Barracuda Networks, a California-based IT security company, has recently discovered an email attack with a double whammy. The email carries a malicious attachment that loads ransomware onto the device while simultaneously stealing the affected user's passwords. The victim therefore does not only have to deal with ransomware removal; they also have to change every compromised login credential.
According to the company's cyber security experts, this new ransomware attack exploits an old Internet Explorer vulnerability identified three years ago. The email attack uses Samba for the download, which lets the ransomware file bypass all of the browser's security features.
It is worth mentioning that Microsoft released a cumulative security patch closing this Internet Explorer vulnerability back in September 2016. Organizations and individuals that neglect to keep their systems current with the latest patches remain susceptible to this ransomware-carrying email attack.
Modus Operandi of this Email Attack
Ransomware attacks delivered through email are nothing new. We have seen many cases in which phishing tactics are used to deliver ransomware to a network or a device. Unfamiliarity with the perpetrators' social engineering tricks is why phishing remains the most effective tool for cybercriminals.
According to Barracuda's investigation, this ransomware-carrying email masquerades as a billing statement or as a message from a financial services provider. The email carries an attachment with a .zip extension, which urges the targeted user to download it immediately.
From here, things turn underhanded. Instead of taking the normal route of downloading the file through an HTTPS address, the file inside the zip folder (a Windows Script File with the extension '.wsf') uses 'file://' to execute the Quant Loader installer using Samba.
Quant Loader is a notorious ransomware-as-a-service Trojan, but in this ransomware-carrying email a password-stealing component has also been integrated into the executable file to make the attack more damaging. According to the researchers, the script files are highly complex and very hard to comprehend, which means that ransomware removal after this attack will also be quite burdensome.
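As an added, defender-side illustration (not Barracuda's tooling or anything from the original report), the following Python checks a zipped email attachment for the delivery pattern described above: a Windows Script File whose contents fetch a payload over SMB through a file:// URL or UNC path rather than HTTPS. The host names, file names and the list of "internal" address ranges are constructed assumptions for the example.

```python
import io
import ipaddress
import re
import zipfile

# Extensions the Windows Script Host runs when the user double-clicks them.
SCRIPT_EXTS = (".wsf", ".js", ".jse", ".vbs", ".vbe")

# Ranges treated as internal (assumption); any other address counts as external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

# file://host/... URLs and \\host\share UNC paths; Windows fetches both over SMB.
FILE_URL_RE = re.compile(r"file:/{2,}([A-Za-z0-9.\-]+)", re.IGNORECASE)
UNC_RE = re.compile(r"\\\\([A-Za-z0-9.\-]+)\\")


def is_external(host: str) -> bool:
    """True unless host is a private IP or a bare (dotless) NetBIOS-style name."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "." in host
    return not any(ip in net for net in INTERNAL_NETS)


def scan_zip_attachment(data: bytes, max_bytes: int = 1_000_000) -> list:
    """One finding per script member that points at an external SMB host."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if not info.filename.lower().endswith(SCRIPT_EXTS):
                continue  # non-script members (PDF, TXT, ...) are not WSH-executable
            text = zf.read(info)[:max_bytes].decode("latin-1")
            hosts = set(FILE_URL_RE.findall(text)) | set(UNC_RE.findall(text))
            external = sorted(h for h in hosts if is_external(h))
            if external:
                findings.append({"member": info.filename, "hosts": external})
    return findings


def build_sample() -> bytes:
    """Constructed attachment: a .wsf loading via file:// from a made-up external host."""
    wsf = ('<job id="statement"><script language="JScript">\n'
           'var src = "file://billing-statements.example.net/docs/Statement.exe";\n'
           'var local = "\\\\FILESRV01\\public\\readme.txt";\n'  # internal UNC, not flagged
           '</script></job>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Billing_Statement_0417.wsf", wsf)
        zf.writestr("notes.txt", "file://203.0.113.10/x (text file, not a script)")
    return buf.getvalue()
```

Blocking outbound TCP port 445 at the network perimeter addresses the same step from the network side, since the file:// fetch needs SMB to reach the remote host.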