Cybersecurity firm warns of 20 million active ransomware attempts in last 24 hours

The aggressive attack uses impersonation and advanced threats to trick email recipients into downloading an attachment labeled ‘payment,’ which will encrypt an organization’s files.
By Bill Siwicki
02:37 PM

An example of the email attachment’s naming convention: Payment_201708-6165.7z being sent out. (Image courtesy of Barracuda.)

Over the course of 24 hours beginning August 30, there have been 20 million attempts at a ransomware attack through an email attachment, cybersecurity specialist Barracuda said. 

The warning comes two days after the hackers behind Locky ransomware launched another massive campaign on August 28, sending more than 23 million infected emails in a 24-hour period, according to researchers at AppRiver.

Barracuda said the newest attack comes from a spoofed email address bearing the attachment name and number in the subject line. 


“The full subject line in this example is ‘Emailing: Payment_201708-6165’ and the number in the attachment name is variable," Barracuda said. "This attachment is a JavaScript file in a 7zip archive that the Barracuda ATP Dynamic Analysis Layer identifies as a ‘file-encryption/ransomware’ type virus.”

One example of the email attachment’s naming convention: Payment_201708-6165.7z.

A file encryption/ransomware attack follows three steps. The first is delivery, where an attachment arrives in an inbox.


“It’s best to stop this attack before it arrives at your network, which is possible with an email security service,” Barracuda said.
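The indicators the article quotes (a subject line of the form "Emailing: Payment_201708-6165" with a variable number, and a matching .7z attachment that wraps a JavaScript file) are enough to write a simple gateway rule. The following is an added example, not Barracuda's or the article's code: it parses a raw message with Python's standard library, checks the subject and attachment name against the quoted naming convention, and confirms the attachment really is a 7-Zip archive by its magic bytes rather than trusting the extension. The sample messages it builds are constructed for the demonstration; the sender and recipient addresses are placeholders.

```python
import email
import email.policy
import re
from email.message import EmailMessage

# Lure indicators quoted from Barracuda's advisory: the subject is
# "Emailing: Payment_201708-6165" and the attachment Payment_201708-6165.7z,
# where the trailing number varies between messages.
SUBJECT_RE = re.compile(r"^Emailing:\s*Payment_\d{6}-\d+$")
ATTACH_RE = re.compile(r"^Payment_\d{6}-\d+\.7z$", re.IGNORECASE)
# Every 7-Zip archive begins with these six signature bytes.
SEVENZIP_MAGIC = b"7z\xbc\xaf\x27\x1c"


def classify(raw_message: bytes) -> dict:
    """Return which lure indicators a raw RFC 5322 message matches.

    'quarantine' is set when the attachment name follows the lure pattern and
    either the subject matches as well or the payload is genuinely a 7-Zip
    archive (the extension alone is not trusted).
    """
    msg = email.message_from_bytes(raw_message, policy=email.policy.default)
    subject = str(msg["Subject"] or "").strip()
    hits = {
        "subject": bool(SUBJECT_RE.match(subject)),
        "attachment_name": False,
        "sevenzip_magic": False,
    }
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if ATTACH_RE.match(name):
            hits["attachment_name"] = True
        payload = part.get_payload(decode=True) or b""
        if payload.startswith(SEVENZIP_MAGIC):
            hits["sevenzip_magic"] = True
    hits["quarantine"] = hits["attachment_name"] and (
        hits["subject"] or hits["sevenzip_magic"]
    )
    return hits


def build_sample(subject: str, filename: str, payload: bytes,
                 subtype: str = "x-7z-compressed") -> bytes:
    """Construct a sample message for exercising the rule (not a captured email)."""
    m = EmailMessage()
    m["From"] = "accounts@example.invalid"   # placeholder spoofed sender
    m["To"] = "recipient@example.invalid"    # placeholder recipient
    m["Subject"] = subject
    m.set_content("See attached.")
    m.add_attachment(payload, maintype="application", subtype=subtype,
                     filename=filename)
    return m.as_bytes()


if __name__ == "__main__":
    # Constructed lure: matching subject, matching name, real 7z signature.
    lure = build_sample("Emailing: Payment_201708-6165",
                        "Payment_201708-6165.7z",
                        SEVENZIP_MAGIC + b"\x00" * 16)
    # Constructed benign message for comparison.
    benign = build_sample("Q3 invoice", "invoice.pdf",
                          b"%PDF-1.4 constructed sample", subtype="pdf")
    for label, raw in (("lure", lure), ("benign", benign)):
        print(label, classify(raw))
```

The rule deliberately requires two independent signals before quarantining, so a legitimate message that happens to mention "Payment" in its subject is not caught; a 7-Zip attachment whose name follows the lure pattern is enough on its own, because the archive, not the subject, carries the JavaScript payload the article describes.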

The second step is infection. In the case of this latest ransomware attack, as seen by the spoofed source address, impersonation is key to gaining the trust of an email recipient.

“If the impersonation is successful, the recipient is likely to open the payment file attachment,” Barracuda added. “At this point, the embedded threat may be executed, which will begin the process of encryption.”


And the third step is ransom. Once an attack hits a predetermined threshold, the attacker will present a document that indicates the payment required for the decryption file.

“At this point, the victim might pay the ransom, recover from backup, or search for a decryption key online from a resource like NoMoreRansom,” Barracuda said. “We advise against making payment to ransomware criminals because this doesn’t guarantee the decryption of your files and it encourages them to target you again in the future.”

Barracuda said the JavaScript file is from the ransomware strain known as Locky. While Locky at one point was thought to be nearly extinct, the virus has continued to pummel all sectors in 2017. It’s one of the most successful ransomware strains launched, as it continues to evolve to evade attempts to crack its code.

Twitter: @SiwickiHealthIT
Email the writer: bill.siwicki@himssmedia.com