Maksim Samasiuk - Fotolia
A sophisticated phishing campaign has been gaining steam around the world and infecting its victims with ransomware, according to new research.
Researchers from security company ESET, based in Bratislava, Slovakia, reported in a blog post that the company has found an increased number of infected emails carrying malware from the Nemucod Trojan family. ESET said the emails are sophisticated and appear to be legitimate invoices, notices of appearance in court or other official documents.
If the target opens the zipped file attached to the email, it will unleash a malicious downloader, JS/TrojanDownloader.Nemucod, which will then download ransomware, such as TeslaCrypt or Locky.
ESET telemetry uses what it calls "prevalence levels" to indicate how often its systems have detected a certain piece of malware.
"The prevalence level is calculated taking into consideration the amount of detections that ESET users report to our servers," Josep Albors, security researcher for ESET, told SearchSecurity. "If a new malware propagation campaign gets detected by a high number of ESET users in a certain country, this raises the prevalence level in that country."
As of the time of this writing, ESET telemetry had detected the malicious downloader at prevalence levels between 30% and 60% over the past 24 hours in the U.S., Canada, Western Europe and Japan. Looking at the past week and the past month, prevalence levels were slightly lower in most regions, except for Japan, where the prevalence of Nemucod was over 70% for the week.
"It indicates that the criminals behind these malware propagation campaigns are increasing their efforts to obtain benefits from the users [who] find their files encrypted, and forcing them to pay a ransom," Albors said. "That's why we have seen two big propagation campaigns of ransomware in a short period of time."
Stephen Gates, chief research analyst and principal engineer at distributed denial-of-service protection firm NSFOCUS IB, based in Santa Clara, Calif., said "having good system backups and other redundancies" in place makes the effects of ransomware attacks less damaging, but the phishing that would deliver the malicious downloader is almost impossible to stop.
"People being duped by a phishing attack is nearly impossible to stop ... as long as people continue to fall for their tactics. The only real defense is dealing effectively with the attack itself. Detection is the key," Gates said. "Once an unsuspecting employee clicks, defenses must be in place that block the piece of malware the attacker is trying to send to the user. Block the reply before it gets in."
Wade Williamson, director of threat analytics at Vectra Networks, based in San Jose, Calif., said ransomware attacks have recently taken a dangerous turn.
"In addition to encrypting the hard drive of infected hosts, ransomware explores the network to find file shares and network drives, which can also be encrypted. This has shifted ransomware from a nuisance to a potentially debilitating attack that can freeze critical assets and intellectual property," Williamson said. "Virtually every network already has malware, and these infections are more than enough for a ransomware attack. A few spambots in your network may not seem like a big deal, but a few CryptoWall infections could bring business to a standstill."
Williamson agreed that being "fastidious about backup" could help mitigate the risk of ransomware attacks, and said it can be dangerous for companies to pay the ransom when compromised.
"The biggest danger is that there is no real assurance that you will get what you pay for," Williamson said. "The payment is designed to be untraceable, so ultimately, you have to trust a criminal who, in essence, has already gotten away with the crime. Obviously, [it's] less than ideal."
Gates said it would be fair to assume that many organizations will pay the ransom and not report the attack, and said the dangers of this approach are simple. "If an attacker finds an attack vector that works, they will continue ... and others will soon follow."
Learn about crypto ransomware hiding in ads on popular websites.