Cybercriminals use phishing emails with malicious links or attachments to distribute ransomware more than any other method. Their goal is to fool unwitting victims into downloading the nasty, file-encrypting malware so they’ll be forced to pay a ransom in exchange for the decryption key.
CSO Magazine last year found that 93% of all phishing emails contain ransomware. To protect yourself and your business, it’s important to know which emails and tricks to avoid. Here’s a look at phishing emails that have commonly been used to spread CryptoLocker, CryptoWall, Locky and other notorious forms of ransomware.
Distributors of CryptoLocker ransomware used fake emails from police to snare victims. In one example, shown below, the distributors use a phony message from Australian Federal Police informing the potential victim of a traffic violation. Similar police phishing messages were used in other regions. CryptoLocker ransomware was automatically downloaded if victims clicked the link in the email.
Many victims fell prey to these messages because police phishing creates anxiety or panic and pushes people into action. Victims see the email and want to prove that they don’t really owe any money, so they click the link to obtain more details and the ransomware attack begins.
In 2014, CryptoWall was distributed via email messages that contained a malicious attachment. Once the attachment was opened, CryptoWall encrypted the victim’s data with a 2048-bit RSA key. The CryptoWall phishing message below is one of the least sophisticated examples here. It comes with an attachment but provides no information on what is contained in the attachment. This form of phishing relies mostly on the victim’s curiosity as to what the file could contain that is so important. If you see an email like this, do not click on the attachment.
CTB-Locker ransomware used messages similar to the police phishing scam to entice victims into clicking on an embedded link. In this case, the email was designed to look like it came from the Federal Trade Commission (FTC). Victims who clicked the link launched a ransomware infection that encrypted their computer data and removed their shadow copies.
Distributors of Petya, Mischa and GoldenEye ransomware used fake job applications to trick recruiters and HR professionals into downloading the malicious code. They designed the phishing emails to be generic enough that they could be referring to any open position. The goal was to force victims to open the attachment to see which job the “applicant” was talking about. GoldenEye used a slightly different tactic: a .pdf file with the cover letter and a macro-enabled .xlsm file that loaded the ransomware.
Locky was heavily distributed by large criminal enterprises that used phishing messages. The one below claims that the victim made a payment on an account. The victim can view the payment confirmation in the attached zip file. Unfortunately for victims, the zip contained fake transaction information and a Locky ransomware loader.
As with Locky, the distributors of TeslaCrypt used a .zip attachment to attack their victims. In the case below, the phishing message claims that payment for services is overdue and threatens legal action if the victim does not pay. Victims who opened the .zip file found a Microsoft Word document with macros that installed the ransomware.
Ransomware phishing messages entice computer users into opening attachments or clicking links containing malicious code by appealing to their curiosity, creating anxiety or panic, or by offering them something of value such as money or a free vacation.
Be skeptical of emails you receive, and do not click links or open attachments unless you are absolutely certain the message was sent by a trusted individual or business. You should also disable macros in Microsoft Office, because many forms of ransomware rely on this functionality to run. Disabling Microsoft Office macros prevents such code from running.
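The Locky, TeslaCrypt and GoldenEye lures above all hinge on a macro-enabled Office file, often wrapped in a .zip. The following added example (not from the original article) is a small mail-gateway style check that opens a .zip attachment in memory and flags any Office Open XML member that embeds a VBA project; the sample attachment it scans is constructed inline and the file names in it are assumptions.

```python
import io
import zipfile

# Office Open XML files (.docx/.docm/.xlsx/.xlsm/...) are zip containers; a VBA
# project is stored at one of these member paths when the document has macros.
VBA_MEMBERS = ("word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin")


def office_has_macros(doc_bytes: bytes) -> bool:
    """Return True if an OOXML document embeds a VBA project (vbaProject.bin)."""
    try:
        with zipfile.ZipFile(io.BytesIO(doc_bytes)) as doc:
            names = set(doc.namelist())
    except zipfile.BadZipFile:
        return False  # not OOXML (PDF, legacy .doc, etc.); out of scope here
    return any(member in names for member in VBA_MEMBERS)


def scan_zip_attachment(zip_bytes: bytes) -> list:
    """List members of a .zip attachment that are macro-bearing Office documents.

    Every member is inspected by content, so a renamed .docm is still caught."""
    flagged = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as outer:
        for info in outer.infolist():
            if office_has_macros(outer.read(info)):
                flagged.append(info.filename)
    return flagged


def _build_ooxml(kind: str, with_vba: bool) -> bytes:
    """Constructed stand-in for a Word ('word') or Excel ('xl') file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr(f"{kind}/document.xml", "<doc/>")
        if with_vba:
            z.writestr(f"{kind}/vbaProject.bin", b"\x00constructed-vba-blob")
    return buf.getvalue()


def build_sample_attachment() -> bytes:
    """Constructed sample zip: one macro document, one clean one, one PDF."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("payment_confirmation.docm", _build_ooxml("word", True))
        z.writestr("invoice.docx", _build_ooxml("word", False))
        z.writestr("cover_letter.pdf", b"%PDF-1.4 constructed placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    print(scan_zip_attachment(build_sample_attachment()))  # ['payment_confirmation.docm']
```

A flagged member is a reason to quarantine the message for review, not proof of malware on its own; legitimate macro workbooks exist, which is why the article's advice to disable macros by default matters.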
Lastly, keep a backup of your data just in case someone does click an infected link or open malicious files. Backing up your data to an offsite location, such as the cloud, ensures that you can get your data back following an attack without paying the ransom.