Author Topic: This is the newest tactic cybercriminals are using to deliver ransomware


Offline Idaho_Cowboy

This is the newest tactic cybercriminals are using to deliver ransomware
Cybersecurity researchers have spotted a surge in ransomware emails containing a type of file which isn't blocked by many providers.
By Danny Palmer | October 13, 2016 -- 11:15 GMT (04:15 PDT) |

Ransomware groups have evolved yet another new tactic in their quest to infect victims with malicious file-encrypting software, including those behind the notorious Locky campaign.

Email remains very much the main delivery method of ransomware but over the last three months there's been a shift in tactics, with cybersecurity researchers at Symantec spotting a sudden surge in Windows Script Files (WSF) used to distribute ransomware.

WSF files are opened by Windows Script Host (WSH) and are designed to allow a variety of scripting languages to mix within a single file. What makes files with the .wsf extension appealing to cybercriminals, hackers, and other ransomware pushers is that they're not automatically blocked by some email clients and can be launched like a standard executable file.

Having realised that WSF files are less likely to be blocked by anti-malware programmes, ransomware campaigns using the extension type have massively jumped in recent months.

Symantec researchers say 22,000 emails containing malicious .wsf files were blocked in June and that figure had multiplied by almost 100 times by July to 2 million. The figure has remained steady since then, with 2.2 million malicious .wsf files blocked in September....
http://www.zdnet.com/article/this-is-the-latest-new-tactic-cybercriminals-are-using-to-deliver-ransomware/

Oceander

Re: This is the newest tactic cybercriminals are using to deliver ransomware
« Reply #1 on: October 14, 2016, 12:45:43 am »
@Idaho_Cowboy

Thanks for posting this.

Offline dfwgator

Re: This is the newest tactic cybercriminals are using to deliver ransomware
« Reply #2 on: October 14, 2016, 12:53:25 am »
They should be shot!

Offline roamer_1

Re: This is the newest tactic cybercriminals are using to deliver ransomware
« Reply #3 on: October 14, 2016, 01:21:38 am »
Having realised that WSF files are less likely to be blocked by anti-malware programmes, ransomware campaigns using the extension type have massively jumped in recent months.

Basic email safety:

Turn on 'view file extensions' in the Windows operating system.
Control Panel => Folder Options / File Explorer Options (depending on Windows version) => View tab: uncheck 'Hide extensions for known file types'

The extension of a file is a dot and usually three letters at the end of a file name. The extension tells the machine what to open the file with.

Learn executable file extensions http://fileinfo.com/filetypes/executable (not safe, for sure)
and alternatively, those that are certainly safe:
http://answers.microsoft.com/en-us/protect/forum/mse-protect_start/comprehensive-list-of-safe-file-extensions/e5098d50-f6c2-4459-87dd-4d7787659954

Everything else is, at the minimum, questionable.

NEVER open an executable attachment!!! Always save to disk and run antivirus on the file, or better yet, just ignore it entirely.

Remember: only the extension after the LAST dot is the true extension.
filename.doc is a Word document.
filename.doc.exe is an executable program.

This is why you make sure you can see file extensions; otherwise the operating system is hiding the last dot and extension:

filename.doc.exe is an executable program. If your machine is hiding extensions it will look like:
filename.doc, which looks like a Word document.

Even a .doc or .xls (typical MS Office document extensions) can contain scripts and macros. Office will ask if you want to run the script or macro after execution, upon which say NO. Cancel out of the document and get instruction by phone as to what the script/macro is and whether it is safe.

If you must send Office documents with scripts or macros in them, get in the habit (along with all your friends and colleagues) of either shipping such a thing in a zip file (with a text file included to explain the macro) or renaming the file before attachment - something like filename.do_, filename.xl_ or filename.ex_ (I'm a tech, and this convention is regularly used among my colleagues to quickly ship executables)... Of course the file would have to be saved to disk and renamed to be functional... and while you are at it, a virus scan is usually just a right-click away.

Learning how to zip files is super easy and free - it saves all sorts of clutter problems (multiple files can be zipped into a single container file). And you can easily password-protect the zip file... If your friends know the password you use, then they can readily confirm the file actually came from you, thus limiting the chance of a spoofed email containing a virulent component.

Links in emails can be spoofed super easily. Get in the habit of looking for the translated (read: honest) link: hover over the supplied link and compare it to the actual link, usually supplied by your browser or email client, usually in the bottom left corner. If it is different from the supplied address in the email, chances are it ain't good.

ANY legitimate agency or business will never send a mail requesting a reply with sensitive information, especially your bank. If you get such, do not send. Call the agency or business in question (not using any number provided by the suspect mail), using a verified number, and inquire personally.

Never trust ANY mail, even if it is from your own mother. Many viruses replicate by sending themselves to people in the infected machine's email list.

ALWAYS, ALWAYS, ALWAYS... when in doubt, DON'T CLICK IT. Call someone on the phone and verify. The machine you save may be your own.
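Added example, not code from any post in this thread: a small Python check that applies the last-dot rule above to attachment names, flags script-host and executable extensions (including the .wsf type the article's Symantec figures concern), recognises the filename.doc.exe disguise, and shows what a name looks like when Explorer hides extensions. The extension sets, the .ex_/.do_ handling and the block/review/allow verdicts are assumptions for illustration.

```python
# Added example: applies the last-dot rule from the post to attachment names.
# The extension sets and verdict names are assumptions for illustration.

# Types Windows Script Host or the shell runs directly. .wsf is the type the
# article's Symantec figures are about; the rest are the usual script and
# executable types a mail gateway should treat the same way.
EXECUTABLE_EXTS = {"exe", "com", "scr", "pif", "bat", "cmd", "msi", "hta",
                   "wsf", "wsh", "js", "jse", "vbs", "vbe", "ps1"}
MACRO_CAPABLE = {"doc", "xls", "docm", "xlsm"}      # can carry macros
PLAIN_DOCS = {"docx", "xlsx", "pdf", "txt", "jpg", "png"}


def true_extension(filename: str) -> str:
    """The extension after the LAST dot, lower-cased; '' when there is none."""
    _, dot, ext = filename.rpartition(".")
    return ext.lower() if dot else ""


def as_shown_with_hidden_extensions(filename: str) -> str:
    """What Explorer shows when 'Hide extensions for known file types' is on:
    the final extension disappears, so invoice.doc.exe is listed as invoice.doc."""
    base, dot, _ = filename.rpartition(".")
    return base if dot else filename


def classify_attachment(filename: str) -> tuple:
    """Return (verdict, reason) for a single attachment name."""
    ext = true_extension(filename)
    stem = filename[: -len(ext) - 1] if ext else filename
    if ext in EXECUTABLE_EXTS:
        inner = true_extension(stem)
        if inner in MACRO_CAPABLE | PLAIN_DOCS:
            return ("block", f".{ext} disguised as .{inner} (double extension)")
        return ("block", f".{ext} is an executable or script type")
    if ext.endswith("_"):          # the .ex_/.do_ shipping convention
        return ("review", "renamed file: scan before restoring the extension")
    if ext == "zip":
        return ("review", "archive: apply the same rule to every member")
    if ext in MACRO_CAPABLE:
        return ("review", f".{ext} may carry macros: do not enable them")
    if ext in PLAIN_DOCS:
        return ("allow", f".{ext} is a data file, not executable")
    return ("review", "unknown or missing extension")


if __name__ == "__main__":
    # Constructed sample names, not real attachments.
    for name in ["invoice.doc.exe", "Report.WSF", "tool.ex_", "photo.jpg", "README"]:
        verdict, why = classify_attachment(name)
        print(f"{name:16} shown as {as_shown_with_hidden_extensions(name):12} -> {verdict}: {why}")
```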

Offline EC

Re: This is the newest tactic cybercriminals are using to deliver ransomware
« Reply #4 on: October 14, 2016, 01:26:20 am »
Awesome post, Roamer. Thank you!  :beer:

Printed it out for the missus and for my son in law (both are way less computer savvy than is safe).

Offline roamer_1

Re: This is the newest tactic cybercriminals are using to deliver ransomware
« Reply #5 on: October 14, 2016, 01:37:21 am »
Happy to be of service!  :beer:

Oceander

Re: This is the newest tactic cybercriminals are using to deliver ransomware
« Reply #6 on: October 14, 2016, 01:40:57 am »
@roamer_1

awesome post!