Computer Security Technology Ltd

+44 (0)20 7621 7836 LinkedInTwitter

+44 (0)20 7621 7836 CSTL LinkedInCSTL Twitter

May 15, 2016

Ransomware works – that’s why criminals to use it

Criminals have no need to devise new tricks while users continue to fall foul of ransomware - a particular type of malicious software, or malware, designed to block access to a computer system until a sum of money is paid.

Ransomware is still highly popular amongst cybercriminals, because users continue to fall into their not-so-carefully-crafted traps.

Security researchers discover more than 100,000 new malware variants every single day – indeed, it can be difficult to keep up. However, it seems that all this innovation is going to waste, as users are still vulnerable to the tried and tested methods of yesterday. In particular, people cannot resist clicking on an email attachment, even if they have no idea what it contains or who it’s from.

Do not open suspicious-looking email attachments

Curiosity killed the cat or, in these cases, the computer. The criminals depend on the recipients of their emails opening an innocent-looking attachment, which actually contains a malicious script. Soon after, the user’s files will be encrypted and they’ll be asked to pay a fee to release them.

Naturally, these campaigns don’t last long, as the criminals will want to avoid being detected and will attempt to achieve this by changing the malware slightly. Unfortunately, a proportion of victims will pay these criminals to get their files back safely, and so these attacks continue.

Some criminals are craftier than others – the emails they create are carefully written and sent out to one or two people within a company. While these have a greater chance of fooling the recipient, emails that are sent out to thousands of people across the world and make hardly any effort to encourage the recipients to open them do still work.

Avoid becoming a victim of ransomware

There are three simple measures that all users should be taking in order to avoid becoming a victim of ransomware and other malicious software.

First of all, you should implement an email filtering software to sift out the majority of dodgy emails and their attachments. Secondly, stop opening suspicious files from email addresses you do not recognise. Third of all, you should install an anti-virus solution and keep it up to date – not doing the latter could mean newer malware slips through the net.

The key is undoubtedly to be extra vigilant, revisit and tweak existing defences to ensure they are optimised and maybe consider advanced detection to deal with these new threats.

Similarly we have observed a spike in email threats that don’t have an overt payload, making it almost impossible for Antivirus scanner to detect. Here’s a walkthrough of one such recent threat:

An email is sent with a subject line “URGENT - Statement of Account - Invoice overdue”. It has an attachment that’s a spreadsheet, the spreadsheet looks to be list of invoices that have nothing to do with the recipient or their business. Thinking it’s a simple mistake the email is closed and forgotten. However, the spreadsheet contained a simple macro to make a web call to a legitimate web site and download a file. The download is undertaken using HTTPS (TLS) to encrypt the communication and bypass gateway content controls. Worth noting is that the legitimate web site has been compromised without the Web Master of the site realising they are now harbouring such content and hence web site categorisation lists used to ensure safe browsing are made worthless.

So why was the spreadsheet not blocked by the email anti-malware scanner? Because it did not actually contain malware, rather it had a macro that is legitimately supported in most MS applications. In Summary, a dangerous file has now bypassed email and web perimeter controls and has been delivered to the endpoint. The result is that the last line of protection depends on the endpoint defence being robust and adequate (reasons why it may not be: does the endpoint have AV, is it active, is it optimised to detect advanced threats, are the signature library is up-to-date). Disturbingly, even if these controls are all in place, if the payload file is a variant such as non-replicating utility that encrypts files, then the AV scanner can mistakenly deem the file as legitimate rather than a threat. The final chapter of this walk through, is that at some later time the original recipient receives a message stating that their files been encrypted, and they need to make a bit-coin payment ransom payment!

Do you want to know more about these and similar risks, and what you can do to protect against them? Please call or email us: or tel 020 7621 7836.

CST awarded ‘Cyber Essentials Plus’ certification body status - we can help you achieve Cyber Defence recognition.
Cyber Essentials aims to help organisations implement fundamental levels of protection against cyber-attack, demonstrating to their customers that they take cyber security seriously. We can assist with the advice, and can undertake assessment to award you Cyber Essentials plus certification.