Ransomware continues to be one of the largest areas of cybersecurity claims for businesses and local governments. Over the past few weeks, we have witnessed a spike in ransomware infections and claims across Coalition insureds – and we project the number and frequency to continue to rise throughout the holiday season.

Why the holidays?

Hackers are always looking for the easiest ways to take advantage of people. They recognize that over the holidays employees are often out celebrating with their family, and use this as an opportunity to do their dirty work while people aren’t paying as close attention, because they can maximize the damage they can cause. Don’t let these bad actors ruin your holidays!

What’s happening?

Specifically, we’ve been seeing an increasing number of infections from a piece of malware called “Trickbot.” Trickbot is a banking trojan, originally created to steal banking credentials from various browsers, but has now evolved for other purposes - including installing ransomware.

As of July 2019, it is estimated that Trickbot has harvested over 250 million email addresses and passwords (and growing!), all from people opening an attachment or clicking a link.

Here’s how Trickbot works

• Trickbot first enters a company network by an employee either opening an infected email attachment (macro-enabled MS Excel spreadsheets, MS Word documents, or PDFs) or clicking a malicious link (in email or on the web) from untrusted sources.

• Next, it hijacks the user’s email account, and sends an email with the same malicious documents and links to the user’s entire contact list - in order to spread as far and as quickly as possible.

• It then secretly installs a program on the infected computers that connects back to a “command and control” center, which gives hackers full control over the infected computers.

• Hackers use this access to do anything they want - install ransomware, access emails, steal personal/banking information, etc.

• They then wait until the infection has spread throughout the company, installed ransomware and stolen sensitive information from as many computers as they can.

• Finally, when they have decided that they can do the worst damage possible, they spring the trap and activate the ransomware.

Recent case study

Two days after Thanksgiving, CIR (Coalition Incident Response) was engaged to investigate a Trickbot infection. The Client had customers calling them advising that they had spam emails being sent with attachments they did not recognize.

After a review of the emails, we discovered that the malicious actors re-used legitimate email threads from previous conversations to falsely restart the communication and attach a malicious document - in order to further harvest credentials and spread Trickbot.

Upon completion of the investigation, CIR found 4 different employees had Trickbot running on their systems - each sending malicious emails via these previous email threads. Over 14,000 spam emails were sent out posing as the Client employees.

The initial cause of this infection? These employees opened an attachment named “November Invoice Review.doc”. Once opened, Trickbot installed itself and email harvesting began.

What to do?

Ransomware is particularly devastating to its victims. Fortunately, there are a few things you can do to both help prevent infection from occurring and to help recover if an infection does occur.

• Do Not Click Links or Open Any Attachments You Are Not Expecting. If you are not expecting a specific attachment, do not open it for review. Additionally, do not click links within emails if you are not expecting them. Follow up with a phone call to the sender directly, better to be safe than sorry!

• Use Proper Email Security. Always verify that the emails you receive are from legitimate and trusted sources. Inspect the from addresses closely and be wary of downloading any files that you’re not already expecting.

• Use Proper Web Security. Only download files from known and trusted websites. Verify that the URL is not intentionally misspelled to confuse you into downloading malware from a malicious website.

• Disable Office Macros. Macros in Microsoft Office are small pieces of code that run in the background - that code often downloads malware. It’s rare to see macro-enabled Office documents used in normal business (e.g. .docm and .xlsx files). We recommend disabling macros on all computers to prevent ransomware infection.

• Perform Backups. Often the best recovery option for ransomware is restoration from backup. Ensure your organization is performing daily backups on all systems in the event that restoration is required.

• Educate Your Employees. Ensure your employees are aware of this alert to help remind them to stay vigilant. Remember, a single employee’s actions can infect an entire network!

Help!

• If you believe you have been infected by malware, contact Coalition immediately for breach assistance.

• To learn more about malware and ransomware, visit our Coalition Learning Center topic on Understanding and Preventing Malware.

• Learn about how Security Awareness Training can protect your company from these attacks.