KnowBe4 ALERT: New Ransomware Spear-phish Uses Dropbox Attack

The cyber-mafia is stepping up the pressure with a new, highly malicious ransomware strain that takes only one click to infect a workstation. This aggressive ransomware gives the victim a mere 24 hours to pay the ransom in Bitcoin. It is called the "Pacman" ransomware, a name that evokes something eating up all of the victim's files. The attack has been rated high-risk because of its highly targeted nature and the degree of social engineering involved.

According to KnowBe4 CEO Stu Sjouwerman,

“Europe is often used as a beta-testing ground for attacks on the U.S., so you can expect this to happen here. The problem is that this spear phishing attack is focused on a small vertical, but fully automated. In this case it's chiropractors in Denmark. However, with tens of millions of data-breach records out there, targeted spear-phishing becomes much easier to execute.”

This new ransomware strain is highly malicious. In addition to its ransomware payload, the code includes a keylogger and has "kill process" capabilities that shut down Windows operating system tools such as taskmgr, cmd and regedit, which makes the malware very hard to remove.

Initially reported by CSIS, the email, written in perfect Danish, is disguised as a message from a "possible new patient" who has just moved into the area, has bad neck and back problems, and is looking for a new therapist. The new patient conveniently includes links to his MRI and CT scans, because his back is a special case.

The malicious code has been developed in .NET, so it requires the .NET package, which most Windows machines have installed by default these days. From there, "pacman.exe" is extracted and dropped onto the system, and it begins encrypting files on the local hard disk. The code searches the disk for data files, which are then encrypted. After a system has been compromised, the malware calls home to its central Command & Control server. The file extension ".ENCRYPTED" is appended to every encrypted file, and the process replaces the desktop of the infected machine with instructions on how to regain access to the data.
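The ".ENCRYPTED" extension appended to every encrypted file is the one host-side indicator the report names. The following added example (not code from the report, CSIS or KnowBe4) sweeps a directory tree and flags folders where a large share of files already carry that extension, which is the kind of early warning a file server or backup job can raise; the directory layout and the 50% threshold are constructed assumptions.

```python
"""Flag directories where bulk renaming to the ".ENCRYPTED" extension
(the indicator named in the Pacman ransomware report above) has begun.
Added defender-side example; the sample tree and threshold are assumptions."""
import os
import tempfile

RANSOM_SUFFIX = ".ENCRYPTED"  # extension appended by the ransomware per the report


def sweep(root, threshold=0.5):
    """Return {directory: (encrypted_count, total_count)} for every directory
    under `root` whose share of .ENCRYPTED files reaches `threshold`."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        if not files:
            continue  # nothing to judge in an empty directory
        encrypted = sum(1 for f in files if f.upper().endswith(RANSOM_SUFFIX))
        if encrypted and encrypted / len(files) >= threshold:
            hits[dirpath] = (encrypted, len(files))
    return hits


def build_sample_tree(base):
    """Constructed sample: one clean folder and one where most files were renamed."""
    clean = os.path.join(base, "docs")
    suspect = os.path.join(base, "scans")
    os.makedirs(clean)
    os.makedirs(suspect)
    for name in ("a.txt", "b.txt", "c.txt"):
        open(os.path.join(clean, name), "w").close()
    for name in ("mri.pdf.ENCRYPTED", "ct.pdf.ENCRYPTED", "readme.txt"):
        open(os.path.join(suspect, name), "w").close()
    return clean, suspect


def demo():
    """Run the sweep over the constructed tree and report what was flagged."""
    with tempfile.TemporaryDirectory() as base:
        clean, suspect = build_sample_tree(base)
        result = sweep(base)
        return (suspect in result, clean in result, result.get(suspect))


if __name__ == "__main__":
    print(demo())  # expected: (True, False, (2, 3))
```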

Sjouwerman further stated,

“Competition is escalating with gangs furiously innovating in an attempt to grab as much money as possible. Call it a criminal virtual land-grab. Next time it can be your employees getting one of these in their inbox, specifically targeted for your company.”

Sjouwerman advises:

“1) If you have not done so already, on your "edge" device, whether this is a web-filter, proxy server or firewall, include Dropbox as a blocked domain. This may not be popular but it's a corporate survival point. It's also a way to get back some control over "shadow-IT".

“2) Immediately step your users through effective security awareness training, so that they will spot the red flags related to ransomware spear phishing attacks.”

For more information or to get a free phishing test to see how “phish-prone” your employees are, visit: http://www.knowbe4.com/

About Stu Sjouwerman and KnowBe4

Stu Sjouwerman (pronounced “shower-man”) is the founder and CEO of KnowBe4, LLC, which provides web-based Security Awareness Training (employee security education and behavior management) to small and medium-sized enterprises. A data security expert with more than 30 years in the IT industry, Sjouwerman was the co-founder of Inc. 500 company Sunbelt Software, an award-winning anti-malware software company that he and his partner sold to GFI Software in 2010. Realizing that the human element of security was being seriously neglected, Sjouwerman decided to help entrepreneurs tackle cybercrime tactics through advanced security awareness training. KnowBe4 services hundreds of customers in a variety of industries, including highly-regulated fields such as healthcare, finance and insurance and is experiencing explosive growth with a surge of 427% in 2013 alone. Sjouwerman is the author of four books, with his latest being Cyberheist: The Biggest Financial Threat Facing American Businesses.

About Kevin Mitnick

Kevin Mitnick is an internationally recognized computer security expert with extensive experience in exposing the vulnerabilities of complex operating systems and telecommunications devices. He gained notoriety as a highly skilled hacker who penetrated some of the most resilient computer systems ever developed. Today, Mitnick is renowned as an information security consultant and speaker, and has authored three books, including The New York Times best seller Ghost in the Wires. His latest endeavor is a collaboration with KnowBe4, LLC.
