Security researchers are warning of a sudden spike in the number of infected emails carrying malicious attachments that download and install ransomware onto the recipient's device. When opened, it encrypts the victims' files on their PCs and demands a ransom for decryption.
Security expert Rodel Mendrez from Trustwave wrote in a blog post that around 4 million malware spam instances have been recorded in the last seven days, with 200,000 emails hitting their servers in a single hour.
Behind the surge is a malware strain called Locky, which emerged two weeks ago and is distributed by the same botnet that used malicious macros in documents to download the Dridex trojan.
Mendrez writes that this type of malware has a 'very destructive payload', and includes a walkthrough of exactly how it works to take hold of a user's data.
After encrypting an infected machine, Locky asks for a payment of 3 bitcoins (£885) in exchange for a decryption key.
So how do you prevent yourself becoming a victim?
As spotting these emails manually can be virtually impossible, Mendrez advises that a robust gateway blocker is the only real solution.
'For those wanting extra protection, also carefully consider your inbound email policy,' says Mendrez. This means blocking inbound .js attachments and inbound Office documents at the gateway.
'While these steps might seem very strict, some companies have opted for them, at the same time as considering alternative ways to pass valid .js and macro documents into the organisation.'
'And of course your last line of defense against ransomware infection is always having an up to date and good backup process.'
Ransomware attacks are growing more common because they are effective, and lucrative. Last year the prevalent Cryptowall ransomware cost businesses in the US at least $325 million.
As David Gibson, VP of strategy and market development at insider threat protection specialist Varonis explains, ransomware is effective because it’s relatively easy to trick someone into downloading malware via phishing.
'Once a user launches a piece of ransomware it often won’t be detected (until it’s too late) because most aren’t watching or analysing file activity on networked file shares or in SharePoint.'
This means that it’s difficult to spot and stop an attack/infection while it’s in progress. Without a record of activity, it’s difficult to know which files were encrypted and when, so recovering from backup can be challenging.
'It’s lucrative because many people and organisations end up deciding it’s just easier to pay,' says Gibson. 'User Behaviour Analytics that incorporates file activity can help detect and stop the spread of malware, and make recovery much more straightforward.'