Warnings have been issued about a new ransomware variant being used in targeted attacks on healthcare organizations, and about IRS-, FBI- and Hurricane Harvey-themed phishing attacks.
A new ransomware variant is being used in highly targeted attacks on healthcare organizations in the United States and United Kingdom. Defray ransomware is being distributed in small email campaigns using carefully crafted messages specifically developed to maximize the probability of a response from healthcare providers.
The messages claim to have been sent from the Director of Information Management and Technology at the targeted organization and include the hospital’s logos. The documents claim to be patient reports detailing important information for patients, relatives and carers. The messages are being sent to specific individuals in organizations and via distribution lists.
The campaigns involve Microsoft Word documents with embedded OLE packager shell objects. Clicking the embedded executable to view the content of the document results in Defray ransomware being downloaded. No free decryptor is currently available. Recovery depends on backups being available; otherwise a ransom of $5,000 per encrypted device must be paid for the decryption keys.
The scams were uncovered by researchers at Proofpoint, who believe the actors behind the campaigns are likely to continue to conduct highly targeted attacks rather than use the spray and pray tactics more commonly associated with ransomware distribution.
As always, the advice is to ensure backups are regularly performed and end users are made aware of the risks of clicking links or opening attachments from unknown senders.
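One way a mail gateway or triage script could flag Word attachments that carry embedded OLE Packager objects like those described above. This is an added example, not code from Proofpoint or the article; the function names and the sample container are constructed for illustration, and the check assumes the object shows up either as ProgID="Package" in OOXML markup or as an Ole10Native stream in a compound file.

```python
import io
import re
import zipfile

# Stream name the Object Packager writes inside an OLE compound file;
# compound-file directory entries store names as UTF-16LE.
OLE10NATIVE = "\x01Ole10Native".encode("utf-16-le")
# ProgID that OOXML markup records for a Packager object.
PACKAGE_PROGID = re.compile(rb'ProgID\s*=\s*"Package"', re.I)


def find_packager_objects(data):
    """Return the reasons a Word file (as bytes) appears to embed a Packager object."""
    hits = []
    if zipfile.is_zipfile(io.BytesIO(data)):      # OOXML container: .docx / .docm
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for name in zf.namelist():
                body = zf.read(name)
                if name.endswith(".xml") and PACKAGE_PROGID.search(body):
                    hits.append(f"{name}: ProgID=Package")
                if name.startswith("word/embeddings/") and OLE10NATIVE in body:
                    hits.append(f"{name}: Ole10Native stream")
    elif OLE10NATIVE in data:                     # legacy .doc is itself a compound file
        hits.append("compound file: Ole10Native stream")
    return hits


def constructed_docx(with_package):
    """Build a minimal constructed OOXML container for the demo (not a real sample)."""
    xml = b"<w:document><w:body><w:p/>"
    if with_package:
        xml += b'<w:object><o:OLEObject Type="Embed" ProgID="Package" r:id="rId5"/></w:object>'
    xml += b"</w:body></w:document>"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("word/document.xml", xml)
        if with_package:
            # Placeholder bytes standing in for the embedded compound file.
            zf.writestr("word/embeddings/oleObject1.bin",
                        b"\x00" * 64 + OLE10NATIVE + b"\x00" * 64)
    return buf.getvalue()


if __name__ == "__main__":
    for label, flag in (("clean", False), ("packager", True)):
        print(label, find_packager_objects(constructed_docx(flag)))
```

A hit is a reason to quarantine the attachment for review rather than proof of malice, since Packager objects also appear in legitimate documents.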
Hurricane Harvey Phishing Scams
Natural disasters draw out the scammers and Hurricane Harvey is no exception. US-CERT has recently issued a warning to consumers and businesses to be alert to Hurricane Harvey phishing scams. Scammers take advantage of interest in natural disasters to phish for sensitive information, install malware and ransomware, and fraudulently obtain charitable donations from the public.
Email and social media scams can be expected and users should be alert to the risk of malicious cyber activity. Emails relating to the relief efforts or updates on Hurricane Harvey should be treated as suspicious. Links in the emails should not be clicked and attachments not opened.
Email requests for charitable donations to help the victims of the disaster should be treated as suspicious. Rather than using links in the emails, US-CERT recommends obtaining trusted contact information for the charity via the Better Business Bureau National Charity Report Index and independently verifying the legitimacy of any email request for donations.
FBI and IRS-Themed Phishing Emails
An alert has been issued about a new phishing scam that uses both the FBI and IRS emblems to fool users into installing ransomware. The emails relate to an FBI questionnaire that needs to be downloaded, printed, completed, scanned and returned.
A link is included in the email to download the form, which the scammers suggest is related to changes to tax laws. Clicking the link will result in ransomware being downloaded. The IRS has reconfirmed it does not initiate communication via email, text message or social media posts.
IRS commissioner John Koskinen said, “People should stay vigilant against email scams that try to impersonate the IRS and other agencies that try to lure you into clicking a link or opening an attachment. People with a tax issue won’t get their first contact from the IRS with a threatening email or phone call.”