With ransomware becoming so common these days, it feels like we’re getting a bit numb to this especially malicious — and potentially expensive — form of digital attack.
But a recent ransomware event in San Francisco is a reminder that we must stay ever vigilant to threats targeting our digital devices.
A bit of turnaround: An attacker gets hacked
Recently, San Francisco’s Municipal Transportation Agency was a victim of ransomware, and, for a short time, it was unable to run any of its toll booths. Over a weekend, all rides were free — a boon for riders, but a lesson that could have been expensive for Muni. (The agency was able to restore its computers from backups.)
In a rare and interesting twist to this story, a security researcher appears to have hacked the inbox of the attacker, as detailed in a recent KrebsonSecurity post. As noted in this excellent read, the attacker had successfully targeted manufacturing and construction firms, which had to cough up Bitcoins to get their data back.
Ransomware and other malware can arrive in many disguises. Recently, my office has received particularly persistent phishing emails from someone who appeared to be asking about our services. We became more suspicious when the sender required that all communications be through email; the person claimed to be out of town and unable to meet in person.
When we questioned the emails’ validity, the sender appeared to have moved on to greener pastures. But then this week, he sent a follow-up email with two attached files: one a Word doc and the other a PDF. Word and PDF files are often used to hide malicious content. The bogus code typically runs macros to access other programs, using those apps as “launching pads” to pull down the full infection from an attacker’s online server.
I use two different platforms to scan potentially suspicious content. The first is a virtual sandbox that lets me see what the file might actually do. I can even get screenshots of what a suspect file looks like on a virtual Win7 machine. The other platform runs the files against a large collection of antivirus programs and reports any detections.
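Before an attachment ever reaches a sandbox or a multi-engine antivirus scan, a quick static check can already flag the two traits described above: an Office document that carries a VBA macro project, and a PDF that carries an auto-run action or embedded script. The script below is an added example, not the author's tooling and not the scanning platforms the post refers to. It assumes the standard OOXML layout (a zip container with the VBA project stored as `vbaProject.bin`) and looks for well-known PDF name objects (`/OpenAction`, `/AA`, `/JavaScript`, `/JS`, `/Launch`, `/EmbeddedFile`), after decoding the `#xx` hex escapes that PDF allows inside names. The sample attachments are constructed inline so the check runs offline.

```python
"""Static pre-scan of e-mail attachments for macro-bearing Office files and
action-bearing PDFs. Added example; not the post author's tooling."""
import io
import re
import zipfile

# OOXML extensions we treat as Office containers (assumption: the usual set).
OFFICE_EXTS = (".docx", ".docm", ".dotm", ".xlsx", ".xlsm", ".pptx", ".pptm")
# PDF name objects that commonly mark an auto-launch or script payload.
PDF_RISKY_NAMES = (b"/OpenAction", b"/AA", b"/JavaScript", b"/JS",
                   b"/Launch", b"/EmbeddedFile")


def office_has_macros(data: bytes) -> bool:
    """True if an OOXML blob (docx/docm/xlsm/...) contains a VBA project part."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return False  # not an OOXML zip (legacy .doc/OLE is out of scope here)
    return any(n.endswith("vbaProject.bin") for n in names)


def _decode_pdf_name_escapes(data: bytes) -> bytes:
    """Expand '#hh' hex escapes so '/J#61vaScript' is seen as '/JavaScript'."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), data)


def pdf_risky_names(data: bytes) -> list:
    """Return the risky PDF names present, in PDF_RISKY_NAMES order."""
    normalized = _decode_pdf_name_escapes(data)
    found = []
    for name in PDF_RISKY_NAMES:
        # Match as a whole token: '/JS' must not match inside '/JSomething'.
        if re.search(re.escape(name) + rb"(?![A-Za-z0-9])", normalized):
            found.append(name.decode())
    return found


def triage_attachment(filename: str, data: bytes) -> dict:
    """Classify one attachment from its bytes; returns verdict plus reasons."""
    reasons = []
    lower = filename.lower()
    if lower.endswith(OFFICE_EXTS):
        if office_has_macros(data):
            reasons.append("Office document carries a VBA project (macros)")
    elif lower.endswith(".pdf") or data.startswith(b"%PDF"):
        names = pdf_risky_names(data)
        if names:
            reasons.append("PDF contains auto-run/script names: " + ", ".join(names))
    return {
        "file": filename,
        "verdict": "suspicious" if reasons else "no static indicators",
        "reasons": reasons,
    }


# --- constructed sample attachments (not real malware) ----------------------

def make_docx_like(with_macros: bool) -> bytes:
    """Build a minimal OOXML-style zip; the VBA part is a placeholder blob."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            zf.writestr("word/vbaProject.bin", b"constructed placeholder, not VBA")
    return buf.getvalue()


SAMPLE_PDF_CLEAN = (b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n%%EOF")
# Uses a hex-escaped name to show that the normalisation step matters.
SAMPLE_PDF_RISKY = (b"%PDF-1.4\n"
                    b"1 0 obj << /Type /Catalog /OpenAction 3 0 R >> endobj\n"
                    b"3 0 obj << /S /J#61vaScript /JS (constructed placeholder) >> endobj\n"
                    b"%%EOF")

if __name__ == "__main__":
    for name, blob in [("quote.docm", make_docx_like(True)),
                       ("notes.docx", make_docx_like(False)),
                       ("invoice.pdf", SAMPLE_PDF_RISKY),
                       ("brochure.pdf", SAMPLE_PDF_CLEAN)]:
        print(triage_attachment(name, blob))
```

This is a pre-filter, not a verdict: names inside compressed object streams are invisible to a raw byte search, legacy binary .doc files are not covered, and a clean result says nothing about what the file does when opened, which is exactly what the sandbox and multi-engine scan described above are for.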