A ransomware attack has, for the first time, been documented as dropping keyloggers and trojans onto compromised systems.
In an alert issued on Thursday, The Internet Crime Complaint Center (IC3) warned about a recent wire transfer scam that often shows up immediately after a ransomware attack. The “Business E-Mail Compromise” (BEC) attack has impacted victims in every U.S. state and 45 countries. Plus, it has netted perpetrators more than $179 million in just 14 months.
The scam has three versions, the primary of which targets C-level executives by compromising their email accounts and using them to send a phony wire transfer request to an employee. The transfer, of course, is to be sent to the attackers' account.
Another version of the attack spoofs a vendor email to an employee and requests a wire transfer to a different bank account than usual. The spoof can also come through a phone call or facsimile. Often times, victims fall for the attack because of the email's uncanny resemblance to an already familiar vendor's.
A third version of the attack compromises an employee's email and requests invoice payments from vendors in the employee's contact list.
The peculiar ransomware aspect of the attack, however, said Stu Sjouwerman, founder and CEO, KnowBe4, in an interview with SCMagazine.com, adds a new dimension to the ransomware underground world.
Previously to this attack, ransomware really only held data files hostage, but this attack is, Sjouwerman said, “taking it to a whole new level.”
IC3 and Sjouwerman haven't explicitly pointed to the ransomware as the root cause of infection, however, both noted its presence, and Sjouwerman said it is a logical conclusion to make.
The attackers are thought to be in Asia, most likely in China, because of the locations of the bank accounts.
IC3 suggests avoiding free web-based email, establishing digital signatures, and deleting spam to mitigate the risk of attack.