enter Domain-based Message Authentication, Reporting and Conformance, also known as DMARC. Building on earlier authentication protocols, DMARC automates verifying the legitimacy of received emails, dramatically cutting email spoofing.

DMARC works on the domain in an inbound message's From: address. The domain's owner publishes a DMARC policy as a public DNS record, and the receiving server checks that the message carries an authenticated identifier (from the underlying SPF or DKIM checks) whose domain matches the From: domain. If the identifiers align, DMARC lets the email proceed to the inbox; if they don't, the receiver filters the message according to the published policy and reports it to the domain's actual owner, so impersonation is both blocked and made visible.
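The alignment check described above, as an added worked example that is not code from the original article: a small evaluator that parses a DMARC DNS record and decides, from already-computed SPF and DKIM results, whether a message passes and which disposition the published policy calls for. DNS is replaced by an in-memory table, and the domain names, report addresses and the simplified organisational-domain rule are all constructed assumptions; real receivers use the Public Suffix List for that rule.

```python
"""DMARC alignment and policy evaluation (illustrative, not the article's code).

Assumptions: DNS lookups are replaced by the constructed FAKE_DNS_TXT table, and
SPF/DKIM verdicts are supplied as the receiving server would have computed them.
"""

# Constructed stand-in for DNS: the TXT record at _dmarc.<domain>.
FAKE_DNS_TXT = {
    # Enforcing policy: strict DKIM alignment, relaxed SPF alignment.
    "_dmarc.example.com": (
        "v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc-reports@example.com"
    ),
    # Monitor-only policy: reports are sent, but nothing is enforced.
    "_dmarc.monitor-only.example": (
        "v=DMARC1; p=none; rua=mailto:reports@monitor-only.example"
    ),
}


def parse_dmarc_record(txt):
    """Parse 'tag=value; tag=value' into a dict; return None if it is not a DMARC record."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        return None
    # Alignment modes default to relaxed when the tags are absent.
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    return tags


def organizational_domain(domain):
    """Simplified rule (assumption): the last two labels form the organisational domain."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(header_domain, auth_domain, mode):
    """Strict mode needs an exact match; relaxed mode needs the same organisational domain."""
    h, a = header_domain.lower(), auth_domain.lower()
    if mode == "s":
        return h == a
    return organizational_domain(h) == organizational_domain(a)


def evaluate_dmarc(from_domain, spf_result, spf_domain, dkim_result, dkim_domain,
                   dns=FAKE_DNS_TXT):
    """Return (dmarc_pass, disposition, reason).

    disposition is the policy's p= value ('none', 'quarantine' or 'reject') when
    the message fails, and 'none' when it passes or no record is published.
    """
    record = dns.get("_dmarc." + from_domain.lower())
    policy = parse_dmarc_record(record) if record else None
    if policy is None:
        return (False, "none", "no DMARC record published; receiver cannot enforce")

    spf_ok = (spf_result == "pass" and spf_domain is not None
              and aligned(from_domain, spf_domain, policy["aspf"]))
    dkim_ok = (dkim_result == "pass" and dkim_domain is not None
               and aligned(from_domain, dkim_domain, policy["adkim"]))

    if spf_ok or dkim_ok:
        return (True, "none", "aligned " + ("DKIM" if dkim_ok else "SPF") + " pass")
    return (False, policy["p"], "no aligned authentication; applying p=" + policy["p"])


if __name__ == "__main__":
    # Legitimate mail: SPF passes for the very domain in the From: header.
    print(evaluate_dmarc("example.com", "pass", "example.com", "none", None))
    # Spoof: attacker authenticates their own domain but writes From: example.com.
    print(evaluate_dmarc("example.com", "pass", "attacker.example",
                         "pass", "attacker.example"))
    # Same spoof against a p=none domain: the receiver has nothing to enforce.
    print(evaluate_dmarc("monitor-only.example", "pass", "attacker.example",
                         "pass", "attacker.example"))
```

The second and third calls in the demo are the point of the article's adoption argument: the same spoofed message is rejected for the domain publishing `p=reject`, but merely reported for the domain still on `p=none`, and a domain with no record at all gives the receiver nothing to act on.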

However, if DMARC is so effective at curbing phishing, why does ransomware remain so prevalent? One of the primary reasons is that DMARC remains a criminally under-adopted technology, with only 14% of domains having adopted the protocol.

Because of all this, DMARC adoption is likely one of the top developments in the next stage of the war on ransomware. The upsides for this go beyond hardening security, with DMARC also helping to dramatically reduce the number of legitimate emails wrongly flagged as spam ('false positives') and therefore missed. So along with being a security boon, DMARC is also set to be an exciting development in the eternal struggle by PRs to get to the top of journalist inboxes.