How to Spot a Phish: Ransomware

Phishing has no limits. Everyone that uses email to communicate will at some point be the recipient of a phishing email. In the spot a phish series we'll be taking a closer look at some phishing lures to help you mentally prepare for these attacks before they hit your inbox. 

Content Clues

The first lure is representative of a vast majority of lures that we see. For starters, it capitalizes on the universal language of money. Because this is a mass distributed phish, the threat actor needs to find a commonality among the recipients.  For this reason, we see the use of "invoice attachments" employed exhaustively.  Lures in all languages utilize this tactic.  One would think this practice would get old and at some point become ineffective but it must be producing results for cybercriminals; otherwise, why would they keep it up?

The subject line of this email is "Invoice" and the body indicates that the invoice was requested by the recipient.

Lesson #1 from this lure: Any time you receive an email about an invoice, you should go on high alert. 

Example of a phishing lure distributing Locky Ransomware

Wake Up! Spelling, Grammar, and Punctuation Errors

The second very common red flag in an email is found with misspellings and grammatical errors as well as overuse or misuse of capitalization and punctuation. As you can see in this lure, there are several errors, highlighted in red (below). 

Ransomware spelling and punctuation.PhishLabs.png

Spelling, punctuation, and capitalization errors in phishing lure distributing Locky ransomware

Lesson #2: Pay attention! I know you're in a hurry; everyone is busy but spelling and grammar errors are obvious red flags if you're alert. 

Contextual Clues 

Contextual clues in the email can also help identify a phish. You should always ask yourself a few questions:

  1. Does it make sense that this person is sending me an email?
  2. Am I expecting an invoice from this company or person? 
  3. Does the sender's email address match the company domain? (this can be misleading since email domains can be easily spoofed but still worth noting)

Lesson #3: Consider the context of the email. This lure containing an invoice is unexpected. 

Stop, Think, Hover

Also noteworthy is that the attachment has no name, it's just a bunch of random numbers and letters. Anytime you are about to click on an attachment or a link, you need to be extra cautious. 

Lesson #4: Take caution before ever clicking or opening. 

Ransomware Ruins Your Day

Another reason this is a very common type of lure is because it's distributing ransomware. This particular one is spreading Locky, one of the first and most resilient ‘mass distribution’ ransomware families. Ransomware will ruin your day in a hurry if you inadvertently click or open and attachment and one of these nasty little scripts run on your machine. 

The attachment in this lure runs JavaScript that downloads ransomware which will encrypt your files, which locks access. The script makes several internet calls to ensure there is a connection so that the victim can purchase the ransom currency (Bitcoin). The threat actor is generous enough to allow its victims to get on the web so that he/she can go through Tor, purchase bitcoins, and pay the ransom. The ransom requested in this one is .25 in Bitcoin which is roughly $1,000...not chump change. Sadly, if you don't have your files backed up and they are critical, there aren't a lot of options in recovering the files unless there is a known, released decryptor.

The human firewall is the final defense against ransomware but there are other mitigation techniques which we explore in depth in this recent blog post: How to Identify and Block Ransomware

Key Takeaways 

The lessons we draw from this email lure include: 

  1. Any time you receive an email requesting money (possibly by including an "invoice") you should go on high alert. 
  2. Spelling, grammar, punctuation errors and misuse of capitalization are all red flags that warrant your attention. 
  3. Consider contextual clues - who is it from, what is it about, is it sent to the appropriate email inbox etc.
  4. Before opening or clicking on a link, you need to be confident in its legitimacy. 

We look forward to sharing more lures and resources as part of our National Cyber Security Awareness campaign. Together, we can all become more #cyberaware. Fill out the form on this page to ensure you receive the resources.  

Article Link: https://info.phishlabs.com/blog/how-to-spot-a-phish-ransomware