Technology Blog »

This Email Attachment is Ransomware Disguised as an Invoice

New strain of Locky disguises itself as an invoice

By disguising itself as an invoice it proved to be an effective approach for the original Locky ransomware, which infected millions of users in 2016. Although it was mostly defeated, hackers are currently using a similar approach to spreading a new type of Malware. In 2017, a new Locky ransomware is poised to duplicate the success of its predecessor.

Quick Facts

According to a threat intelligence report, the email-based ransomware attacks started on August 9 and were detected through 62,000 PHIshing emails in 133 countries in just three days. It also revealed that 11,625 IP addresses were used to carry out the attacks, with the IP range owners consisting mostly of internet service providers and telecom companies.

How it Works

The malicious email contains an attachment named “E 2017-08-09 (580).vbs” and just one line of text. Like the original Locky authors, attackers responsible for the new variant deploy social engineering tactics to scam recipients into opening the attached .doc, zip, pdf, .jpg or tiff file, which installs the ransomware into their systems.

When an unsuspecting user downloads the file, the macros run a file that provides the encryption Trojan with an entry point into the system. The Trojan then encrypts the infected computer’s files.

Once encryption is completed, the user receives instructions to download the Tor browser so they can access the "dark web" for details on how to pay the ransom. To retrieve their encrypted files, users will be asked to pay from 0.5-1 Bitcoin.

What you Need to do

This ransomware variant builds on the strengths of previous Trojans. In fact, the original Locky strain made it easy for cyber criminals to develop a formidable ransomware that could evade existing cyber security solutions. This is why adopting a "deny all" security stance, whereby all files are considered unsafe until proven otherwise, is the best way to avoid infection.

Here are other tips to avoid infection:

  • Don’t open unsolicited attachments in suspicious emails. Alert your IT staff, and most importantly disallow macros in Microsoft Office unless they’ve been verified by your IT team.
  • Performing regular backups guarantees you never have to pay cyber criminals a ransom. If all other security measures fail, you can always rely on your backups, which protect your business not just from cyber crime-related disasters, but also from natural and other unforeseen system failures.
  • Train your staff to identify online scams like phishing. This and other similar ransomware strains take advantage of users’ lack of cyber security training.
  • Update your operating systems as soon as updates become available to reduce, or eliminate, the chances of your system’s vulnerabilities being exploited.

Even with a trained staff and the latest protections installed, your IT infrastructure may still have unidentified security holes. Cyber security experts can better evaluate your entire infrastructure and recommend the necessary patches for your business’s specific threats. To secure your systems, get in touch with our experts now.