Thursday, 22. September 2016

From RAR to JavaScript: Ransomware Figures in the Fluctuations of Email Attachments

By Lala Manly, Maydalene Salvador, and Ardin Maglalang

Why is it critical to stop ransomware at the gateway layer? Because email is the top entry point used by prevalent ransomware families. Based on our analysis, 71% of known ransomware families arrive via email. While there’s nothing new about the use of spam, ransomware distributors continue to employ this infection vector because it’s a tried-and-tested method. It’s also an effective way to reach potential victims like enterprises and small and medium businesses (SMBs) that normally use emails for communication and daily operations. Over the first half of the year, we observed how cybercriminals leveraged file types like JavaScript, VBScript, and Office files with macros to evade traditional security solutions. Some of these file types can be used to code malware. In fact, as a security precaution, Microsoft turns off macros by default.

In this blog post, we examine various email file attachments and how ransomware affected the fluctuation in the use of these file types.

A look at email attachments

Trend Micro has already blocked and detected 80 million ransomware threats during the first half of the year; 58% of which came from email attachments. Throughout this year, we followed Locky’s spam campaign and how its ever changing email file attachments contributed to its prevalence.  Based on our monitoring, the rising number of certain file types in email attachments is due to Locky.

The first two months of the year, we spotted a spike in the use of .DOC files in spam emails. DRIDEX, an online banking threat notable for using macros, was, at one point, reported to be distributing Locky ransomware. From March to April, we saw a spike in the use of .RAR attachments, which is also attributed to Locky.

 

Figure1

Figure 1. Businesses are at risk to ransomware attacks as they are heavy users of productivity applications where macros are used.

In June and August, it appears Locky’s operators switched to using JavaScript attachments. However, this type of attachment is also known to download other ransomware families such as CryptoWall 3.0 and TeslaCrypt 4.0. We also noticed Locky employing VBScript attachments, likely because this can be easily obfuscated to evade scanners. Around mid-July to August, we started seeing Locky’s spam campaign using Windows Scripting file (WSF) attachments—which could explain how WSF became the second file type attachment most used by threats.

With WSF, two different scripting languages can be combined. The tactic makes it difficult to detect since it’s not a file type that endpoint solutions normally monitor and flag as malicious. Cerber was also spotted using this tactic in May 2016.

Bar-Graph-01.jpg

Figure 2. The rise in JS spam attachments from June to August is attributed to Locky. 

The latest strains of Locky were seen using DLLs and .HTA file attachments for distribution purposes. We surmise that malware authors abuse the .HTA file extension as it can bypass filters, given that it is not commonly known to be abused by cybercriminals.

spam_copy_locky

HTA_attachment

Figures 3-4. Sample email message with .HTA attachment

Due to the continuous changes in the use of various file attachments, we suspect that the perpetrators behind Locky will use other executable files such as .COM, .BIN, and .CPL to distribute this threat.

To block spam emails with JS, VBScript, WSF and HTA attachments, companies should use email solutions with different anti-spam filters such as heuristics and fingerprint technology.  In addition, solutions with blacklisting mechanism can block known malicious sender IPs.

To detect macro downloaders by Locky and Cerber, email solutions should have macro scanning feature that can detect any malicious macro components of threats.

Typical email subjects

Prevalent ransomware like Locky and Cerber did not deviate from using common subject lines for social engineering. Enterprises and small-medium businesses should watch out for subject lines including those that involve invoices, parcel delivery, confirmation of order, banking notifications, and payment receipts. Knowing these email subjects can actually aid employees in spotting emails with ransomware.

Here are other samples of subjects used:


•  Documents requested
•  Audit Report
•  Budget Reports
•  Emailing: (Label | Picture | Image)
•  Message from “{RandomChar}”
•  We could not deliver your parcel, #{RandomChars}, Problems with item delivery, n(RandomChars), Unable to deliver your item, #{RandomChars}
•  Payment receipt
•  Order Confirmation {RandomChars}
•  Bill, Paid Bills


 

spamlocky_auditreport

Figure 5. Sample of a spammed email message

Mitigation

One critical aspect of a ransomware attack is its delivery mechanism. Once ransomware-laced emails enter the network and execute on the system, they can encrypt important files.  Gateway solutions should be in place to prevent ransomware from entering the network.

Because of the very nature of these threats, companies need a multilayered solution that can cover all their bases from exposure layer, endpoints, network, and servers.  It is also highly recommended that companies do backups to avoid succumbing into paying the ransom.  Earlier this year, we conducted a Security Preparedness survey where we asked decision makers, buyers, and end-users from small-medium to large enterprises if they do backups. Our survey revealed that 33% of the respondents either did not strictly implement their backup policy or were unaware if they had one.

Here’s an overview of Trend Micro products that can address ransomware from the gateway level and endpoints, to network and servers.






PROTECTION FOR ENTERPRISES

• 

Email and Gateway Protection Trend Micro Cloud App Security, Trend MicroTM Deep DiscoveryTM Email Inspector and InterScanTM Web Security addresses ransomware in common delivery methods such as email and web.

Spear phishing protection Malware Sandbox IP/Web Reputation Document exploit detection



• 

Endpoint Protection Trend Micro Smart Protection Suites detects and stops suspicious behavior and exploits associated with ransomware at the endpoint level.

Ransomware Behavior Monitoring Application Control Vulnerability Shielding Web Security



• 

Network Protection Trend Micro Deep Discovery Inspector detects malicious traffic, communications, and other activities associated with attempts to inject ransomware into the network.

Network Traffic Scanning Malware Sandbox Lateral Movement Prevention



• 

Server Protection Trend Micro Deep SecurityTM detects and stops suspicious network activity and shields servers and applications from exploits.

Webserver Protection Vulnerability Shielding Lateral Movement Prevention










PROTECTION FOR SMALL-MEDIUM BUSINESSES AND HOME USERS
• 

Protection for Small-Medium Businesses Trend Micro Worry-FreeTM Business Security Advanced offers cloud-based email gateway security through Hosted Email Security that can detect and block ransomware.

Ransomware behavior monitoring IP/Web Reputation



• 

Protection for Home Users Trend Micro Security 10 provides robust protection against ransomware by blocking malicious websites, emails, and files associated with this threat.

IP/Web Reputation Ransomware Protection






Post from: Trendlabs Security Intelligence Blog - by Trend Micro

From RAR to JavaScript: Ransomware Figures in the Fluctuations of Email Attachments