The run-up to the holiday season is the busiest time of the year for eCommerce merchants. Purchases skyrocket as shoppers seek the perfect gifts for family and friends. Most purchases are made with credit cards, creating a powerful psychological hook on which to hang malware distribution attacks.
Ransomware distribution is a devious and increasingly common use of spam. It's a subspecies of the malware-distributing spam you've probably seen a thousand times before.
A spam email contains an innocuous-looking attachment or link which, when opened, either exploits a known vulnerability or tricks the user into running a small script. Either way, the result is a malware dropper, which then downloads and installs whichever malware the attacker desires.
With ransomware, the aim is to encrypt files on the infected machine, often while also collecting user information such as social media credentials and banking access data. The malware then displays a notification or changes the desktop background to demand a "ransom" in return for the key to decrypt the files. The ransom demand is often a red herring: the malware has already got what it wanted, but it will still happily record any credit card details you're willing to supply during payment and resell those on the dark web as well.
Security researchers have occasionally recovered files by finding flaws in a particular ransomware family's cryptography, but that's rare. Users should assume that if their machine is infected with ransomware, the only way to get the files back is to pay or to restore from a backup, if one exists. Bear in mind that ransomware commonly encrypts mapped network drives and attached storage as well, so a backup only helps if it is kept offline or otherwise out of the malware's reach.
Microsoft recently reported that spammers were using the holiday season to apply social engineering that persuades shoppers to install the Cerber ransomware program.
Victims received emails claiming that a charge had been applied to their credit card. The charge was fictional, and naturally the victim wants to see the details to find out why they've been charged for something they didn't buy.
Each spam email contained a password-protected file with "details" of the charge. In reality, it contained a small piece of code that would download and install the ransomware. The payload was password-protected because a mail gateway or antivirus scanner cannot open an encrypted archive to inspect its contents, so it cannot identify the threat. The password was sent in the email body along with the social engineering content, so only the human victim could open the file.
Spam isn't the only vector for ransomware, but it's an effective one, which means spammers are constantly seeking new ways to send their ransomware-laden spam.
Often, that means compromised web hosting accounts and content management systems, the spammers' favorite resource. Mailbox providers are extremely proactive when it comes to protecting their users from this sort of attack, because ransomware is a high-impact attack that can do serious damage to individuals and to businesses.
If an account on your network is launching ransomware spam onto the internet, there’s a significant chance your IPs will be put on email blacklists, preventing even legitimate email from being delivered.
Clearly, the best course of action is to make sure there are no compromised hosting, CMS, or email accounts on your network, but that’s easier said than done, especially when updates and security are under the control of users, not the network’s admins.
Defense-in-depth is the right approach to preventing outbound spam. Scanning outbound mail can filter out ransomware spam before it reaches the open internet, protecting your network's reputation and its ability to get email delivered.
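The password-protected lure described earlier and the outbound scanning recommended here can be tied together in one simple filter rule: flag any message whose attachment is an encrypted ZIP and whose body hands the recipient the password. The following is an added example, not code from the original article or from any mail vendor. It builds a constructed sample of the "your card was charged" email, marks the attachment as encrypted by setting the ZIP encryption flag by hand (the Python standard library cannot write truly encrypted archives), and scores the message. The sender and recipient addresses, the subject, the password phrasing matched by the regex and the scoring logic are all assumptions for illustration.

```python
"""Outbound-mail heuristic: flag messages that carry an encrypted ZIP
attachment together with the archive password in the message body.
Added example; the addresses, subject and password phrasing are invented."""
import io
import re
import struct
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Matches "password is xyz" / "password: xyz" as used in the lure body (assumed phrasing).
PASSWORD_HINT = re.compile(r"\bpassword\b\s*(?:is|:)\s*\S+", re.IGNORECASE)


def zip_is_encrypted(data: bytes) -> bool:
    """True if any member has the encryption flag (bit 0 of the general-purpose
    flag field) set in the central directory. Non-ZIP input is treated as not encrypted."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(info.flag_bits & 0x1 for info in zf.infolist())
    except zipfile.BadZipFile:
        return False


def score_message(raw: bytes) -> dict:
    """Parse an RFC 5322 message and report which indicators were found."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    body_text = ""
    encrypted_zip = False
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        filename = (part.get_filename() or "").lower()
        if part.get_content_type() == "text/plain" and not filename:
            body_text += part.get_content()
        elif part.get_content_type() == "application/zip" or filename.endswith(".zip"):
            if zip_is_encrypted(part.get_payload(decode=True)):
                encrypted_zip = True
    password_in_body = bool(PASSWORD_HINT.search(body_text))
    return {
        "encrypted_zip": encrypted_zip,
        "password_in_body": password_in_body,
        # Block only when both indicators are present: an encrypted archive on
        # its own is common in legitimate mail; the password in the body is the tell.
        "block": encrypted_zip and password_in_body,
    }


def make_zip(name: str, content: bytes, encrypted: bool) -> bytes:
    """Build a small ZIP in memory. zipfile cannot write encrypted archives, so for
    the 'encrypted' case the encryption bit is set by hand in both the local file
    header and the central directory (the member bytes stay in the clear; only the
    flag matters to the detector above). Constructed test data, not a real sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(name, content)
    data = bytearray(buf.getvalue())
    if encrypted:
        # Local file header: signature PK\x03\x04, version(2), then flags at offset 6.
        assert data[:4] == b"PK\x03\x04"
        struct.pack_into("<H", data, 6, struct.unpack_from("<H", data, 6)[0] | 1)
        # Central directory header: signature PK\x01\x02, two version fields, flags at offset 8.
        cd = data.find(b"PK\x01\x02")
        struct.pack_into("<H", data, cd + 8, struct.unpack_from("<H", data, cd + 8)[0] | 1)
    return bytes(data)


def build_sample(encrypted: bool, with_password: bool) -> bytes:
    """Constructed message modelled on the 'card charged' lure in the article."""
    msg = EmailMessage()
    msg["From"] = "billing@example.com"  # placeholder sender
    msg["To"] = "victim@example.net"     # placeholder recipient
    msg["Subject"] = "Your card was charged $312.47"
    body = "A charge has been applied to your credit card. The details are attached."
    if with_password:
        body += "\nThe archive password is 6789."
    msg.set_content(body)
    msg.add_attachment(make_zip("details.js", b"// dropper script", encrypted),
                       maintype="application", subtype="zip",
                       filename="charge-details.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    print(score_message(build_sample(encrypted=True, with_password=True)))
```

In a real gateway this rule would be one signal among several (sender reputation, rate of similar messages from one account, attachment script extensions inside the archive once it is opened), but on its own it already catches the exact pattern the article describes without needing the payload's signature.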