Please note: For privacy reasons, the identity of the hacked accounts in the examples used for this blog have been changed or hidden.
In last month’s email security education blog, we highlighted the impact of COVID-19 on the current threat landscape and how threat actors are taking advantage of users working from home who want to know more about the virus. Though this trend continues to rise, these are not the only campaigns you should be wary of. The SolarWinds® Mail Assure threat intelligence team continues to track the latest malicious campaigns threat actors use to exploit users.
These attacks include malware, ransomware, spoofing, and display name spoofing. Cybercriminals often use email as the delivery mechanism for attacks like these. All it takes is one click on a malicious link to download ransomware, illicit cryptomining software, or spyware onto an endpoint. From that first machine the attack can spread to others, potentially taking down the entire network and damaging the company’s reputation in the process.
MSPs are key targets for ransomware attacks because a compromised MSP gives threat actors a route into all of its clients. In fact, last year saw an MSP pay $150,000 in bitcoin for a ransomware recovery. In today’s blog, we will look at ransomware attacks delivered by email.
So, what is ransomware and what does it look like today?
Ransomware dates back to the 1980s and, although it has grown in sophistication, the cybercriminals’ main goal is still the same: financial gain. Ransomware is a form of malware that locks a computer, a system, or personal files and then demands a ransom payment before the user’s access is restored. Cybercriminals often threaten to delete the files or, in the case of larger companies, to publish sensitive information if the ransom is not paid.
Cybercriminals launch ransomware in several ways, including:
It is easy for cybercriminals to craft convincing fake messages. A popular method for launching ransomware is to include a malicious link in a phishing email that takes the user to a malicious site.
LINKS IN ATTACHMENTS
A common phishing scam involves fake attachments. The phishing email directs the user to open an attachment, for example to retrieve an invoice. The invoice itself contains a malicious link that leads to a phishing page asking the user to enter their credentials. Placing the link inside the attachment rather than in the message body is a way to get past filters that only inspect URLs in the body.
These scams typically use PDF, Word, or Excel attachments that claim to be important. When the user clicks the link in the attachment, it opens a phishing web page. In other cases, opening the attachment starts a ransomware download directly, or the victim is tricked into enabling macros in the document and the macro fetches and runs the ransomware.
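As an added example (not code from the original post or from Mail Assure), the following Python script shows the kind of static inspection a gateway can apply to the attachment types just described: it pulls link targets out of a PDF’s link annotations, flags PDF auto-actions, and detects a VBA project inside an Office document’s zip container. The sample PDF, the skeletal .docm, and the invoice-portal URL are all constructed here for the demonstration.

```python
import io
import re
import zipfile

# Constructed sample attachments (assumed names and URLs, not real malware):
# a minimal PDF whose only content is a link annotation pointing at a fake
# "invoice portal" login page, and a minimal macro-enabled Word container.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R] >> endobj\n"
    b"4 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 100 20]\n"
    b"   /A << /S /URI /URI (http://invoice-portal.example/login) >> >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)


def build_docm(with_macro: bool) -> bytes:
    """Build a skeletal OOXML container; with_macro adds the vbaProject.bin part
    that Word uses to store VBA macros (the content here is a placeholder)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            z.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0placeholder")
    return buf.getvalue()


# Literal /URI strings in uncompressed objects. Real scanners must also inflate
# FlateDecode object streams and handle hex-string (<...>) URIs.
PDF_URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")
# Names that make a PDF do something on open rather than wait for a click.
PDF_AUTO_RE = re.compile(rb"/JavaScript|/JS\b|/OpenAction|/Launch")


def inspect_pdf(data: bytes) -> dict:
    """Return link targets found in the PDF and whether it carries an auto-action."""
    links = [m.group(1).decode("latin-1") for m in PDF_URI_RE.finditer(data)]
    return {"links": links, "auto_action": bool(PDF_AUTO_RE.search(data))}


def inspect_office(data: bytes) -> dict:
    """Detect a VBA project inside an OOXML (docx/docm/xlsx/xlsm) zip container."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            names = z.namelist()
    except zipfile.BadZipFile:
        return {"ooxml": False, "has_macro": False}
    has_macro = any(n.lower().endswith("vbaproject.bin") for n in names)
    return {"ooxml": True, "has_macro": has_macro}


def classify_attachment(filename: str, data: bytes) -> list:
    """Return findings for one attachment; an empty list means nothing suspicious."""
    findings = []
    if data.startswith(b"%PDF"):
        result = inspect_pdf(data)
        for url in result["links"]:
            findings.append(f"pdf link to {url}")
        if result["auto_action"]:
            findings.append("pdf contains automatic action or JavaScript")
    elif data[:2] == b"PK":
        result = inspect_office(data)
        if result["has_macro"]:
            findings.append("office document contains VBA macros")
            # A macro-free extension hiding a VBA project is a classic mismatch.
            if filename.lower().endswith((".docx", ".xlsx")):
                findings.append("macro-free extension but macros present")
    return findings


if __name__ == "__main__":
    for name, blob in [("invoice.pdf", SAMPLE_PDF),
                       ("invoice.docm", build_docm(True)),
                       ("report.docx", build_docm(False))]:
        print(name, "->", classify_attachment(name, blob) or "clean")
```

The regex-based PDF check only sees uncompressed objects; a production scanner must inflate FlateDecode object streams, handle hex-string URIs, and then resolve each extracted URL against reputation data. The macro check is a presence check, not a behavioral one: a document that carries vbaProject.bin still needs sandbox detonation or an oletools-style analysis to learn what the macro actually does.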
While some crude ransomware can be removed by a knowledgeable user without paying, other forms use advanced techniques such as cryptoviral extortion. This type of extortion encrypts a victim’s files and demands a ransom payment for the key needed to decrypt them and make them accessible again. When properly implemented by threat actors, recovering files from a cryptoviral extortion attack without the decryption key is infeasible, which is why tested offline backups remain the most reliable recovery path.

Today, cybercriminals usually demand payment in cryptocurrency, with credit card payments appearing less often. Cryptocurrency helps cybercriminals maintain a level of anonymity: the blockchain, which is the name used for a cryptocurrency’s public ledger, tracks ownership by hashes of public keys instead of individuals’ names. That anonymity is only partial, however. Every transaction is public, so payments can be traced from address to address, and that is what allows investigators to attribute wallets to ransomware campaigns.

The example below shows a threat actor claiming to have hacked a victim’s website. It is evident that the message comes from cybercriminals; what is not evident is whether their claims are true. Industry experts advise the public not to act directly on emails like this one.
Bitcoin became popular when CryptoLocker appeared in 2013, and it has since become the preferred payment method for ransomware operators. The FBI states that over $140 million has been paid into ransomware operators’ bitcoin wallets over the past six years. This shows how profitable these campaigns are for cybercriminals.
Some of the top recent ransomware and extortion email subject lines include (note the look-alike characters such as ¡ and ø in the first one, used to slip past keyword filters):
- Subject: H¡gh level of r¡sk. Your account has been hacked. Change yøur passwørd.
- Subject: ***SPAM*** I GOT EVERYTHING!
- Subject: RE: Take Notice Your Device Was Infected!!!
- Subject: At Your Notice [email protected]
- Subject: Mail delivery failed
- Subject: Delivery Status Notification (Failure)
Email continues to be a primary attack vector. The fear of losing sensitive information, or of seeing personal photos or videos made public, is what makes users vulnerable to these lures. To prevent email attacks, add multiple layers of protection to your email infrastructure. An email gateway designed for security can reduce spam levels, catch phishing, and block malware, ransomware, and other email-borne threats before they reach the inbox.
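To make the gateway checks above concrete, here is an added Python example (not code from the original post or from any SolarWinds product) that applies two of them to constructed sample messages: detecting display name spoofing by parsing the From header, and catching the look-alike characters and lure phrases used in the extortion subject lines listed above. The domains, addresses, and the small confusables table are assumptions for the demonstration.

```python
import unicodedata
from email import message_from_string
from email.utils import parseaddr

# Assumed: the protected tenant domain. All addresses below are fabricated.
PROTECTED_DOMAIN = "corp.example"

# Constructed sample messages (headers only; the bodies are irrelevant here).
SAMPLES = [
    # Display-name spoofing: the human-readable name is itself an address on the
    # protected domain, while the real sender is a free-mail account.
    'From: "ceo@corp.example" <ceo.corp.example@mail-free.example>\n'
    'Subject: Urgent: wire transfer\n\nbody\n',
    # Extortion lure padded with look-alike characters to dodge keyword filters.
    'From: Security <alerts@random-host.example>\n'
    'Subject: H\u00a1gh level of r\u00a1sk. Your account has been hacked. '
    'Change y\u00f8ur passw\u00f8rd.\n\nbody\n',
    # Benign internal mail.
    'From: Alice Example <alice@corp.example>\n'
    'Subject: Q2 planning notes\n\nbody\n',
    # Name-only spoofing: the display name borrows the company name, the address does not.
    'From: "Corp Example IT Support" <helpdesk@mail-free.example>\n'
    'Subject: Password expiry\n\nbody\n',
]

# Hand-picked look-alikes that NFKD cannot fold to ASCII (Latin and Cyrillic).
# A gateway would load the full Unicode confusables table instead.
CONFUSABLES = {
    "\u00a1": "i", "\u00f8": "o", "\u0131": "i",                 # ¡ ø ı
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",  # Cyrillic а е о р
}

# Phrases taken from the extortion subject lines listed in the post.
LURE_PHRASES = (
    "account has been hacked",
    "change your password",
    "i got everything",
    "device was infected",
)


def normalize_text(s: str) -> str:
    """Fold accents and known look-alikes so keyword matching sees plain ASCII."""
    s = unicodedata.normalize("NFKD", s)
    s = "".join(CONFUSABLES.get(c, c) for c in s)
    s = "".join(c for c in s if not unicodedata.combining(c))
    return s.lower()


def analyze(raw: str) -> list:
    """Return findings for one raw message; an empty list means nothing matched."""
    msg = message_from_string(raw)
    findings = []

    display, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rpartition("@")[2].lower()

    # Display-name spoofing: an address embedded in the name whose domain
    # differs from the domain of the address that will actually receive replies.
    _, embedded = parseaddr(display)
    if "@" in embedded:
        embedded_domain = embedded.rpartition("@")[2].lower()
        if embedded_domain != sender_domain:
            findings.append(
                f"display name impersonates {embedded}, "
                f"actual sender domain is {sender_domain}")
    # Name-only spoofing: crude substring match on the company name; a real
    # gateway would compare against a list of protected display names.
    elif (PROTECTED_DOMAIN.split(".")[0] in normalize_text(display)
          and sender_domain != PROTECTED_DOMAIN):
        findings.append(
            f"display name invokes {PROTECTED_DOMAIN} but sender domain is {sender_domain}")

    subject = msg.get("Subject", "")
    confusable_count = sum(1 for c in subject if c in CONFUSABLES)
    if confusable_count:
        findings.append(f"subject uses {confusable_count} confusable characters")
    normalized = normalize_text(subject)
    for phrase in LURE_PHRASES:
        if phrase in normalized:
            findings.append(f"subject matches lure '{phrase}'")
    return findings


if __name__ == "__main__":
    for raw in SAMPLES:
        print(raw.splitlines()[1], "->", analyze(raw) or "clean")
```

Neither check replaces SPF, DKIM, and DMARC: display name spoofing works precisely because those protocols authenticate the address, not the name a mail client shows next to it, so the name-level heuristics here are a second layer on top of authentication, not a substitute for it.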
While an email security solution is essential, teaching users to be on guard against potential threats also makes a major difference. Hold regular security training sessions with your customers to emphasize what to look for in a potentially malicious email.
If you’d like to learn more about how you can protect your email from ransomware and other email-borne threats, please contact us.
Mia Thompson is product marketing manager, Mail Assure, at SolarWinds MSP.