If you have ever wondered how a ransomware infection occurs, this is the story for you.  We will go through the steps of how a phishing email to an unsuspected user resulted in the files on their computer becoming encrypted with ransomware.  Even though this scenario resulted in a computer being infected with ransomware, phishing emails like this one can result in other type of malware/virus infections as well.  As we walk through the phishing scenario, I will provide some tips on how to verify the email is legitimate and point out warning signs that could have alerted the user that the email was malicious and fake.

If you aren’t familiar with ransomware, it encrypts the files on your computer so they cannot be open, viewed, read, etc.  After the encryption occurs, you will be provided instructions on how to pay a ransom to receive the key to “unlock” (decrypt) your files so they will once again be viewable/readable.   It’s important to note, most people in the security industry along with government agencies recommend NOT paying the ransom for several reasons:

• Paying the ransom will more likely lead to you being targeted again, due to attackers knowing you will pay.
• Paying the initial ransom could result in the attacker asking for additional money before providing the key to decrypt (unlock) your files.
• There have been times where the files cannot be decrypted (unlocked) with the key, because there were problems with the malware.

You may be asking yourself, “How do I protect myself against ransomware?”  You can become infected with ransomware in several ways, so the best defense is to have good backups of your data.  You should back your data up to some sort of removable media such as an external hard drive, USB drive, CD’s/DVD’s, etc.  After backing up your data, you should disconnect/remove the media from your computer as some ransomware can encrypt removable media as well as the files physical on your computer.  Good backups are also important if your computer ever stops working or your data becomes corrupted for other reasons.  Other than having good backups, you can read through our other posts regarding safe internet searching, not downloading random software off the internet, being extremely cautious when clicking on links or opening attachments from suspicious emails, running files through virustotal prior to opening them, etc.  These stories can be found by clicking following tags/categories above:  apps, downloads, scenarios, search words, and virustotal.

Now that we have defined ransomware and what you can do to protect yourself, let’s jump into this real-world phishing scenario…

Here is the email the user received:

The first warning sign here would be the email came from a random email address/random person.  The user did not know the sender.  You should always be skeptical of emails from random people, but you should be even more cautious if it includes a link to a website or an attachment. 

Please Note:  There may be times where someone you know has had their email compromised (“hacked”).  So even if the user did know the sender, they should be cautious if the email talks about random topics.  An example of a random topic, would be your friend sending you a news story about something political when they normally don’t or maybe it’s one of your friends sending a “receipt” like this email.  Should your friend be sending you a “receipt”?  You may be asking, “What if I actually do business with the sender or my friend does send me political stories often?”  Well, I would ask myself did the email (and topic) come at a random time such as you had discussed the topic several weeks or months ago and haven’t since?  Let’s say with this example the user had done business with the sender previously and they have received receipts previously.  There may be other warning signs such as were you expecting a receipt to be sent at this time?  If you purchased something months ago and then randomly months later you received a receipt, you should question why it came now.  If you were expecting a receipt, does the sender always put a password on the receipt?  Does the sender always say “Thank you so much for your business.” or do they include random numbers at the bottom?  If anything causes you to pause for a second or if something doesn’t feel right, reach out to the sender via an alternative method, such as a phone call, to find out if they intended to send the email.  The reason you use an alternative method is if someone did “hack” their email, the hacker could receive your reply/question asking if they meant to send the email.  If a hacker still has control over their email, the hacker could respond and say the email is legitimate when it isn’t.

In this scenario, the user did not know the sender.  The first obvious warning sign would have been there is no valid reason an unknown person would have sent them a receipt.    If they had done business with someone new recently and weren’t sure if the email was legitimate, they should have called the sender to verify the email was legitimate. 

Please Note:  You should never reply to the email, call/use phone numbers or click on links listed in the email if you are suspicious it might be fake or malicious.  You should find the contact information for the sender/company by a different method such as internet search, phone book, or physical business card you have on hand.

