Blockmail-edit

Sterling IT can clean your email BEFORE it comes to your network.

Mail is filtered externally before it reaches you, so less junk hits your company, the load is taken off your network, and internet traffic to your organisation is reduced. Most importantly, it protects you* (*better than antivirus alone) from receiving Trojans and viruses, including zero-day threats, via email. This includes Cryptolocker and other encryption links. Nothing is guaranteed, but this defense will certainly reduce the risk dramatically.

Take a look at the brochures and contact us to organise a FREE 14 Day Trial (No Setup Costs, No commitment – Just TRY!)

To take advantage of the FREE TRIAL, please use our contact form and specify FREE BLOCKMAIL TRIAL.

PDF Brochures

Blockmail and Office365 STERLINGIT

Emergency_Email PDF

Blockmail Blended Threats Module

We are currently seeing extraordinarily large volumes of JavaScript attachments being spammed out which, if clicked on by users, lead to the download of ransomware. Ransomware encrypts data on a hard drive and then demands payment from the victim for the key to decrypt the data.

Our Spam Research Database saw around 4 million malware spams in the last seven days, and the malware category as a whole accounted for 18% of total spam arriving at our spam traps. The graph below shows hourly spam traffic for the malware category for the past 30 days – note the relatively low levels of activity to the left and the huge peaks on the right, representing the ransomware downloader campaigns. As you can see, the campaigns are not continuous but come in concentrated bursts, with peaks of 200K emails hitting our servers in a single hour.

Figure 1: Volume of Ransomware-ridden Spam for the past month

These campaigns are coming from the same botnet that previously spammed out documents with malicious macros that downloaded the Dridex trojan. The actors behind the campaigns have merely changed the delivery mechanism (a .js attachment) and the end malware (ransomware).

The Destruction

The notorious payloads of ransomware have been covered many times in blogs and mainstream media. This type of malware has a very destructive payload. Here’s a walkthrough of how this ransomware is propagated and infects a system. This particular spam campaign was sending a JavaScript attachment that downloads the Locky ransomware:

Figure 2: Recent spam typically uses Invoice-related subject lines

Figure 3: Extracted JavaScript file

Running the JavaScript downloads the ransomware executable:

Figure 4: The JavaScript code showing the download URL of the payload.

The malware may add a registry key; in this case it creates HKEY_CURRENT_USER\Software\Locky on the infected system.

Figure 5: Registry key added by Locky Ransomware

The malware connects to command and control servers whose addresses are hardcoded in its code, then reports the infected system’s information back to them:

Figure 6: Malware code showing the Command and control communication routine

Locky searches the infected system’s hard drive for files with the extensions listed below and then encrypts them:

Figure 7: The code routine where Locky looks for files to encrypt

.3g2, .3gp, .7z, .ARC, .NEF, .PAQ, .aes, .asf, .avi, .bak, .bat, .bmp, .c, .cgm, .class, .cmd, .djv, .djvu, .fla, .flv, .gif, .gpg, .gz, .jar, .java, .jpeg, .jpg, .m3u, .mid, .mkv, .mov, .mp3, .mp4, .mpeg, .mpg, .png, .psd, .qcow2, .rar, .raw, .rb, .sh, .svg, .swf, .tar, .tar.bz2, .tbk, .tgz, .tif, .tiff, .vdi, .vmdk, .vmx, .vob, .wav, .wma, .wmv, .zip

Figure 8: List of file extensions that Locky ransomware encrypts

The malware renames the encrypted files to a random name and uses .locky as the file extension.

Ransom notes are dropped in every encrypted file’s folder and the desktop background is also replaced with a ransom note image.

A unique webpage is generated for each victim that can only be accessed through the Tor anonymous browser. This page contains a bitcoin payment setup where the victim can pay for a decrypter tool.
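As an added illustration of the encryption behaviour described above (this is not code from the original post or from the Blockmail service), here is a small Python scan a responder could run over a file share once an infection is suspected: it flags files already renamed to .locky, notes which folders they sit in, and lists the not-yet-encrypted files whose extensions appear in Figure 8 so they can be prioritised for isolation or restoring from backup. The sample directory tree, its placeholder contents and the hexadecimal .locky file names are constructed for the demonstration; the LOCKY_TARGET_EXTENSIONS set is Figure 8 lower-cased.

```python
import os
import tempfile
from pathlib import Path

# File types from Figure 8 (what Locky encrypts), matched case-insensitively.
LOCKY_TARGET_EXTENSIONS = {
    ".3g2", ".3gp", ".7z", ".arc", ".nef", ".paq", ".aes", ".asf", ".avi", ".bak",
    ".bat", ".bmp", ".c", ".cgm", ".class", ".cmd", ".djv", ".djvu", ".fla", ".flv",
    ".gif", ".gpg", ".gz", ".jar", ".java", ".jpeg", ".jpg", ".m3u", ".mid", ".mkv",
    ".mov", ".mp3", ".mp4", ".mpeg", ".mpg", ".png", ".psd", ".qcow2", ".rar", ".raw",
    ".rb", ".sh", ".svg", ".swf", ".tar", ".tar.bz2", ".tbk", ".tgz", ".tif", ".tiff",
    ".vdi", ".vmdk", ".vmx", ".vob", ".wav", ".wma", ".wmv", ".zip",
}
# Extension Locky gives to files it has already encrypted (from the text above).
ENCRYPTED_EXTENSION = ".locky"

# Longest extensions first so "weekly.tar.bz2" is reported as .tar.bz2, not missed.
_EXTENSIONS_BY_LENGTH = sorted(LOCKY_TARGET_EXTENSIONS, key=len, reverse=True)


def matched_extension(filename):
    """Return the Figure 8 extension that filename ends with, or None."""
    lower = filename.lower()
    for ext in _EXTENSIONS_BY_LENGTH:
        if lower.endswith(ext):
            return ext
    return None


def scan_tree(root):
    """Walk root and classify every file.

    Returns a dict with:
      encrypted   - relative paths already renamed to .locky (evidence of infection)
      folders_hit - relative folders containing at least one .locky file
      at_risk     - {extension: [relative paths]} of not-yet-encrypted files Locky targets
    Paths are relative to root so the report is stable across machines.
    """
    report = {"encrypted": [], "folders_hit": set(), "at_risk": {}}
    for dirpath, _dirs, files in os.walk(root):
        for fname in sorted(files):
            rel = os.path.relpath(os.path.join(dirpath, fname), root)
            if fname.lower().endswith(ENCRYPTED_EXTENSION):
                report["encrypted"].append(rel)
                report["folders_hit"].add(os.path.dirname(rel))
                continue
            ext = matched_extension(fname)
            if ext is not None:
                report["at_risk"].setdefault(ext, []).append(rel)
    return report


# Constructed sample tree (placeholder contents, hypothetical .locky names); not real victim data.
SAMPLE_FILES = [
    "docs/photo.jpg",
    "docs/report.docx",
    "docs/3F9A1C2B7D4E8F60.locky",
    "backups/weekly.tar.bz2",
    "backups/db.bak",
    "src/main.c",
    "src/README",
    "shares/finance/A1B2C3D4E5F60718.locky",
]


def build_sample_tree():
    """Create the constructed sample tree in a temp dir and return its path."""
    root = tempfile.mkdtemp(prefix="locky-scan-")
    for rel in SAMPLE_FILES:
        path = Path(root, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(b"placeholder contents")
    return root


def summarize(report):
    """The counts a responder wants first: how far it has spread, what is still exposed."""
    return {
        "encrypted_files": len(report["encrypted"]),
        "folders_hit": len(report["folders_hit"]),
        "at_risk_files": sum(len(v) for v in report["at_risk"].values()),
    }


if __name__ == "__main__":
    sample_root = build_sample_tree()
    result = scan_tree(sample_root)
    print(summarize(result))
    for ext, paths in sorted(result["at_risk"].items()):
        print(ext, paths)
```

On the constructed tree the scan reports two encrypted files in two folders and four at-risk files (.jpg, .tar.bz2, .bak and .c); the .docx and the extension-less README are not on Locky's list and are left out. Point scan_tree at a real share root to use it in anger.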

Conclusion

Blocking these mass spam attacks is important. In a way, apart from the huge volumes and the ransomware payload, these malicious spam campaigns are not new. It’s the same botnet, different day, and different payload. Our Blockmail Service is currently proving very effective against these campaigns. All layers, including the various anti-spam and anti-malware layers, play a part.

For those wanting extra protection, also carefully consider your inbound email policy:

  • Blocking inbound .js attachments.
  • Blocking inbound Office documents with macros.

While these steps might seem very strict, some companies have opted for them, at the same time as considering alternative ways to pass valid .js and macro documents into the organisation by using a secure file transfer system such as FileXchange.
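To show what the two policy items above look like as a mail-gateway check, here is an added Python example; it is not part of the original post and is not Blockmail's own filtering. It parses an inbound message, flags .js attachments, including ones packed inside a zip archive, and flags Office Open XML documents that carry a VBA project (stored as vbaProject.bin inside the document's zip container). The sample invoice-themed message, the example.com and example.org addresses, the nesting limit MAX_ARCHIVE_DEPTH and the assumption that the JavaScript arrives zipped are all constructed for this example; legacy binary .doc and .xls formats are not inspected here.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Policy from the bullet list above: block inbound .js, block Office documents carrying macros.
BLOCKED_SCRIPT_EXTENSIONS = (".js",)
# OOXML formats are zip containers; a VBA project inside them is stored as vbaProject.bin.
OOXML_EXTENSIONS = (".docx", ".docm", ".xlsx", ".xlsm", ".pptx", ".pptm")
ARCHIVE_EXTENSIONS = (".zip",)
MAX_ARCHIVE_DEPTH = 2  # assumption: look inside zips nested at most two levels deep


def ooxml_has_macros(data):
    """True if the OOXML container holds a vbaProject.bin part (VBA macros present)."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(name.lower().endswith("vbaproject.bin") for name in zf.namelist())
    except zipfile.BadZipFile:
        return False


def inspect_attachment(name, data, depth=0):
    """Return [(attachment path, reason)] policy findings for one attachment.

    Zip archives are opened and their members checked with the same rules, on the
    assumption that the .js lure is usually delivered inside a zip.
    """
    lower = name.lower()
    findings = []
    if lower.endswith(BLOCKED_SCRIPT_EXTENSIONS):
        findings.append((name, "JavaScript attachment"))
    elif lower.endswith(OOXML_EXTENSIONS):
        if ooxml_has_macros(data):
            findings.append((name, "Office document containing VBA macros"))
    elif lower.endswith(ARCHIVE_EXTENSIONS):
        if depth >= MAX_ARCHIVE_DEPTH:
            findings.append((name, "archive nested too deeply to inspect"))
            return findings
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    if info.is_dir():
                        continue
                    member = f"{name}/{info.filename}"
                    findings.extend(inspect_attachment(member, zf.read(info), depth + 1))
        except zipfile.BadZipFile:
            findings.append((name, "zip archive could not be opened"))
    return findings


def check_message(raw_bytes):
    """Parse an RFC 5322 message and apply the attachment policy to every attachment."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "unnamed"
        data = part.get_payload(decode=True) or b""
        findings.extend(inspect_attachment(name, data))
    return findings


def verdict(findings):
    """Deliver clean mail; quarantine anything that tripped the policy."""
    return "quarantine" if findings else "deliver"


def _zip_bytes(members):
    """Build an in-memory zip from {member name: bytes} (test fixture helper)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for member, content in members.items():
            zf.writestr(member, content)
    return buf.getvalue()


def build_sample_message():
    """Constructed invoice-themed message (cf. Figure 2); nothing here is a real capture."""
    js_zip = _zip_bytes({"invoice_12345.js": b"// placeholder, not a real downloader\n"})
    macro_doc = _zip_bytes({
        "[Content_Types].xml": b"<Types/>",
        "word/document.xml": b"<w:document/>",
        "word/vbaProject.bin": b"\x00placeholder VBA project",
    })
    clean_doc = _zip_bytes({"[Content_Types].xml": b"<Types/>", "word/document.xml": b"<w:document/>"})

    msg = EmailMessage()
    msg["From"] = "accounts@example.com"
    msg["To"] = "user@example.org"
    msg["Subject"] = "Invoice 12345"
    msg.set_content("Please find the attached invoice.")
    msg.add_attachment(js_zip, maintype="application", subtype="zip", filename="invoice_12345.zip")
    msg.add_attachment(macro_doc, maintype="application", subtype="octet-stream", filename="invoice.docm")
    msg.add_attachment(clean_doc, maintype="application", subtype="octet-stream", filename="terms.docx")
    return msg.as_bytes()


if __name__ == "__main__":
    found = check_message(build_sample_message())
    for path, reason in found:
        print(f"{reason}: {path}")
    print("verdict:", verdict(found))
```

On the sample message the check reports the .js inside invoice_12345.zip and the macro-bearing invoice.docm, while the macro-free terms.docx passes, so the message as a whole is quarantined. Checking for vbaProject.bin rather than trusting the .docm/.docx extension matters because a renamed file keeps its contents; the same idea extends to the legacy OLE formats with a dedicated parser.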

And of course your last line of defense against ransomware infection is always having a good, up-to-date backup process.

As always I’m only too happy to help if you have any questions on any aspect of your IT security, so feel free to reach out and contact us.

Blockmail Australian Support and Distributor