Phishing campaign takes ransomware attacks to a global scale

Research has uncovered ransomware attacks that begin with a sophisticated phishing campaign hitting users around the globe.

A sophisticated phishing campaign has been gaining steam around the world and infecting its victims with ransomware, according to new research.

Researchers from security company ESET, based in Bratislava, Slovakia, reported in a blog post that the company has found an increased number of infected emails carrying malware from the Nemucod Trojan family. ESET said the emails are sophisticated and appear to be legitimate invoices, notices of appearance in court or other official documents.

If the target opens the zipped file attached to the email, it will unleash a malicious downloader, JS/TrojanDownloader.Nemucod, which will then download ransomware, such as TeslaCrypt or Locky.
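A mail-gateway check of the kind that catches this delivery mechanism, written as an added example (not ESET's code or anything from the article): it opens a zipped attachment in memory and flags any member whose final extension belongs to a Windows script host, including decoy double extensions such as "invoice.pdf.js". The extension list and the sample archives are constructed for the example.

```python
import io
import zipfile

# Script-host extensions that a zipped downloader of the JS/TrojanDownloader
# kind relies on; the list is an assumption made for this example, not the
# article's or ESET's.
SCRIPT_EXTENSIONS = (".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta")


def risky_members(zip_bytes: bytes) -> list[str]:
    """Return the archive members a gateway should flag.

    Only the final extension matters, so "Invoice.pdf.js" is flagged even
    though the decoy ".pdf" sits in front of it.
    """
    flagged = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            if info.filename.lower().endswith(SCRIPT_EXTENSIONS):
                flagged.append(info.filename)
    return flagged


def should_quarantine(zip_bytes: bytes) -> bool:
    """Quarantine decision for one attachment; unreadable archives fail closed."""
    try:
        return bool(risky_members(zip_bytes))
    except zipfile.BadZipFile:
        return True


def build_sample(members: dict[str, bytes]) -> bytes:
    """Build an in-memory zip from constructed sample members (test data only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        for name, data in members.items():
            archive.writestr(name, data)
    return buf.getvalue()


# Constructed samples: a lure shaped like the campaign's zipped JS downloader
# and a benign invoice archive. The member bodies are placeholders.
LURE_ZIP = build_sample({"Invoice_0001.pdf.js": b"placeholder"})
BENIGN_ZIP = build_sample({"invoice.pdf": b"%PDF-1.4 placeholder"})

if __name__ == "__main__":
    print(risky_members(LURE_ZIP))        # ['Invoice_0001.pdf.js']
    print(should_quarantine(BENIGN_ZIP))  # False
```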

ESET telemetry uses what it calls "prevalence levels" to indicate how often its systems have detected a certain piece of malware.

"The prevalence level is calculated taking into consideration the amount of detections that ESET users report to our servers," Josep Albors, security researcher for ESET, told SearchSecurity. "If a new malware propagation campaign gets detected by a high number of ESET users in a certain country, this raises the prevalence level in that country."

As of the time of this writing, ESET telemetry had detected the malicious downloader at prevalence levels between 30% and 60% over the past 24 hours in the U.S., Canada, Western Europe and Japan. Looking at the past week and the past month, prevalence levels were slightly lower in most regions, except for Japan, where the prevalence of Nemucod was over 70% for the week.

"It indicates that the criminals behind these malware propagation campaigns are increasing their efforts to obtain benefits from the users [who] find their files encrypted, and forcing them to pay a ransom," Albors said. "That's why we have seen two big propagation campaigns of ransomware in a short period of time."

Stephen Gates, chief research analyst and principal engineer at distributed denial-of-service protection firm NSFOCUS IB, based in Santa Clara, Calif., said "having good system backups and other redundancies" in place makes the effects of ransomware attacks less damaging, but the phishing that would deliver the malicious downloader is almost impossible to stop.

"People being duped by a phishing attack is nearly impossible to stop ... as long as people continue to fall for their tactics. The only real defense is dealing effectively with the attack itself. Detection is the key," Gates said. "Once an unsuspecting employee clicks, defenses must be in place that block the piece of malware the attacker is trying to send to the user. Block the reply before it gets in."

Wade Williamson, director of threat analytics at Vectra Networks, based in San Jose, Calif., said ransomware attacks have recently taken a dangerous turn.

"In addition to encrypting the hard drive of infected hosts, ransomware explores the network to find file shares and network drives, which can also be encrypted. This has shifted ransomware from a nuisance to a potentially debilitating attack that can freeze critical assets and intellectual property," Williamson said. "Virtually every network already has malware, and these infections are more than enough for a ransomware attack. A few spambots in your network may not seem like a big deal, but a few CryptoWall infections could bring business to a standstill."

Williamson agreed that being "fastidious about backup" could help mitigate the risk of ransomware attacks, and said it can be dangerous for companies to pay the ransom when compromised.

"The biggest danger is that there is no real assurance that you will get what you pay for," Williamson said. "The payment is designed to be untraceable, so ultimately, you have to trust a criminal who, in essence, has already gotten away with the crime. Obviously, [it's] less than ideal."

Gates said it would be fair to assume that many organizations will pay the ransom and not report the attack, and said the dangers of this approach are simple. "If an attacker finds an attack vector that works, they will continue ... and others will soon follow."

Next Steps

Learn how to best mitigate ransomware as a service.

Learn about crypto ransomware hiding in ads on popular websites.

Learn the difference between ransomware and extortionware.


How does your organization protect against ransomware attacks?
You don't even need to be sophisticated in your phishing attempt. Still I see way too many users blindly click links and open emails. Until we can educate the masses or they get hit with it themselves and have to pay to get their data back, we will see it more and more often. Now if we can only instill the importance of regular backups.

I’m a big proponent of education, but even with education there’s still the risk due to a lack of mindfulness. Our company recently sent out a fake phishing email as part of our educational efforts. Many people that had been trained and knew better clicked the embedded link because they were distracted by something else.
1. More secure systems built anew from the ground up
2. Backup, backup, backup
3. Education, training, reviews, reeducation, more training.
