Ransomware attacks grew significantly last year, and the evidence suggests the trend will continue. About 42% of security breaches in the UK were caused by ransomware. A large part of the problem is a persistent spam campaign that deceives victims with a fake invoice or order. Although cyber security specialists have warned about this technique many times, it continues to generate huge revenue for attackers.
The email in the latest campaign carries an invoice purportedly sent by Salesforce, a well-known US company whose customer relationship management (CRM) product is used by companies around the world. The unsolicited email has a semi-dynamic subject line and an attached .doc file:
From: [spoofed / fake return address]
Subject line: one of several variations, such as the ones below
salesforce – Billing Statement Overdue [% name of the receiver%]
salesforce.com – Contract Confirmation of [% name of the receiver%] [% name of the receiver%]
Your Telephone Bill Report is due [% name of the receiver%]
Your Phone and Data Billing Report is due
www.salesforce.com Order Confirmation for
Attached: [% name of the receiver%]_Contract.doc
The attached .doc file carries a malicious macro which, if the user enables it, downloads the CryptoWall 4.0 payload from the following URL:
http://mastfm102[.]com/wordpress/wp-includes/asalam.exe
The CryptoWall 4.0 payload is then copied to the victim's system at the following location:
[% user account%]\AppData\Local\Temp\VBE\MSForms.exe
The payload then connects to a long list of compromised web servers used as command-and-control infrastructure, to which it reports the infection and sends information about the victim's system. Here is a segment of that list, including servers currently controlled by the attackers behind this campaign:
- http://vancouverdispensarycoalition[.]ca/euqUb5.php
- http://thebesttshirtsonline[.]com/CF9iM8.php
- http://turbosol[.]asia/l7xydO.php
- http://uzmankirala[.]com/KhVRbv.php
- http://vinastudio[.]at/8TkXUJ.php
- http://thebeautythesis[.]com/UaEigq.php
- http://wallpapersau[.]net/igrHKY.php
- http://yardstickglobal[.]in/Y37Jux.php
- http://villisplace[.]info/fJQ_3v.php
- http://zolty[.]eu/bnFKET.php
The malicious code reveals that this campaign uses the following campaign ID: “crypt5029”.
As is typical of ransomware campaigns, antivirus detection of the payload is very low at this stage.
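Because signature-based detection lags behind a fresh campaign, the indicators listed above are worth sweeping for directly: the download URL and C2 URLs in proxy logs, and the drop path on endpoints. The script below is an added example written for this article, not code from the original post or from any vendor; the indicators are the ones published above, the proxy log lines and file paths are constructed sample input, and all function names are the author's own. Note that the indicators are refanged from their published `[.]` form before matching, and that a request to a listed host with a different script name is flagged at lower confidence rather than ignored, since these are compromised servers that may host more than one C2 script.

```python
"""IOC sweep for the Salesforce-themed CryptoWall 4.0 spam campaign.

Added example, not from the original article. Indicator values are those the
article publishes; the log lines and paths below are CONSTRUCTED sample data.
"""
import re
from urllib.parse import urlparse

# Indicators exactly as published (defanged with "[.]").
DOWNLOAD_URL = "http://mastfm102[.]com/wordpress/wp-includes/asalam.exe"
C2_URLS = [
    "http://vancouverdispensarycoalition[.]ca/euqUb5.php",
    "http://thebesttshirtsonline[.]com/CF9iM8.php",
    "http://turbosol[.]asia/l7xydO.php",
    "http://uzmankirala[.]com/KhVRbv.php",
    "http://vinastudio[.]at/8TkXUJ.php",
    "http://thebeautythesis[.]com/UaEigq.php",
    "http://wallpapersau[.]net/igrHKY.php",
    "http://yardstickglobal[.]in/Y37Jux.php",
    "http://villisplace[.]info/fJQ_3v.php",
    "http://zolty[.]eu/bnFKET.php",
]
CAMPAIGN_ID = "crypt5029"
# Drop location from the article; the per-user prefix varies, so anchor on the tail.
DROP_PATH_RE = re.compile(r"\\AppData\\Local\\Temp\\VBE\\MSForms\.exe$", re.IGNORECASE)


def refang(ioc):
    """Turn a published, defanged indicator back into a matchable URL."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


def host_path(url):
    """(hostname, path) key for comparison; urlparse lowercases the hostname."""
    p = urlparse(refang(url))
    return (p.hostname or "", p.path)


DOWNLOAD_KEY = host_path(DOWNLOAD_URL)
C2_KEYS = {host_path(u) for u in C2_URLS}
C2_HOSTS = {host for host, _ in C2_KEYS}


def classify_request(url):
    """Label one proxied URL, or return None if it matches no indicator."""
    key = host_path(url)
    if key == DOWNLOAD_KEY:
        return "payload-download"
    if key in C2_KEYS:
        return "c2-checkin"
    if key[0] in C2_HOSTS:
        # Same compromised host, different script: lower confidence, still review.
        return "c2-host-other-path"
    return None


# CONSTRUCTED proxy log: "<epoch> <client> <method> <url> <status>" per line.
SAMPLE_PROXY_LOG = """\
1447930101.123 10.0.0.12 GET http://www.salesforce.com/ 200
1447930160.512 10.0.0.12 GET http://mastfm102.com/wordpress/wp-includes/asalam.exe 200
1447930175.009 10.0.0.12 POST http://turbosol.asia/l7xydO.php 200
1447930176.330 10.0.0.12 POST http://zolty.eu/bnFKET.php 200
1447930190.001 10.0.0.33 GET http://vinastudio.at/index.php 200
1447930200.777 10.0.0.40 GET http://example.org/news 200
"""

# CONSTRUCTED endpoint file listing. MSForms.exd is a legitimate Office control
# cache file that normally lives in Temp\VBE; the payload name imitates it.
SAMPLE_PATHS = [
    r"C:\Users\jdoe\AppData\Local\Temp\VBE\MSForms.exe",
    r"C:\Users\jdoe\AppData\Local\Temp\VBE\MSForms.exd",
    r"C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7.1\VBE7.DLL",
]


def scan_proxy_log(text):
    """Return [(client, label, url)] for every line whose URL hits an indicator."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # skip blank or malformed lines
        client, url = parts[1], parts[3]
        label = classify_request(url)
        if label:
            hits.append((client, label, url))
    return hits


def infected_clients(hits):
    """Clients with a confirmed download or check-in (not the low-confidence label)."""
    return {client for client, label, _ in hits if label in ("payload-download", "c2-checkin")}


def suspicious_drop_paths(paths):
    """Paths matching the published drop location."""
    return [p for p in paths if DROP_PATH_RE.search(p)]


if __name__ == "__main__":
    hits = scan_proxy_log(SAMPLE_PROXY_LOG)
    for hit in hits:
        print("%-10s %-20s %s" % hit)
    print("infected clients:", sorted(infected_clients(hits)))
    print("drop paths:", suspicious_drop_paths(SAMPLE_PATHS))
```

Run against real proxy exports, adapt `scan_proxy_log` to the export's column order; the rest of the logic is independent of the log format. The campaign ID string `crypt5029` is kept as a constant so the same sweep can be pointed at memory dumps or macro source later.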
Companies, especially small and medium ones, are attractive targets for cyber criminals, because they:
- tend to favour a BYOD environment, where personal devices are also used to run the business;
- store and manage attractive data, such as customer contact information, credit card data, health data, intellectual property and more;
- tend to be less secure, because they cannot afford sophisticated cyber security technologies, so cyber criminals can easily find vulnerabilities to exploit to get into their PCs or network;
- sometimes outsource cyber security tasks to unqualified service providers;
- are far more interconnected than ever before, with a mix of PCs (desktops, laptops), smartphones and cloud-stored data to manage and protect securely, which is not always easy;
- can be used as stepping stones to bigger targets, since small and medium businesses often act as service providers to large companies, which are more lucrative targets for cyber criminals;
- lack the time, budget and expertise needed to build a strong security posture to protect business assets (including an in-house cyber security specialist);
- can be hit by automated attacks: cyber criminals use readily available malware kits to mass-produce attacks with little investment; these attacks are automated and the attackers don't care who they hit, as long as they get what they want;
- don't usually conduct employee training or risk assessments.
Following CryptoWall's evolution, each strain has lasted a few months before an enhanced, stealthier strain surfaced.
Until now, CryptoWall 3.0 was the longest-lived strain, but CryptoWall 4.0 arrived with vastly improved communication capabilities and a greater ability to stay under the radar, so there is no telling how long it will last.
Nevertheless, one can assume that CryptoWall 5.0 is already on the way and could emerge within the next three months. Companies should therefore not postpone implementing basic security measures to keep their data protected. Automatic patching, enabling macro protection and employee training are all measures that are both affordable and effective.