The Check Point Incident Response Team (CPIRT) has received numerous reports of ransomware being spread via fake utility bills.
According to a company blog post, the campaign uses realistic-looking e-mails sent from compromised e-mail accounts. The malware also appears to install keyloggers and to harvest e-mail account credentials, which the attackers then use to spread the campaign further.
Users receive the e-mail and must click a link in it. The link leads to a compromised website, which redirects them to a fake utility-provider site; at the time of writing the attackers are impersonating AGL.
Check Point says the fake page looks realistic and contains a CAPTCHA that users must complete. If a user visits the page from a mobile device or an Apple Mac, it returns an error message saying the page must be accessed from a Microsoft Windows computer. As a result, a number of users have forwarded the e-mail to their corporate address and opened it from a Windows workstation, bringing the infection inside the organisation.
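The operating-system check described above is worth modelling, because it does not only steer victims onto Windows: it also defeats any URL scanner or sandbox that fetches the link with a non-Windows User-Agent, since such a scanner sees nothing but the error page. The following Python is an added example, not Check Point's code and not anything captured from the campaign. The User-Agent strings, the `fake_bill_page` stand-in (with its placeholder HTML), the `fetch` callable interface and the `probe_os_gating` helper are all assumptions constructed for illustration; everything runs offline.

```python
"""
Model of User-Agent-based OS gating on a phishing landing page, plus an
analyst probe that detects it by requesting the same URL as several clients.

Added example: not Check Point's code, not captured from the campaign.
All network access is simulated with a constructed in-memory page handler.
"""
import hashlib
import re

# Assumed User-Agent strings (typical values, not taken from the campaign).
USER_AGENTS = {
    "windows_desktop": ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
                        "(KHTML, like Gecko) Chrome/58.0 Safari/537.36"),
    "mac_desktop": ("Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12) AppleWebKit/603.1.30 "
                    "(KHTML, like Gecko) Version/10.1 Safari/603.1.30"),
    "iphone": ("Mozilla/5.0 (iPhone; CPU iPhone OS 10_3 like Mac OS X) AppleWebKit/603.1.30 "
               "(KHTML, like Gecko) Mobile/14E277"),
    "android": ("Mozilla/5.0 (Linux; Android 7.0; SM-G930V) AppleWebKit/537.36 "
                "(KHTML, like Gecko) Chrome/58.0 Mobile Safari/537.36"),
    "curl": "curl/7.52.1",  # what a naive URL scanner or fetch script might send
}


def is_windows_desktop(user_agent):
    """Classify a UA string the way a gating page would: a Windows NT token
    and no phone/tablet marker. Anything else is treated as 'not a target'."""
    ua = user_agent or ""
    if "Windows NT" not in ua:
        return False
    return re.search(r"Windows Phone|Mobile|Tablet", ua) is None


def fake_bill_page(headers):
    """Constructed stand-in for the fake utility-bill page (hypothetical, not
    the real site). Only Windows desktops see the 'bill' content; everyone
    else gets the error the article describes. Both paths return HTTP 200,
    so status codes alone would not reveal the gating."""
    if is_windows_desktop(headers.get("User-Agent")):
        # Placeholder content; the article does not describe the real payload page.
        return 200, "<html><body>Your bill is ready. <a href='#'>Download</a></body></html>"
    return 200, ("<html><body>Error: this page must be accessed from a "
                 "Microsoft Windows computer.</body></html>")


def _fingerprint(body):
    """Collapse whitespace and hash, so trivial formatting differences do not
    count as divergence. Pages with nonces or timestamps still need a
    structural comparison; see the note below."""
    normalised = re.sub(r"\s+", " ", body).strip()
    return hashlib.sha256(normalised.encode("utf-8")).hexdigest()[:16]


def probe_os_gating(fetch, url):
    """Request `url` once per User-Agent. `fetch(url, headers)` must return
    (status, body); in a real analysis it would wrap an HTTP client.
    Returns whether any client got a different response from the Windows
    desktop, and which ones."""
    responses = {}
    for name, ua in USER_AGENTS.items():
        status, body = fetch(url, {"User-Agent": ua})
        responses[name] = (status, _fingerprint(body))
    windows = responses["windows_desktop"]
    divergent = sorted(name for name, resp in responses.items()
                       if name != "windows_desktop" and resp != windows)
    return {"gated": bool(divergent), "divergent_clients": divergent, "responses": responses}


if __name__ == "__main__":
    # Simulated fetch against the constructed gating page (no network used).
    report = probe_os_gating(lambda url, headers: fake_bill_page(headers),
                             "http://example.invalid/bill")
    print("OS-gated:", report["gated"])
    print("Clients that saw a different page:", report["divergent_clients"])
```

The practical lesson for a sandbox or URL-scanning service is that the Windows desktop User-Agent must be one of the identities used to fetch a suspicious link, and that a divergence between clients is itself a signal worth alerting on. In a real probe the `fetch` callable would also record the redirect chain (the article describes a compromised site bouncing visitors to the fake one), and the byte-level fingerprint should be backed by a structural comparison (page length, link targets, form fields) so that per-request nonces do not produce false positives.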
Check Point says its anti-virus detects and blocks the ransomware currently in circulation, and that its Incident Response and ThreatCloud Intelligence teams are actively monitoring the campaign and protecting Check Point customers.
The Check Point Incident Response Team recommends that organisations deploy HTTPS inspection, sandboxing in hold-and-prevent mode (so a file is held until the verdict is known rather than delivered and analysed in parallel), and application whitelisting, and that they scrub incoming documents of active content.
“It is important that organisations review and test their backup strategies as ransomware will frequently delete previous versions and encrypt data on file shares,” Check Point says.
Check Point says it is important that organisations make their users aware of the widespread prevalence of ransomware and the damage it can cause.
It is also important that organisations deploy controls that keep up with the changing landscape especially:
1. HTTPS inspection
2. Sandboxing that can hold and prevent the initial file
3. A well-rehearsed and tested incident response plan