ALERT: New Ransomware Spearphish Uses One-Click Dropbox Attack

The cyber-mafia is stepping up the pressure. As you know, there are several competing gangs that are furiously innovating in an attempt to grab as much money as possible. Call it a criminal virtual land-grab.

A new ransomware attack was spotted in Europe that uses a highly-targeted spear phishing attack using Dropbox as a delivery mechanism. It only takes one click to infect a workstation and a victim has just 24 hours to pay the ransom in Bitcoin, which is very aggressive. It’s called the “Pacman” ransomware, suggesting pictures of something eating up all files.

The ransomware strain is highly malicious. Besides containing a ransomware payload, the code includes a keylogger and has “kill process” capabilities that shut down Windows operating system functions like taskmgr, cmd, regedit and more which makes it very hard to remove this malware.

Europe is often used as a beta-testing ground for attacks on the U.S., so you can just wait for this to happen here. The problem is that this spear phishing attack is focused on a small vertical, but fully automated. In this case it’s chiropractors in Denmark. But remember that with the tens of millions of data-breach records out there, it’s very easy to do this. Next time it can be your employees getting one of these in their inbox, specifically targeted for your company.

Here is how the attack looks, reported by CSIS. It’s an email in perfect Danish from a “possible new patient”, who explains they are moving into the area, have bad neck and back problems, and is looking for a new therapist. The new patient conveniently has links to his MRI and CT scan, because his back is a case of its own.

This attack has been rated high-risk because of its highly targeted nature and the degree of social engineering used.

Technical Background 

ransom_spear_phishThe malicious code has been developed in .NET, so it needs to have the .NET package installed, which most Windows machines have installed by default these days.

From there, “pacman.exe” is extracted and dropped on to the system while initializing the encryption of files on the local hard disk. The code searches the disk for data files which are subsequently encrypted. After a system has been compromised it will call home to the central C&C server.

A new file extension “.ENCRYPTED” is added to all files. The process continues by replacing the desktop of the infected machine with instructions on how to regain access to the data.

It is only a matter of time before functionality is added to encrypt both mapped and unmapped network drives.

What To Do About It

1) If you have not done so already, on your “edge” device whether this is a web-filter, proxy server or firewall, include Dropbox as a blocked domain. This may not be popular but it’s a corporate survival point. It’s also a way to get back some control over “shadow-IT”.

2) Urgently step your users through effective security awareness training, so that they will spot the Red Flags related to ransomware spear phishing attacks.

Source: Knowbe4

Leave a Reply

Your email address will not be published. Required fields are marked *