Maksim Samasiuk - Fotolia
Phishing campaign takes ransomware attacks to a global scale
Research has uncovered ransomware attacks hitting users around the globe that begin with a sophisticated phishing campaign.
A sophisticated phishing campaign has been gaining steam around the world and infecting its victims with ransomware, according to new research.
Researchers from security company ESET, based in Bratislava, Slovakia, reported in a blog post that they have found an increased number of malicious emails carrying malware from the Nemucod Trojan family. ESET said the emails are sophisticated and appear to be legitimate invoices, court appearance notices or other official documents.
If the target opens the ZIP archive attached to the email and runs the file inside, it unleashes a malicious JavaScript downloader, detected by ESET as JS/TrojanDownloader.Nemucod, which then downloads ransomware such as TeslaCrypt or Locky.
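The delivery pattern described above, a ZIP attachment whose payload is a script file dressed up as a document, is something a mail gateway can catch before the user ever double-clicks. The following is an added example written for this page, not ESET's detection logic or code from the campaign: it inspects a ZIP attachment's central directory without decompressing anything and blocks archives that contain script or executable entries, calling out the double-extension disguise (e.g. a `.pdf.js` name) and encrypted entries a scanner cannot look inside. The extension lists are an illustrative policy, and the two sample archives are constructed in memory with placeholder text, not captured malware.

```python
"""Gateway-side check for the Nemucod delivery pattern: a ZIP attachment
carrying a script file (JS/WSF/VBS/...) disguised as a document.

Example code written for this article; the extension policy below is an
assumption, and the sample archives are constructed placeholders.
"""
import io
import zipfile
from dataclasses import dataclass, field

# Extensions Windows hands to the Windows Script Host or the loader on double-click.
SCRIPT_EXTENSIONS = {".js", ".jse", ".wsf", ".wsh", ".vbs", ".vbe", ".hta",
                     ".cmd", ".bat", ".ps1", ".exe", ".scr"}
# Extensions a lure borrows to look like an invoice or court document.
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".rtf"}


@dataclass
class Verdict:
    block: bool
    reasons: list = field(default_factory=list)


def _extensions(name: str):
    """Return (last, second-to-last) extensions of a ZIP entry name, lowercased."""
    base = name.rsplit("/", 1)[-1].lower()
    parts = base.split(".")
    if len(parts) < 2:
        return None, None
    last = "." + parts[-1]
    second = "." + parts[-2] if len(parts) >= 3 else None
    return last, second


def inspect_zip_attachment(data: bytes) -> Verdict:
    """Decide whether a ZIP attachment should be blocked, reading only its
    central directory (no entry is decompressed, so a zip bomb costs nothing)."""
    verdict = Verdict(block=False)
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        # Not a ZIP at all; leave the decision to other scanners.
        verdict.reasons.append("not a valid ZIP archive")
        return verdict

    for info in zf.infolist():
        if info.is_dir():
            continue
        if info.flag_bits & 0x1:
            # General-purpose bit 0 set: entry is encrypted. A password-protected
            # attachment defeats content inspection, so it is blocked by policy here.
            verdict.block = True
            verdict.reasons.append(f"{info.filename}: encrypted entry, contents not inspectable")
            continue
        last, second = _extensions(info.filename)
        if last in SCRIPT_EXTENSIONS:
            verdict.block = True
            msg = f"{info.filename}: script/executable entry ({last})"
            if second in DOCUMENT_EXTENSIONS:
                msg += f", disguised with a document extension ({second})"
            verdict.reasons.append(msg)
    return verdict


def build_sample_zip(entries: dict) -> bytes:
    """Build an in-memory ZIP from {name: text}; used only to construct samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples (placeholder text, not real payloads). The first mimics
# the invoice lure with a JavaScript downloader hidden behind a .pdf extension.
MALICIOUS_SAMPLE = build_sample_zip({"Invoice_2016_03.PDF.js": "// placeholder, not a downloader\n"})
BENIGN_SAMPLE = build_sample_zip({"Invoice_2016_03.pdf": "%PDF-1.4 placeholder\n"})

if __name__ == "__main__":
    for label, sample in (("malicious", MALICIOUS_SAMPLE), ("benign", BENIGN_SAMPLE)):
        v = inspect_zip_attachment(sample)
        print(f"{label}: block={v.block} reasons={v.reasons}")
```

Because only the central directory is read, the check is cheap enough to run on every inbound archive; nested archives are not unpacked here, and a real gateway would want an explicit policy for those as well as for the encrypted case rather than quietly passing them through.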
ESET telemetry uses what it calls "prevalence levels" to indicate how often its systems have detected a certain piece of malware.
"The prevalence level is calculated taking into consideration the amount of detections that ESET users report to our servers," Josep Albors, security researcher for ESET, told SearchSecurity. "If a new malware propagation campaign gets detected by a high number of ESET users in a certain country, this raises the prevalence level in that country."
As of the time of this writing, ESET telemetry had detected the malicious downloader at prevalence levels between 30% and 60% over the past 24 hours in the U.S., Canada, western Europe and Japan. Looking at the past week and the past month, prevalence levels were slightly lower in most regions, except for Japan, where the prevalence of Nemucod was over 70% for the week.
"It indicates that the criminals behind these malware propagation campaigns are increasing their efforts to obtain benefits from the users that find their files encrypted, and forcing them to pay a ransom," Albors said. "That's why we have seen two big propagation campaigns of ransomware in a short period of time."
Stephen Gates, chief research analyst and principal engineer at DDoS protection firm NSFOCUS IB, said "having good system backups and other redundancies" in place makes the effects of ransomware attacks less damaging, but the phishing that delivers the malicious downloader is almost impossible to stop.
"People being duped by a phishing attack is nearly impossible to stop … as long as people continue to fall for their tactics. The only real defense is dealing effectively with the attack itself. Detection is the key," Gates said. "Once an unsuspecting employee clicks, defenses must be in place that block the piece of malware the attacker is trying to send to the user. Block the reply before it gets in."
Wade Williamson, director of threat analytics at Vectra Networks, said ransomware attacks have recently taken a dangerous turn.
"In addition to encrypting the hard drive of infected hosts, ransomware explores the network to find file shares and network drives, which can also be encrypted. This has shifted ransomware from a nuisance to a potentially debilitating attack that can freeze critical assets and intellectual property," Williamson said. "Virtually every network already has malware, and these infections are more than enough for a ransomware attack. A few spam-bots in your network may not seem like a big deal, but a few CryptoWall infections could bring business to a standstill."
Williamson agreed that being "fastidious about backup" could help mitigate the risk of ransomware attacks and said it can be dangerous for companies to pay the ransom when compromised.
"The biggest danger is that there is no real assurance that you will get what you pay for," Williamson said. "The payment is designed to be untraceable, so ultimately you have to trust a criminal who in essence has already gotten away with the crime. Obviously less than ideal."
Gates said it would be fair to assume that many organizations will pay the ransom and not report the attack, and said the dangers of this approach are simple: "If an attacker finds an attack vector that works, they will continue… and others will soon follow."