Cyber security researchers are urging businesses to prepare for ransomware attacks after the discovery of a massive cyber attack campaign
Businesses should ensure employees are aware of the dangers of email attachments in the light of evidence of large scale ransomware distribution campaigns.
On 28 August, more than 23 million email messages were sent in just 24 hours with malicious attachments containing variants of the Locky ransomware, according to researchers at AppRiver.
As a first line of defence, businesses are urged to inform employees of the ransomware risks associated with email attachments.
Businesses are advised to pay particular attention to raising awareness among employees who have access to sensitive data with high business impact.
In the second quarter of 2017, ransomware was the most popular form of malware, with 68% of all malicious email messages bearing some variant of ransomware, according to security firm Proofpoint.
In particular, email recipients should be wary of any attachments to email with the subject such as: please print, documents, photo, images, scans, pictures, and payment.
Some of the latest Locky campaings send emails appearing to be from the targeted organisationís scanner, printer or other legitimate source, warns Comodo Threat Intelligence Lab.
The latest versions of the Locky ransomware are typically downloaded by a Visual Basic Script file in a ZIP file nested in another ZIP file as soon as the attachment is clicked.
Locky then encrypts all files on the system before instructing the victim to install the TOR browser and visit a .onion (Darkweb) site to process payment of .5 Bitcoins worth around $2,150.
Once the ransom payment is made the attackers promise a redirect to the decryption service, but the consensus among law enforcement and security industry representatives is to advise against payment because there is no guarantee the files will be decrypted or that the attackers will not strike again.
As there are currently no publicly shared methods to reverse the latest Locky variants, security researchers say employee awareness is paramount.
As a second line of defence, businesses are advised to ensure they have systems in place that can block spoofed emails and detect new variants of malware such as advanced analysis at the email gateway.
However, with each resurgence of Locky, the ransomware has continued to evolve to evade enterprise security defences, making it notoriously difficult to detect.
In the latest round of Locky ransomware campaigns that started around 9 August 2017, some Locky variants include sandbox evasion capabilities, according to security researchers at Malwarebytes Labs.
Malware authors have used booby trapped Office documents containing macros to retrieve their payloads for some time, but ordinarily, the code executes as soon as the user clicks the ìEnable Contentî button.
Sandboxes will not help the cyber security risks
For analysis purposes, many sandboxes lower the security settings of various applications and enable macros by default, which allows for the automated capture of the malicious payload.
However, Malwarebytes researcher Marcelo Rivero discovered that some of the latest versions of Locky do not simply trigger by running the macro itself, but wait until the fake Word document is closed by the user before it starts to invoke a set of command to download the ransomware and issue the ransom demand.
‘While not a sophisticated technique, it nonetheless illustrates the constant cat and mouse battle between attackers and defenders. We ascertain that in their current form, the malicious documents are likely to exhibit a harmless behavior in many sandboxes while still infecting end users that would logically close the file when they realise there is nothing to be seen,’ Rivero and colleague JÈrÙme Segura wrote in a blog post.