Here is the latest tactic in the cat-and-mouse game between cybercrime and security software vendors. The bad guys have come up with new a ransomware phishing attack, tricking users to open what appears to be a document scanned from an internal Konica Minolta C224e. This model is one of the most popular business scanner/printers in the world. The emails are written to make the user think that the communication is from a vendor.
Basically, Locky is back with a vengeance and a whole new bag of evil tricks.
The campaign launched Sept. 18 features a sophisticated new wrinkle, enabling it to slip past many of the machine learning algorithm-based software sold by some of the industry’s most popular vendors, said security firm Comodo.
“The method of phishing is by an attachment of an email; the attachment is disguised as a printer output, and it contains a script inside an archive file,” said Fatih Orhan, vice president of Comodo Threat Research Labs. “These are not enough to make a phishing detection.”
This is the third recent Locky attack
The third in an increasingly sophisticated series of ransomware attacks launched this summer is also a “Locky” malware variant dubbed IKARUS by Comodo, some other other security vendors are calling it Diablo6.
As in previous attacks, the hackers are using a botnet of zombie computers which makes it hard to block in spam filters.
“Employees today scan original documents at the company scanner/printer and email them to themselves and others as a standard practice, so this malware-laden email looks quite innocent but is anything but harmless,” the report continues.
The most innovative hook of this new feature involves the way the hackers manage to evade anti-malware software.
Here is how it evades machine learning
“Machine learning algorithms need to extract the attachment, open the archive, extract the script and understand it has a malicious intent,” said Orhan, the Comodo research head. “But usually, these scripts contain just a download component and do not have malicious intent on their own.”
“That’s why even machine learning is not sufficient in making these kind of detections,” he continued. “Complex solutions are needed to run the script dynamically, download actual payload, and perform malware analysis to conclude that it is phishing.”
In other words, it looks like that again the bad guys are ahead of your spam filters, whether that is a traditional or new machine-learning flavor.
Now, the Locky payload still ultimately uses an executable file written to disk, so your endpoint security may be able to block it. There are other types of attacks that take advantage of machine learning blind spots (fileless attacks, for example), but this isn't one of them. What the bad guys behind Locky count on is cranking out so many new variants that antivirus (even some machine learning ones) won't recognize and block it.
What do you do when all filters have failed?
Your users still are and will remain your last line of defense, when all filters have failed. You need to create a human firewall. New-school security awareness training is the way to go. Join 13,000 KnowBe4 customers and keep the bad guys out of your network.
I strongly suggest you get a quote for new-school security awareness training for your organization and find out how affordable this is. You simply have got to start training and phishing your users ASAP. If you don't, the bad guys will.
Get a quote now and you will be pleasantly surprised.
Don't like to click on redirected buttons? Cut & Paste this link in your browser:
Let's stay safe out there.
Founder and CEO, KnowBe4, Inc