Ransomware: New Virus in Our Personal Computer

According to research by SophosLabs, cybercriminals are targeting their ransomware attacks more and more effectively, varying the attacks by region to make it more likely that even well-informed users will fall for the scam.

Emails delivering ransomware, for example, are often written in the local language, with good spelling and grammar, and use local brands and logos to make them more believable.

“Most ransomware arrives in booby-trapped files attached to emails. These days, many organisations use their email filters to discard program files sent in by email, because they are very frequently dangerous, and there is almost no business case for allowing them,” said Harish Chib, vice-president for Middle East and Africa at SophosLabs.

Moreover, he said that ransomware attacks always avoid sending in programs (executable files) directly, instead claiming to be documents containing invoices, requests for quotations and other types of correspondence that are bread and butter for the average organisation.

After all, documents are supposed to be opened and looked at — how else to decide what attention they need?

He said that these days ransomware commonly arrives in JavaScript files that pretend to be documents. This sounds like a strange disguise, because JavaScript files are usually associated with web browsing, not with emailed documents, and they have the extension .JS, which will seem unfamiliar to many users.

However, Windows hides the extensions of known file types by default, so that a file named Invoice.PDF.JS will actually show up as Invoice.PDF. Worse still, the Windows icon for JavaScript files is a scroll of paper with script written on it, reinforcing the impression that the user really is looking at an innocent document.

Unfortunately, when JavaScript is saved into a file and then opened outside the browser, it doesn’t run inside the protected “sandbox” of the browser. The browser’s sandbox prevents JavaScript programs from reading and writing files on the hard disk or across the network, but those restrictions don’t apply when Windows runs JavaScript files directly.
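The disguise described above can be modelled and checked at the mail gateway. The following is an added example, not code from the article or from SophosLabs: it simulates what a user sees when Windows hides the final extension, then flags attachments that Windows Script Host would run if double-clicked, putting the "document-looking" ones first. The list of script extensions and the rule that only the last known extension is hidden are the author's simplifying assumptions, and the attachment names are constructed samples.

```python
"""Added example (not from the article or SophosLabs): model the
Invoice.PDF.JS filename disguise and flag such attachments at a mail filter.

Assumptions: Windows hides only the last, known extension when "Hide
extensions for known file types" is on (a simplification), and the script
extensions listed are ones Windows Script Host runs outside the browser sandbox.
"""
import os
from typing import List, NamedTuple

# Extensions Windows Script Host executes directly (assumed set, no sandbox).
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf"}
# Extensions that look like harmless correspondence and are used as bait.
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".rtf"}


class Verdict(NamedTuple):
    filename: str       # name as it arrives in the email
    shown_as: str       # what the user sees with extensions hidden
    real_type: str      # real (last) extension, lower-cased
    is_script: bool     # would run under Windows Script Host if opened
    is_disguised: bool  # script whose visible name ends in a document extension


def displayed_name(filename: str) -> str:
    """Simulate Windows hiding the final extension of a known file type."""
    stem, ext = os.path.splitext(filename)
    if ext.lower() in SCRIPT_EXTENSIONS | DOCUMENT_EXTENSIONS:
        return stem  # "Invoice.PDF.JS" is shown as "Invoice.PDF"
    return filename


def classify_attachment(filename: str) -> Verdict:
    """Classify one attachment name by its real type and its visible bait."""
    real_ext = os.path.splitext(filename)[1].lower()
    shown = displayed_name(filename)
    is_script = real_ext in SCRIPT_EXTENSIONS
    # The visible name's own "extension" is the bait, e.g. ".PDF" in Invoice.PDF
    bait_ext = os.path.splitext(shown)[1].lower()
    disguised = is_script and bait_ext in DOCUMENT_EXTENSIONS
    return Verdict(filename, shown, real_ext, is_script, disguised)


def attachments_to_block(filenames: List[str]) -> List[Verdict]:
    """Policy from the article: discard every script attachment outright.
    Returns the blocked verdicts with the disguised ones listed first."""
    verdicts = [classify_attachment(f) for f in filenames]
    blocked = [v for v in verdicts if v.is_script]
    return sorted(blocked, key=lambda v: not v.is_disguised)


# Constructed sample attachment names, not real campaign samples.
SAMPLE_ATTACHMENTS = [
    "Invoice.PDF.JS",
    "Quotation_2024.docx",
    "update.js",
    "Report.pdf",
    "order.txt.vbs",
]

if __name__ == "__main__":
    for v in (classify_attachment(f) for f in SAMPLE_ATTACHMENTS):
        print(f"{v.filename:22} shown as {v.shown_as:16} "
              f"script={v.is_script} disguised={v.is_disguised}")
```

Run as a script it prints one line per sample; `attachments_to_block` is the piece a gateway would call, and because it blocks on the real extension rather than on the visible name, a plain `update.js` is blocked just as the disguised `Invoice.PDF.JS` is.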

“A malicious JavaScript attachment, saved from an email and opened directly in Windows, may connect to a predetermined website and download a ransomware program that forms the second stage of the attack, or may be ransomware in its own right,” Chib said.

For example, a recent malware family known as RAA consists entirely of JavaScript. Despite its innocent name and an icon that makes it look like a document, the RAA ransomware not only scrambles and locks your files before demanding money, but also downloads and installs a second item of malware known as Pony.

The Pony malware is a well-known password stealer, so the criminals not only get to extort money through the ransomware component, but also to sniff out passwords that they can use for later attacks, or sell on to other criminals in the cyber underground.

Attacks such as ransomware often pass through many security checkpoints, such as email filters, endpoint protection and more. Traditionally, however, these products have worked independently, reflecting the fact that, in many organisations, each part of the network is managed and secured separately.

Unfortunately, he said, this can lead to a situation that is rather like a hospital where the patients can’t talk to the doctors, the doctors can’t talk to the nurses, and the nurses can’t talk to the patients.

“When it comes to protecting networks against malware, detection and remediation can be improved greatly if there is coordinated communication and interaction between the various security layers,” he said.