The use of “receipt” but then changing the word to “invoice” later in the email should have been a warning sign.  The change in language could have been an accident, but this is definitely something that would have made me suspicious based on the warning signs already presented.

The random numbers at the bottom of the email should have been another indicator something was suspicious.

Asking for the user to pay the invoice (“remit the payment”) was another warning sign.  This is known as a “call to action”.  Malicious emails will often use “calls to action” to get users to do something they normally wouldn’t such as saying their account will be deleted if they don’t click on the link provided to update their account information or asking for them to “remit the payment” as it does in this email.  “Calls to action” use our helpful nature, curiosity or fear against us.

Another warning sign for this email would have been the sender including/requiring a password to open the attachment.  We will discuss the reasons why this is a warning sign on the next screenshot. 

After the user in this scenario downloaded and attempted to open the attachment, they were prompted to enter a password to open the file.

This is another obvious warning sign.  Attackers will often include passwords to make the attachment seem more official or legitimate.  Attackers will also use password protected attachments so the attachment will get through anti-virus or security software.  If this email would have been from someone the user had dealt with previously, the same suggestion of reaching out to the sender via phone (from a phone number found on an internet search, phone book or physical business card) to ensure the email and password is valid would apply.  If the user had never dealt with the sender previously, they should have just deleted the email without downloading or opening the attachment.

Please Note:  The main reason you would password protect a file is for security reasons.  If I were going to send you an attachment with personal information, I would password protect the file so if the email went to the wrong person, was read by the wrong person or your email was “hacked”, the attachment couldn’t be opened.  I only want the intended recipient to be able to open the attachment.  This means I would NOT include the password in the same email as the attachment as that would totally defeat the purpose.  If someone got a hold of the email, the password is right there and the attachment could be opened.  I would send the password by another means.  Either to a different email address, via text message, or while talking on the phone.  So the fact the password is included in the same email with the attachment is another major warning sign the email is malicious.

The user in this scenario entered the password included in the email and was then prompted to enable macros.

The fact the receipt was a Word document should have raised some alarms.  A legit business would normally send a receipt in pdf or picture format (jpeg, gif, tif, etc.) so the receipt wouldn’t be edited easily.  I would go a bit further and say there’s usually no reason a receipt would ever be saved or sent as a Word, Excel or PowerPoint document. 

Please Note:  Even if the email included a pdf or jpeg attachment instead of a Word document, it wouldn’t mean it would be safe to open.  Malware/viruses can be sent via pdf files as well.  Safe email practices should still be followed such as not opening attachments, clicking links within or replying to suspicious emails (especially from unknown senders).

Requiring the user to enable macros should have been another red flag.  Attackers will often use macros to hide various things such as an executable program, a link to a malicious website, etc.  In this example, there would be no reason for a receipt to have macros.  Macros are to enable some sort of input, but a receipt is informational like it is when printed at a cash register.  I would never enable macros on an attachment sent to me in an email without calling the sender to find out exactly why there are macros in the document.  If there isn’t a legit requirement for the macros, I would ask the sender to resend the document without macros enabled.

After the user enabled the macros and opened the Word document, they were eventually presented with the following screens.  These are instructions on how to recover the key to “unlock” (decrypt) your files.  As stated earlier, it is recommended to not pay the ransom for various reasons and again, it’s best to have good backups of your data in case your computer is infected with ransomware, another virus, or it fails to operate.

That is the end of this ransomware scenario. In case you were wondering, the user did have good backups.  They had one of their IT friends “re-image” (rebuild) their computer to remove the ransomware virus and the IT person then restored all of their data from backups.

If you were like the user above (downloaded and opened the file), you should consider your computer compromised and should follow some of the steps as outlined in our blog post What should I do if my device is lost or stolen....  After reading the post and seeing all of our recommendations, at a minimum we would have someone reimage the computer to ensure no viruses/malware are lingering and capturing your data (passwords, personal information, etc.).