Spear phishing is one of the main ransomware attack vectors
Secure your mail infrastructure with SPF/DKIM/DMARC and DANE
Ransomware has become a huge problem in recent years. Over the last twelve months alone, dozens of stories of big organisations falling victim have made the news. In total, there have been thousands of cases involving billions in damages.
Fortunately, there's a lot we can do to reduce the risk of our digital assets being held to ransom. Several organisations, including ENISA and the NCSC, provide advice, both on how to avoid trouble and on what to do if you do come under attack. Meanwhile, various government bodies are working (together) on regulations designed to tackle digital extortion. The market is also responding, with insurance companies, the financial services sector and the security industry all taking up the fight against the ransomware epidemic.
In this article, we focus on e-mail – one of the main ransomware attack vectors – and how modern internet security standards can be used to greatly reduce the phishing threat.
Recent ransomware victims have included numerous critical infrastructure operators [1, 2, 3]. As a result, the ransomware problem is increasingly treated like terrorism in terms of the priority afforded to it, the approach taken and the collaborative international response. However, ransomware is by no means a threat only to corporations and public entities. Smaller organisations, local governments, educational establishments and SMEs are frequently targeted as well.
Against that background, all organisations involved in fighting cybercrime have identified ransomware as the most serious cyber-threat we currently face [ENISA, the Counter Ransomware Initiative, Interpol, NCSC UK, NCTV]. And with good reason: the disruption caused by the Colonial Pipeline case was so severe that a regional state of emergency was declared.
In a ransomware attack, malicious actors gain access to an organisation's ICT infrastructure and infect large parts of it with malware that encrypts all the data, including recent backups. The attackers then demand a ransom, payable in cryptocurrency, for restoring the data. Usually, the stakes are raised by the added threat that, if the ransom isn't paid, the data will be published online or sold on for criminal exploitation. In other words, the extortion leverages both the availability and the confidentiality of the hijacked information. Some incidents involve 'supply chain' attacks, where the primary target's customers are also blackmailed and/or used to apply extra pressure.
Spear phishing (sending targeted e-mails with links or attachments as malicious payloads) is now the second most common ransomware attack vector, after remote desktop services [1]. What's more, phishing is gaining ground as the attackers' chosen mode of entry. Fortunately, the use of modern e-mail security standards can greatly reduce the threat posed by phishing.
Perhaps the best-known ransomware case in the Netherlands is that involving Maastricht University. In 2019, the university was coerced into paying a ransom of €200,000 in Bitcoin to regain access to files on 267 Windows servers. (Some of the ransom was later recovered "with interest".) The attack began two months earlier, when two simple (generic) phishing mails were opened.
Other Dutch organisations extorted under similar circumstances in recent years include the Artis zoo, the Municipality of Buren, MediaMarkt, the Game Mania retail chain, media outlet RTL Nederland, office supplies vendor Manutan, ICT service provider Managed IT, logistics company Bakker Logistiek, the Dutch Research Council (NWO), the North and East Gelderland Regional Security Authority, the Municipality of Hof van Twente [1] and water technology institute Wetsus. According to the Ministry of Justice and Security, about two hundred ransomware attacks a year are reported to the Dutch police. That number is probably the tip of the iceberg, however, since many organisations are unwilling to report cybercrime [1].
Serious attacks have taken place abroad as well, hitting Danish wind turbine maker Vestas, Canadian payroll service provider UKG (Kronos), Colonial Pipeline, software vendor Kaseya, meat processing company JBS, the Irish Health Service Executive, the South African rail, port and pipeline company Transnet and container line Maersk, amongst many hundreds of others.
The European Union Agency for Cybersecurity (ENISA) has investigated 623 reported ransomware incidents that occurred in the West between May 2021 and June 2022. The resulting ENISA Threat Landscape for Ransomware Attacks says that ransom was paid in an estimated 60 per cent of cases. In an average month, 10 Tbytes of data is stolen, nearly 60 per cent of it including personal data. In almost half the investigated cases, the stolen data was ultimately published, at least in part.
However, little is known about the great majority of ransomware incidents, many of which are not even publicly acknowledged. That is because many organisations fear that publicity will damage their reputations and encourage other attackers. ENISA estimates the total number of incidents in the fourteen-month study period to be 1640, implying that the Agency was able to investigate just 17 per cent.
In 95 per cent of the cases investigated by ENISA, it wasn't possible to ascertain how the attackers initially gained access. However, in eight of the twenty-nine incidents where the attack vector was known, it was spear phishing. That makes e-mail the second most common attack vector, after remote desktop services. Moreover, in Threat Landscape 2021, ENISA had previously reported that phishing is gaining ground on remote desktop services.
A particular point of concern for software vendors and cloud service providers is that an increasing proportion of ransomware heists take the form of supply chain attacks [NCTV]. According to ENISA's Threat Landscape for Supply Chain Attacks, the number of such attacks has quadrupled in a year. What's more, the impact of such attacks is hugely amplified by the supply chain cascade.
Despite the alarming developments described above, there is reason to be hopeful. The use of SPF/DKIM/DMARC and DANE is known to make e-mail traffic much more secure, thus substantially reducing the risk of mail-vectored ransomware attacks.
The DKIM, SPF and DMARC protocols protect against phishing, spam and virus/malware distribution by securing the sender (the sending e-mail address), the host (the sending e-mail system) and the contents of the message. Enabling the standards involves adding records to the domain name's DNS details. Although DNSSEC signing is not strictly necessary for that (i.e. the standards do not require it), it is an important addition to the mechanism, because it protects the published records themselves against tampering.
DANE is a protocol for the secure publication of public keys and certificates using the DNS. DANE extends the DNS protocol by providing for a TLSA record, which is used to link key information to an address-protocol-port combination. That makes it possible to verify the authenticity of an encrypted internet service's server certificate via the DNS.
Although DANE is a generic protocol, it is used primarily to secure mail transport (SMTP).
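As an added example (not code from the article or from SIDN), the following Python script parses SPF, DMARC and TLSA record values in the form they are published in the DNS and flags the weak settings a mail administrator would want to catch before relying on them: a permissive `all` qualifier, a DMARC policy of `none`, or a TLSA certificate usage that is not meant for SMTP. The record values, domain names and function names are constructed for illustration.

```python
# Added example, not from the article or SIDN: flag weak settings in a domain's
# published SPF, DMARC and TLSA records. Record values are constructed samples.
import re

SPF_RECORD = "v=spf1 mx ip4:192.0.2.10 -all"
DMARC_RECORD = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; adkim=s; aspf=s"
TLSA_RECORD = "3 1 1 " + "ab" * 32  # constructed SHA-256 of the server's SPKI

def spf_all_qualifier(record):
    """Qualifier of the 'all' mechanism ('+', '-', '~', '?'); None if absent."""
    terms = record.split()
    if terms and terms[0].lower() == "v=spf1":
        for term in terms[1:]:
            m = re.fullmatch(r"([-~?+]?)all", term, re.IGNORECASE)
            if m:
                return m.group(1) or "+"  # no qualifier means '+' (pass)
    return None

def parse_dmarc(record):
    """'tag=value; tag=value' -> dict; empty dict if not a DMARC record."""
    tags = dict(p.split("=", 1) for p in record.split(";") if "=" in p)
    tags = {k.strip().lower(): v.strip() for k, v in tags.items()}
    return tags if tags.get("v", "").upper() == "DMARC1" else {}

def parse_tlsa(record):
    """'usage selector mtype hexdata' -> (int, int, int, str); None if malformed."""
    f = record.split()
    ok = len(f) == 4 and all(x.isdigit() for x in f[:3]) and re.fullmatch(r"[0-9a-fA-F]+", f[3])
    return (int(f[0]), int(f[1]), int(f[2]), f[3].lower()) if ok else None

def assess(spf, dmarc, tlsa):
    """Return a list of findings; an empty list means all three records look strong."""
    findings = []
    q = spf_all_qualifier(spf)
    if q is None:
        findings.append("SPF: no v=spf1 record or no 'all' mechanism")
    elif q in ("+", "?"):
        findings.append("SPF: '%sall' lets any host send for the domain" % q)
    elif q == "~":
        findings.append("SPF: '~all' is softfail; use '-all' once all senders are listed")
    if parse_dmarc(dmarc).get("p", "").lower() not in ("quarantine", "reject"):
        findings.append("DMARC: missing or p=none, so spoofed mail is still delivered")
    rec = parse_tlsa(tlsa)
    if rec is None:
        findings.append("TLSA: record missing or malformed")
    elif rec[0] not in (2, 3):  # RFC 7672: SMTP uses DANE-TA(2) or DANE-EE(3)
        findings.append("TLSA: certificate usage should be 2 or 3 for SMTP")
    return findings
```

Calling `assess(SPF_RECORD, DMARC_RECORD, TLSA_RECORD)` on the constructed samples returns an empty list; feeding it the records actually published for your own domain (for example as returned by a DNS lookup of `_dmarc.<domain>` and `_25._tcp.<mailhost>`) shows where the configuration still needs tightening.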
If you aren't yet using the security standards mentioned above, we advise you to start doing so as soon as possible. In that context, it's worth noting that implementation involves making changes only to your technical mail infrastructure (central systems). Consequently, it's considerably easier than many of the other (equally vital) measures you can take to minimise the threat posed by ransomware.
What's more, we provide implementation support in the form of a series of hands-on guides explaining the complete configuration of SPF/DKIM/DMARC and STARTTLS/DANE for Postfix and for Exim (the two most popular mail server software packages):
An e-learning module on secure e-mail standards is also available for .nl registrars in the SIDN Academy.