Usually the spam campaigns used by ransomware are the ones that come with a compressed attachment (.zip) that contains the malicious code to be executed by the user. This can be a PE file (usually .exe), a script (.js, .vbs, .wsf, etc.) or a Word document (this one might be compressed or not). Another approach (rather successful for cybercriminals as we saw in the fake utility invoices campaign) is to include in the email message just a link, that will take the victim to a website where he will download the compressed file.
What’s the frequency of these attacks? Taking a look at our data, during the last couple of months we have stopped quite a few ransomware attacks using either PE or script files that came via email (either attached or going through a website):
In total we have blocked 22,665 infection attempts. Take into account that this is what has evaded all previous security layers in place (signatures, heuristics, malicious websites filters, etc.) so the real number is obviously higher, but this is what made it through all of them and the user tried to infect himself. You can realize that there is a pattern as there are usually 2 days where there are fewer infection attempts blocked followed by 5 days where they increase; yes, cybercriminals love enjoying weekends too. It is also normal as the main target nowadays are companies, and they are more active from Monday to Friday.
Let’s take a look and see how popular malicious Word documents are compared to malicious scripts. For the same period of time we have blocked 3,943 infection attempts:
The same weekend-related pattern happens here. Word is not the only Microsoft Office type abused, there are other with are not that common in these campaigns but that show up from time to time. For example, in the last 2 months we have only seen 1 spam campaign using Excel:
That’s all for now, in a couple of weeks I’ll publish the next article of this series explaining how to take advantage of ransomware features to stop infections.