A Southern Ontario executive recently victimized by ransomware thought he was knowledgeable about computing and security. But curiosity got the better of him last month and he opened an email attachment.
“I was an idiot for checking on it,” Robert said Wednesday, who asked that only his first name be used and the company not identified to protect the firm against possible further attacks.
However, his story is a lesson on why having a robust backup and recovery strategy and regular awareness training is vital at a time when ransomware – whether targeted or not – is spreading.
According to a study released Wednesday by backup provider Datto of 1,100 Managed Service Providers (MSPs) in the U.S., Canada, Australia, the U.K., 60 per cent of respondents said their customers said they had suffered up to five ransomware attacks in the previous 12 months. Forty per cent reported six or more attacks.
Thirty-one per cent of IT service providers said there had been multiple ransomware attacks against small business clients in a single day.
In Robert’s case he had just become head of a small company, which included taking over the previous executive’s email account.
Going through the mail that first morning last month there were a number of messages such as “Here is the financial statement you wanted,” with attached invoices or spreadsheets which. Robert thought some might be for the former executive and should be forwarded. To be sure, he scanned one file with anti-virus software that had a .DOCM extension and found no warnings. Then, to make certain the message was for the former exec, he opened the file.
At first, there was only a blank document. “I began to smell a rat,” Robert said. Shortly afterwards a ransom message popped up demanding payment in Bitcoin if he wanted encrypted files to be released.
“I didn’t believe it at first. I thought it was something to trick you into downloading an anti-virus program.” But then he checked his PC’s directories and found all files had been renamed with .Zepto extension, meaning they had been encrypted with the Zepto ransomware. Also infected were attached drives, including the company’s servers and several PCs.
The DOCM file was a Microsoft Word macro that delivered the payload.
According to a recent blog from security vendor Sophos, Zepto ransomware has been seen increasingly since July, usually with ZIP or DOCM attachments. The ZIP file contains a Javascript file that downloads the ransomware. Sophos says Zepto has a lot of similarities with the Locky ransomware.
In Robert’s case, fortunately his company had a strong backup provider who within hours was able to restore the server. His computer, however, had to be wiped and several files were lost.
“It was my first 10 minutes (in the new job) going through these emails,” Robert says in his defence, and he scanned the file – but he also kicks himself for not being careful enough.
He did one thing right before clicking on the Word documents, doing a lookup to see check the message sender; but it looked legit. On the other hand, the message wasn’t personally addressed to the former exec. Another clue was that it would be unusual to send a “financial statement” to this particular company. A third reason to be suspicious is that a DOCM attachment is a signal it has a macro.
Having anti-virus software isn’t a complete defence against any type of malware, particularly signature-based AV, which is why regular awareness training is vital along with a backup and recovery strategy. That strategy could include real-time backup if necessary, as well as ensuring the backup is not on a network drive that could be infected.
An email gateways that scans and quarantines malicious attachments is important – and if it slows mail, tough.
In addition, Sophos recommends IT set browsers to open .JS (Javascript) files to open in Notepad, to set Windows show file extensions, and set Microsoft Office to not allow macros in documents from the Internet.
And having all staff be vigilant is essential. “In the same day I might have four or five” suspicious emails with slightly different senders, says Robert. “Now I know what they look like I either mark them as junk or delete them.”
“If you’ve got mission critical data is worth having a proper backup solution,” he says. “and never click on anything with DOCM and be careful with ZIP files.”