Beware of This Ransomware Strain and Its Dangers for Cloud E-mail.

We recently came across some chilling news. A white hat hacker developed a working “Ransomcloud” strain, that encrypts cloud e-mail accounts like those in Office 365, and it does this in real time. This strain uses a smart social engineering tactic to trick you into giving the bad guys access to your cloud e-mail account. This means that if you open your e-mail in a browser, it can encrypt the whole lot right in front of your eyes. Thankfully, Ransomcloud hasn’t hit the wild yet. With that said, there’s no reason why it wouldn’t, especially because it’s not all that hard to do.

• Scareware is malware that works for both security software and tech support. It can be recognized by its notification telling you that your computer is plagued with a specific bug or virus. In order to remove it, you need to pay a fee to the hacker.
• Screen Locker uses an official-looking seal from government programs such as the FBI or Department of Defense. It locks your computer screen and requests that you pay a fine to unlock it and retrieve your data.
• File-Encrypting Ransomware is a type of malware that tricks you into clicking on a suspicious link or opening a phishing e-mail. Ransomcloud is the newest variant of file-encrypting ransomware and is incredibly dangerous. In the Ransomcloud Demo Video, Kevin Mitnick, KnowBe4’s Chief Hacking Officer, shows us the dangers of this new variant and what it means for our cloud-based emails. Once the Ransomcloud is initiated, either by clicking on the link or opening the e-mail, it immediately begins encrypting or scrambling e-mails. This is especially dangerous if you are connected to a corporate network that shares access to files, such as a shared cloud. Any files you have access to can be encrypted.

Often the malware is represented as something else. For example, the e-mail can come through as an update or program that is beneficial to you. For example in the demo video, the e-mail looks like it was from Microsoft. The e-mail may appear to come from a large company such as Microsoft–even using authentic logos–It’s important to look for anything suspicious before opening it or clicking on it. If you see that the e-mail says that Microsoft is launching a new anti-spam pro product, without taking a deeper look, you could easily shrug it off as authentic.  (Keep in mind, that while this specific example uses the ruse of a “new Microsoft anti-spam service” it could be anything from any company as long as it helps the hacker reach their goal.) Since the e-mail stated that this new program will keep spam from your Outlook 365 inbox it wouldn’t be suspicious if it asked you to stay logged in and provide access to your data.

As soon as you accept these terms, the fatal mistake is made. You are essentially providing an “OAuth token,” which gives the hacker complete control. Once that OAuth Token is given up, all of your e-mails and attachments are encrypted real-time! The horrifying thought is that a Ransomcloud attack will work for any cloud e-mail provider that allows an application to give control through e-mail. It will also work for Google. After the link is clicked, and you go back to your e-mail, at first, it looks perfectly fine; then you’ll see changes moving swiftly throughout each and every e-mail in your inbox. All of your e-mails are quickly encrypted, leaving only the header readable.

Ransomware earns its name for what it does next.

Next, you’ll be notified that to decrypt your data you must pay a ransom. The hacker will explain how to do this.

The ransom is typically requested in the form of bitcoins. Bitcoins were created in 2009, as a new form of currency. When using this currency, there’s no need for banks or other middlemen, to intervene. The transaction is just between you, your bitcoins and your supplier. So why would bitcoins be a common currency for ransomware attacks? Because Bitcoins can be used without the name and paper trails (which can be limiting to criminals). Additionally, Bitcoins don’t use credit reports, or fees, and can work internationally without the regulations that other currencies are subjected to.

Using bitcoins gives this crime another shade of elusiveness. In the KnowBe4 Ransomcloud Demo video the hacker’s ransom e-mail states that the cloud e-mails have been encrypted and if the user wants the decryption code, they must pay a fee of $300 bitcoins to be sent to a specific bitcoin address. The video ends with the user paying the hypothetical $300 bitcoins and receiving the decryption code. Just as quickly as it started, it’s over, and the e-mails all return to their readable status.

The dangers of this are especially pertinent if you and your employees are working in a cloud-based environment. This is why it’s especially important to train your employees to be vigilant to secure your business data. They should carefully look at each e-mail prior to opening it or clicking on links. One small click of the mouse can turn into a world of trouble for your business.

The Take-Home Message

Simple training can help secure your company and your data. Training staff to spend a little more time when sorting through e-mails could save your business from a ransomware attack. This is where the importance of the training comes in. Employees should be trained to recognize ransomware emails and constantly look for ones that are suspicious, such as those containing simple grammatical mistakes or excessive punctuation. You should have a policy in place that tells them how to flag suspicious e-mail. Additionally, employees should all be trained on the importance of not opening or clicking on suspicious e-mails or links.