Latest Ransomware Attacks: End of Year Payments
End of Year Themed Ransomware Attacks
As we get closer to year end, a lot of financial transactions are being processed. This can include everything from new sales to companies sorting out maintenance contracts for the year ahead.
Cyber criminals are exploiting the fact that employees are under pressure to close accounts out. In recent days we have noticed an increase in the latest Ransomware attacks which have an end of year theme.
The image below shows a typical example; some details have been blanked out because the email used spoofed information associated with an unrelated company. The attachment name is suspicious, but some automated billing systems generate files like this, so the recipient may think it is legitimate.
The author of this email knows that finance departments are both very busy and keen to process as many year-end payments as possible. The language creates a sense of urgency by stating that extra costs could be added. The recipient is directed towards the Word attachment, which is described as some sort of report.
The Word file contains an embedded binary that runs once the recipient opens the attachment. This binary infects the local computer and then encrypts local files and/or files hosted on network shares.
If you do end up with an infected computer on your network, quickly verify that no other infected PCs are active. Ransomware infections can spread quickly, and there is little point in restoring from backups if an infected client simply re-encrypts the files once they are restored.
Preventing Ransomware Attacks
- Inform your users to never open attachments or embedded links in emails unless they know with 100% certainty that they are safe. If people ignore this advice you may need to consider blocking attachments to all email recipients. Attachments that need to be sent in could be forwarded to a special mailbox.
- Make sure you are backing up all important files and check that these backups are working. Make sure network users are not storing important data locally on their computers.
- Keep all applications and operating systems up to date. Some Ransomware variants exploit known bugs and security vulnerabilities.
- Make sure you have some form of network forensics system in place. You need to be able to track down infected hosts quickly if Ransomware gets into your network. You should not rely on firewalls or other edge devices as new Ransomware variants are appearing on a daily basis.
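As an added example (not code from the original post), the Python script below sketches the kind of network-forensics check the last point calls for: it scans file-server audit records and flags any client host that renames many files to a new extension within a short window, the footprint an encrypting client leaves on a share, so that host can be isolated before anything is restored from backup. The log format, host names, paths and threshold are all constructed assumptions for this example.

```python
"""Flag hosts that rename many files on a share to a new extension in a short
burst, the pattern an encrypting ransomware client leaves in file-server logs."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import os

# Constructed sample audit records (hypothetical format):
# "<ISO time> <client host> RENAME <old path> -> <new path>"
SAMPLE_LOG = """\
2015-12-14T09:00:01 ws-finance-07 RENAME /accounts/invoices/nov.xlsx -> /accounts/invoices/nov.xlsx.locked
2015-12-14T09:00:01 ws-finance-07 RENAME /accounts/invoices/dec.xlsx -> /accounts/invoices/dec.xlsx.locked
2015-12-14T09:00:02 ws-finance-07 RENAME /accounts/contracts/maint.docx -> /accounts/contracts/maint.docx.locked
2015-12-14T09:00:02 ws-finance-07 RENAME /accounts/contracts/sla.pdf -> /accounts/contracts/sla.pdf.locked
2015-12-14T09:00:03 ws-finance-07 RENAME /accounts/reports/q4.xlsx -> /accounts/reports/q4.xlsx.locked
2015-12-14T09:05:30 ws-sales-02 RENAME /sales/draft.docx -> /sales/final.docx
2015-12-14T09:12:10 ws-sales-02 RENAME /sales/notes.txt -> /sales/notes.md
2015-12-14T09:40:00 ws-sales-02 RENAME /sales/old.xlsx -> /sales/old_v2.xlsx
"""

def parse_line(line):
    """Return (time, host, old_path, new_path), or None for non-rename records."""
    parts = line.split(" ", 3)
    if len(parts) < 4 or parts[2] != "RENAME" or " -> " not in parts[3]:
        return None
    old, new = parts[3].split(" -> ", 1)
    return datetime.fromisoformat(parts[0]), parts[1], old, new

def find_encrypting_hosts(log_text, window=timedelta(seconds=60), threshold=5):
    """Return {host: (burst size, sorted affected directories)} for every host
    that performed at least `threshold` extension-changing renames within `window`."""
    recent = defaultdict(deque)   # host -> timestamps of suspicious renames in window
    dirs = defaultdict(set)       # host -> directories touched by those renames
    flagged = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, host, old, new = rec
        # An ordinary rename keeps the extension; an encryptor appends or replaces it.
        if os.path.splitext(old)[1] == os.path.splitext(new)[1]:
            continue
        q = recent[host]
        q.append(ts)
        while q and ts - q[0] > window:   # drop events that fell out of the window
            q.popleft()
        dirs[host].add(os.path.dirname(new))
        if len(q) >= threshold:
            flagged[host] = (len(q), sorted(dirs[host]))
    return flagged

if __name__ == "__main__":
    for host, (n, where) in find_encrypting_hosts(SAMPLE_LOG).items():
        print(f"isolate {host}: {n} extension-changing renames within 60s under {where}")
```

A single one-off extension change (as ws-sales-02 shows) stays below the threshold, so only the bursting host is reported.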
Do you have any experiences with Ransomware attacks? Comments welcome.