How DMARC Can Protect Against Ransomware

Domain-based Message Authentication, Reporting, and Conformance (DMARC) began gaining traction a few years ago as a way to validate the authenticity of emails.

Now it may have an even more important role to play: preventing ransomware attacks.

These attacks, which encrypt your data and hold it hostage, are the most financially harmful attacks for companies.

Rampant Ransomware Attacks

Ransomware attacks have been surging in 2021, with the highest-profile one the Colonial Pipeline attack that nearly shut down the U.S. East Coast. Attackers have targeted critical and vulnerable sectors such as manufacturing, financial, transportation, healthcare, government administration, energy, and more, including a couple of $50 million attacks on the likes of Acer and Quanta.

The costs of ransomware attacks can be massive, including downtime, data loss, and significant psychological harm to the teams involved.

Cyber extortion is a common concern. Hackers target large and small businesses alike, but small businesses may be easier ransomware targets – and more easily put out of business. The attack can be either the first step in a master plan to reach more prominent companies or just a way to target more companies simultaneously.

Many ransomware attacks seem brutal, cruel, and deceptive. Some hackers do not hesitate to demand thousands of dollars from tiny companies that can neither pay the ransom nor afford to lose the data. The attackers might destroy the data while the victim is sending the payment, just to prove to all other potential victims that they are not bluffing.

Email is a Critical Ransomware Attack Vector

Hackers can target any of your employees with a fraudulent, “spoofed” email or several people in a specific department with a phishing campaign.

If any of them unwisely open the attached files, it’s game over! The malware can spread to the entire system in hours and to your customers and partners, impersonating your identity. That makes employee training a critical ransomware defense too (see Best Cybersecurity Awareness Training for Employees in 2021).

One such scenario involving a user with high privileges happened to a major electronics manufacturer for defense and communications markets in 2020. Communications & Power Industries (CPI) paid a ransom of $500,000, and it took the Californian company several months to recover data and services partially.

Once you lose the integrity of your data, the only option left is to pay the ransom. Unfortunately, there’s no guarantee you will recover all data after paying the attackers. It’s not uncommon for most data to remain encrypted or corrupted.

A ransomware attack can spring from a single email.

It’s not so difficult to fake an email, including the From address. You can forge a From address with a one-line command or only a few lines of code in many programming languages.

Fortunately, DMARC can give you a way to stop email with fake From addresses. When DMARC is correctly configured with the appropriate policy, forged emails shall not pass.

How DMARC Works to Stop Ransomware

DMARC is based on email authentication, and much of the responsibility rests with senders and the TXT resource records they publish in DNS.

With the Sender Policy Framework (SPF), a receiving mail server can automatically check whether an email comes from a server the domain owner has authorized. You can use online tools such as mxtoolbox to check if SPF is correctly set up for your domain.

For example, hackers may forge an email impersonating the CEO or any director, but SPF lets the receiving server check whether the sending server's IP address is listed in the domain's SPF record and reject the email if it isn't. For example:

  • IPv4: v=spf1 ip4:8.8.8.8 ip4:8.8.4.4 -all
  • IPv6: v=spf1 ip6:2001:4860:4860::8888 ip6:2001:4860:4860::8844 -all

You can also specifically allow email to be sent only from the same email servers that are already defined in the MX (mail exchange) record:

v=spf1 mx mx:mywebsite.com ~all
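To make the evaluation concrete, here is a small SPF checker written for this article (not part of any mail server or library) that evaluates the two records above for a given sender IP. It supports only the ip4, ip6, mx and all mechanisms with their qualifiers; because mx needs DNS, the resolved MX addresses are passed in by the caller so the check runs offline.

```python
import ipaddress

# Simplified SPF evaluator for the mechanisms used in the records above:
# ip4, ip6, mx and all, with the +, -, ~ and ? qualifiers. Real SPF
# (RFC 7208) also has include, a, exists, redirect and DNS lookups; here
# the MX hosts' addresses are supplied by the caller so the check runs
# offline. Example code written for this article, not a library's API.

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf(record, sender_ip, mx_addresses=()):
    """Return the SPF result for sender_ip against one TXT record string."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"                       # not an SPF record at all
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = "+"                     # default qualifier is pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            matched = ip.version == net.version and ip in net
        elif name == "mx":
            # mx / mx:domain resolve to the domain's MX hosts in real SPF;
            # the caller passes those resolved addresses for this example.
            matched = any(ip == ipaddress.ip_address(a) for a in mx_addresses)
        elif name == "all":
            matched = True
        else:
            raise ValueError(f"unsupported mechanism: {name}")
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                        # nothing matched and no 'all'

if __name__ == "__main__":
    v4 = "v=spf1 ip4:8.8.8.8 ip4:8.8.4.4 -all"
    mx = "v=spf1 mx mx:mywebsite.com ~all"
    print(check_spf(v4, "8.8.4.4"))                                  # pass
    print(check_spf(v4, "203.0.113.7"))                              # fail
    print(check_spf(mx, "198.51.100.25", ["198.51.100.25"]))         # pass
    print(check_spf(mx, "203.0.113.7", ["198.51.100.25"]))           # softfail
```

Note the difference between the two records: -all turns an unlisted sender into a hard fail, while ~all only produces a softfail that many receivers treat as a hint rather than a rejection.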

SPF and DKIM

However, SPF by itself is not sufficient protection. That's why it's often combined with DomainKeys Identified Mail (DKIM) to cryptographically sign emails.

Like SPF, DKIM needs a DNS record, but this record contains a public key. In addition, you need a DKIM signer set up on your mail server. The DKIM signer holds a private key that must be kept secret and that corresponds to the public key published in the DNS record.

The installation can be challenging, but Microsoft 365 and Google platforms, for example, have specific guides and integrations to ease the setup.

When DKIM is correctly set up, all outgoing emails should include a DKIM-Signature header. You can use easydmarc tools to check if you have a valid DKIM record.

DMARC Policy

After all these steps, you can add a DMARC policy as a DNS record to your domain. Every DMARC record must have at least two tag-value pairs:

  • v=DMARC1
  • p=none or p=quarantine or p=reject

The parameter p defines your policy. None means no action, Quarantine puts suspicious emails in the junk folder, and Reject rejects all messages that fail DMARC authentication.

Of course, you can add other parameters such as the following:

v=DMARC1; p=quarantine; pct=25; rua=mailto:[email protected];

pct stands for percentage and determines the share of messages failing DMARC authentication to which the receiving server applies your policy. In the example above, it's 25%. It's helpful to fix all misconfigurations and failures before applying a 100% quarantine.

Authentication failures will be reported to [email protected]. That's the purpose of the rua parameter, which usually takes a comma-separated list of mailto: addresses. You can find more info at dmarc.org.
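The following parser, written for this article rather than taken from any DMARC vendor, validates a record the way the rules above describe (v=DMARC1 first, a p tag, pct between 0 and 100, rua as a list) and shows what pct=25 actually means for a receiver: the policy applies to the sampled share, and the rest get the next less strict policy, as RFC 7489 specifies. The report address in the sample record is constructed.

```python
import random

# Parses a DMARC TXT record and decides what a receiver does with a message
# that failed DMARC, honouring the pct tag the way RFC 7489 describes:
# messages outside the sampled percentage get the next-less-strict policy
# (reject -> quarantine, quarantine -> none). Example code written for this
# article, not a vendor tool; the report address below is constructed.

POLICIES = ("none", "quarantine", "reject")     # ordered by strictness

def parse_dmarc(record):
    """Return {'p', 'pct', 'rua'} or raise ValueError for a bad record."""
    parts = [p.strip() for p in record.split(";") if p.strip()]
    if not parts or parts[0] != "v=DMARC1":      # v= must come first
        raise ValueError("DMARC record must start with v=DMARC1")
    tags = {}
    for part in parts:
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    if tags.get("p") not in POLICIES:
        raise ValueError("p= must be none, quarantine or reject")
    pct = int(tags.get("pct", "100"))
    if not 0 <= pct <= 100:
        raise ValueError("pct= must be between 0 and 100")
    rua = [u.strip() for u in tags.get("rua", "").split(",") if u.strip()]
    return {"p": tags["p"], "pct": pct, "rua": rua}

def is_valid_dmarc(record):
    try:
        parse_dmarc(record)
        return True
    except ValueError:
        return False

def disposition(policy, sample=None):
    """Action for one message that failed DMARC. `sample` is a number in
    [0, 100); receivers draw it at random, tests pass it in explicitly."""
    if sample is None:
        sample = random.uniform(0, 100)
    if sample < policy["pct"]:
        return policy["p"]
    # Not in the sampled share: apply the next less strict policy.
    return POLICIES[max(POLICIES.index(policy["p"]) - 1, 0)]

if __name__ == "__main__":
    rec = "v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@example.com;"
    pol = parse_dmarc(rec)
    print(disposition(pol, 10), disposition(pol, 60))   # quarantine none
    print(is_valid_dmarc("p=reject; v=DMARC1"))         # False (v not first)
```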

Slowing Attackers

Security specialists recommend using DMARC to help protect against ransomware attacks. It’s an essential email security tool, and makes the task of hackers significantly more complicated.

Unless you are a primary target, it can even stop them in their tracks and force them to switch to another target.

Of course, it’s not the ultimate protection, as there are many other techniques hackers can use to deceive you, including social engineering, brute forcing and more sophisticated approaches.

Forensic Reports

There’s an essential part of DMARC that should not be neglected: reporting.

SPF and DKIM records are sometimes complicated to set up, leading to misconfigurations. This is where DMARC Forensic Reports can be helpful.

Forensic Reports allow automated tools and analyzers to report failures. For example, they can tell you that the domain authenticated by SPF or DKIM does not align with the From domain that DMARC checks, which helps you complete the DMARC deployment.
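The alignment check that such a report explains can be reproduced with the small function below, an added example for this article rather than code from any DMARC analyzer. It reports a DMARC pass only when SPF or DKIM passes with an identifier aligned to the From domain, and otherwise returns the same kind of reason a forensic report gives; the organizational-domain shortcut (last two labels) is a simplification, since real receivers use the Public Suffix List.

```python
# DMARC identifier alignment, as an added illustration for this article.
# A message passes DMARC when SPF passes with an aligned envelope-from
# (MAIL FROM) domain, or DKIM passes with an aligned d= domain; "aligned"
# means equal to the From: header domain (strict) or sharing its
# organizational domain (relaxed, the default). Real receivers derive the
# organizational domain from the Public Suffix List; the two-label
# shortcut below is a simplification for the example.

def org_domain(domain):
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])          # simplification: no PSL lookup

def aligned(from_domain, auth_domain, mode="r"):
    if mode == "s":                       # strict: exact domain match
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)

def dmarc_result(from_domain, spf, dkim, aspf="r", adkim="r"):
    """spf = (result, mailfrom_domain) or None; dkim = (result, d_domain)
    or None. Returns (pass/fail, reason) as a forensic report would."""
    if spf and spf[0] == "pass" and aligned(from_domain, spf[1], aspf):
        return "pass", "spf aligned"
    if dkim and dkim[0] == "pass" and aligned(from_domain, dkim[1], adkim):
        return "pass", "dkim aligned"
    reasons = []
    if spf and spf[0] == "pass":
        reasons.append(f"spf passed but {spf[1]} not aligned with {from_domain}")
    if dkim and dkim[0] == "pass":
        reasons.append(f"dkim passed but {dkim[1]} not aligned with {from_domain}")
    return "fail", "; ".join(reasons) or "no passing authentication"

if __name__ == "__main__":
    # Typical misconfiguration: a third-party mailer passes SPF for its own
    # domain but has no DKIM signature for ours, so DMARC fails.
    print(dmarc_result("example.com", ("pass", "mailer.example.net"), None))
    print(dmarc_result("example.com", ("pass", "bounce.example.com"), None))
```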

After the deployment, you must keep monitoring reports to catch authentication failures and make sure your email reaches its intended inbox. In addition, you have to find out who is sending emails using your domains.

DMARC monitoring can consist of DMARC digests that can help you resolve deliverability issues.

Essential Email Security

While DMARC can be challenging to configure and requires ongoing monitoring, it's a powerful email protection and an important defense against the current spate of ransomware attacks.

The damages of ransomware attacks go far beyond the cost of the ransom itself. Companies can remain non-operational for a long time, struggling to go back online. They may lose additional money with downtimes, and such attacks deeply harm their reputation. And perhaps most damaging of all, their data may be unrecoverable, making small security steps like implementing DMARC essential.

Further reading: How to Set Up and Implement DMARC Email Security

Julien Maury
Julien Maury is a backend developer, a mentor and a technical writer. He loves sharing his knowledge and learning new concepts.
