Businesses should ensure employees are aware of the dangers of email attachments in the light of evidence of large-scale ransomware distribution campaigns.
On 28 August 2017, more than 23 million email messages were sent in just 24 hours with malicious attachments containing variants of the Locky ransomware, according to researchers at AppRiver.
As a first line of defence, businesses are urged to inform employees of the ransomware risks associated with email attachments.
Businesses are advised to pay particular attention to raising awareness among employees who have access to sensitive data with high business impact.
In the second quarter of 2017, ransomware was the most popular form of malware, with 68% of all malicious email messages bearing some variant of ransomware, according to security firm Proofpoint.
In particular, email recipients should be wary of any attachments to email with the subject such as: please print, documents, photo, images, scans, pictures, and payment.
Some of the latest Locky campaigns send emails appearing to be from the targeted organisation’s scanner, printer or other legitimate source, warns Comodo Threat Intelligence Lab.
The latest versions of the Locky ransomware are typically downloaded by a Visual Basic Script file in a ZIP file nested in another ZIP file as soon as the attachment is clicked.
Locky then encrypts all files on the system before instructing the victim to install the Tor browser and visit a .onion (dark web) site to process payment of 0.5 Bitcoins, worth around $2,150.
Once the ransom payment is made the attackers promise a redirect to the decryption service, but the consensus among law enforcement and security industry representatives is to advise against payment because there is no guarantee the files will be decrypted or that the attackers will not strike again.
As there are currently no publicly shared methods to reverse the latest Locky variants, security researchers say employee awareness is paramount.
As a second line of defence, businesses are advised to ensure they have systems in place that can block spoofed emails and detect new variants of malware, such as advanced analysis at the email gateway.
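The attachment chain described above (a ZIP nested inside another ZIP, with a Visual Basic Script file at the bottom) is exactly the kind of structure a gateway check can flag before a user ever clicks. The following Python is an added example written for this article, not code from AppRiver, Proofpoint or any other vendor named here: it walks a ZIP attachment held in memory, descends into nested archives up to a fixed depth, and reports any script or executable member. The extension list, depth limit and size guard are assumptions to be tuned to local policy, and the sample archive is constructed in the script (its .vbs member is a placeholder comment, not malware).

```python
import io
import zipfile

# Script/executable extensions commonly used as droppers in mail attachments.
# Assumption: tune this set to your own attachment policy.
RISKY_EXTENSIONS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta",
                    ".exe", ".scr", ".ps1", ".bat", ".cmd"}
MAX_DEPTH = 3                          # refuse to follow archives nested deeper than this
MAX_MEMBER_BYTES = 10 * 1024 * 1024    # do not expand oversized members (zip-bomb guard)


def _extension(name):
    """Lower-cased extension of a ZIP member name, or '' if it has none."""
    base = name.rsplit("/", 1)[-1]
    return ("." + base.rsplit(".", 1)[-1].lower()) if "." in base else ""


def scan_zip_bytes(data, path="attachment.zip", depth=0):
    """Recursively inspect an in-memory ZIP.

    Returns a list of (member_path, nesting_depth, reason) findings; an empty
    list means nothing matched.  Nested ZIPs are opened in memory without
    writing anything to disk.
    """
    findings = []
    if depth > MAX_DEPTH:
        findings.append((path, depth, "archive nested deeper than %d levels" % MAX_DEPTH))
        return findings
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings               # not a ZIP (or corrupt): nothing to descend into
    with zf:
        for info in zf.infolist():
            member = path + "/" + info.filename
            ext = _extension(info.filename)
            if ext in RISKY_EXTENSIONS:
                findings.append((member, depth + 1,
                                 "script/executable %s inside archive" % ext))
            if info.file_size > MAX_MEMBER_BYTES:
                findings.append((member, depth + 1, "member too large to expand"))
                continue
            if ext == ".zip":
                findings.extend(scan_zip_bytes(zf.read(info), member, depth + 1))
    return findings


def is_suspicious(data):
    """Gateway-style verdict: True if any finding was produced."""
    return len(scan_zip_bytes(data)) > 0


def build_sample():
    """Constructed sample: outer ZIP -> inner ZIP -> scan_0042.vbs (placeholder text)."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("scan_0042.vbs", "' constructed placeholder, not a real script\n")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("scan_0042.zip", inner.getvalue())
    return outer.getvalue()


def build_benign_sample():
    """Constructed benign attachment: a ZIP holding only a text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("notes.txt", "constructed benign content\n")
    return buf.getvalue()


if __name__ == "__main__":
    for finding in scan_zip_bytes(build_sample()):
        print(finding)
```

Because the scan never extracts to disk and stops at a fixed depth and member size, it is safe to run inline at the gateway; a hit should quarantine the message for review rather than merely tag it.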
Stopping email fraud with Dmarc
The domain-based message authentication, reporting and conformance (Dmarc) protocol can instantly stop email fraud that uses domain spoofing.
With Dmarc, organisations can be sure that email using the organisation’s domain really comes from that organisation.
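To make the Dmarc point concrete, here is an added Python example (written for this article, not taken from any vendor or standards body) that parses a DMARC TXT record and applies its policy to a message given the SPF and DKIM results. It shows why a spoofed message that merely passes SPF for the attacker's own sending domain still fails: the authenticated domain must align with the From: domain. The record string and message scenarios are constructed, and organisational domain is approximated as the last two labels (a simplification; a production implementation uses the Public Suffix List).

```python
def parse_dmarc(record):
    """Parse a DMARC TXT record such as 'v=DMARC1; p=reject; adkim=s' into a tag dict."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC1 record")
    tags.setdefault("adkim", "r")   # DKIM alignment defaults to relaxed
    tags.setdefault("aspf", "r")    # SPF alignment defaults to relaxed
    tags.setdefault("p", "none")
    return tags


def org_domain(domain):
    """Simplification: organisational domain = last two labels.
    Assumption: real DMARC evaluation derives this from the Public Suffix List."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain, auth_domain, mode):
    """Strict ('s') alignment needs an exact match; relaxed ('r') accepts the same org domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def evaluate(record, from_domain, spf_pass, spf_domain, dkim_pass, dkim_domain):
    """Return 'pass' if an aligned authentication passed, otherwise the policy to apply.

    spf_domain is the envelope (MAIL FROM) domain SPF was checked against;
    dkim_domain is the d= value of the DKIM signature that verified.
    """
    tags = parse_dmarc(record)
    spf_ok = spf_pass and aligned(from_domain, spf_domain, tags["aspf"])
    dkim_ok = dkim_pass and aligned(from_domain, dkim_domain, tags["adkim"])
    if spf_ok or dkim_ok:
        return "pass"
    # Subdomain policy (sp=) applies when the From: domain is not the org domain itself.
    is_subdomain = org_domain(from_domain) != from_domain.lower()
    if is_subdomain and "sp" in tags:
        return tags["sp"]
    return tags["p"]


# Constructed record and scenarios for illustration only.
SAMPLE_RECORD = "v=DMARC1; p=reject; sp=quarantine; adkim=s; aspf=r; rua=mailto:dmarc@example.com"

if __name__ == "__main__":
    # Spoof: From: example.com, SPF passes only for the sender's own domain -> not aligned.
    print(evaluate(SAMPLE_RECORD, "example.com", True, "mailer.attacker.example", False, ""))
    # Legitimate: DKIM signature with d=example.com verifies -> aligned, pass.
    print(evaluate(SAMPLE_RECORD, "example.com", False, "", True, "example.com"))
```

The rua= tag is what turns Dmarc into a monitoring tool as well: receivers send aggregate reports to that address, so an organisation can see who is sending mail in its name before moving the policy from none to quarantine or reject.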
The email gateway should draw on advanced threat intelligence to inspect the entire attack chain using static and dynamic techniques, and it should constantly adapt to new threats, according to Proofpoint.
However, with each resurgence of Locky, the ransomware has continued to evolve to evade enterprise security defences, making it notoriously difficult to detect.
In the latest round of Locky ransomware campaigns that started around 9 August 2017, some Locky variants include sandbox evasion capabilities, according to security researchers at Malwarebytes Labs.
Malware authors have used booby trapped Office documents containing macros to retrieve their payloads for some time, but ordinarily, the code executes as soon as the user clicks the “Enable Content” button.
Sandboxes lower security settings
For analysis purposes, many sandboxes lower the security settings of various applications and enable macros by default, which allows for the automated capture of the malicious payload.
However, Malwarebytes researcher Marcelo Rivero discovered that some of the latest versions of Locky do not simply trigger by running the macro itself, but wait until the fake Word document is closed by the user before invoking a set of commands to download the ransomware and issue the ransom demand.
“While not a sophisticated technique, it nonetheless illustrates the constant cat and mouse battle between attackers and defenders. We ascertain that in their current form, the malicious documents are likely to exhibit a harmless behavior in many sandboxes while still infecting end users that would logically close the file when they realise there is nothing to be seen,” Rivero and colleague Jérôme Segura wrote in a blog post.
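The close-time trigger matters for two defensive controls: a sandbox must simulate closing the document as well as opening it, and static triage of extracted macro code must treat close-time entry points as seriously as AutoOpen. The Python below is an added example for this article, not code from Malwarebytes or its researchers: given VBA source already extracted from a document (for instance by an existing macro-extraction tool, which is assumed and not shown here), it reports which auto-execution procedures are present, whether any fire on close, and a few generic capability keywords worth a second look. The entry-point names are the documented Word and Excel auto-execution procedures; the keyword list is an assumption to extend locally, and the macro sample is constructed with a placeholder body.

```python
import re

# Auto-execution entry points for Word and Excel VBA projects.
AUTOEXEC_PROCS = {
    "autoopen", "document_open", "workbook_open", "auto_open",
    "autoclose", "document_close", "workbook_beforeclose", "auto_close",
    "autoexec", "autoexit", "autonew", "document_new",
}
# Subset that runs only when the user closes the document or application.
CLOSE_TIME_PROCS = {"autoclose", "document_close", "workbook_beforeclose",
                    "auto_close", "autoexit"}
# Generic capability indicators.  Assumption: extend for your own environment.
SUSPICIOUS_KEYWORDS = ("shell", "createobject", "wscript.shell",
                       "urldownloadtofile", "powershell")

PROC_RE = re.compile(
    r"^\s*(?:Private\s+|Public\s+)?(?:Sub|Function)\s+([A-Za-z_][A-Za-z0-9_]*)",
    re.IGNORECASE | re.MULTILINE,
)


def triage_vba(source):
    """Static triage of VBA source text.

    Returns a dict with the auto-exec procedures found, the close-time subset,
    any capability keywords present, and a flag telling the sandbox operator
    that detonation must include a document-close event to see the behaviour.
    """
    names = {m.group(1).lower() for m in PROC_RE.finditer(source)}
    lowered = source.lower()
    close_time = sorted(names & CLOSE_TIME_PROCS)
    return {
        "triggers": sorted(names & AUTOEXEC_PROCS),
        "close_time_triggers": close_time,
        "suspicious_keywords": sorted(k for k in SUSPICIOUS_KEYWORDS if k in lowered),
        "needs_close_event_in_sandbox": bool(close_time),
    }


def sandbox_events_for(source):
    """Which user actions a detonation run should simulate, based on static triage."""
    result = triage_vba(source)
    events = ["open", "enable_content"]
    if result["needs_close_event_in_sandbox"]:
        events.append("close")
    return events


# Constructed macro sample: the body is a placeholder, not a working downloader.
SAMPLE_CLOSE_TRIGGER = '''Private Sub Document_Close()
    ' constructed placeholder: nothing is downloaded or executed here
    Dim cmd As String
    cmd = "placeholder"
    Shell cmd, vbHide
End Sub
'''

SAMPLE_OPEN_ONLY = '''Sub AutoOpen()
    MsgBox "constructed benign macro"
End Sub
'''

if __name__ == "__main__":
    print(triage_vba(SAMPLE_CLOSE_TRIGGER))
    print(sandbox_events_for(SAMPLE_CLOSE_TRIGGER))
```

A sandbox that only simulates "open" and "Enable Content" would report the first sample as harmless, which is the evasion Rivero describes; the static triage catches the Document_Close entry point regardless of what the sandbox observed.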
Javvad Malik, security advocate at security firm AlienVault, said that in such a large-scale distribution of the malware, attackers are banking on the fact that many recipients would not have security controls in place to detect the malware and are unaware of the dangers of opening such attachments.
“It would only take a small fraction of the recipients to be infected for the attacker campaign to become profitable,” he said.