4 ways to spot Ransomware

Ransomware is a topic that you’re surely familiar with by now, given its resurgence in 2016. If you’re not, Ransomware is a form of malicious malware that encrypts (or locks down) users’ files and demands a ransom for their decryption (or release) – which is where the name comes from.

Ransomware is most commonly distributed through malicious emails. Once upon a time, emails distributing malware were easy to spot. Hackers would distribute malware in a ‘spray and pray’ attack, sending simple and nonsensical emails to a large batch of email addresses in the hope that someone gullible might click the link or download the attachment. While some less advanced cyber criminals may still use this method, many modern hackers are now much more sophisticated.

2016 has seen an increase in ‘spoofing’ as a method of spreading malware; this means the hackers will pose as someone reputable, like your CEO, or someone you know and trust, like the colleague you work closely with on a daily basis. They do this to gain your trust and lull you into a false sense of security. They’ll use the language that your co-worker uses by monitoring their presence online, and they’ll copy your company email signature exactly. When you receive an email that looks and sounds like your colleague, it’s common to not check things like the sending email address, which is often a giveaway that the emailer is not who they say they are.

As Ransomware continues to grow more sophisticated, we’ve got some top tips to help you spot and prevent Ransomware. We’ve also got a handy infographic that gives you all the facts and figures on Ransomware.

Check the sender’s email address

This is possibly the biggest red flag of them all. It’s easy to copy a person’s tone of voice and a company email signature, but you can’t exactly replicate their email address. You can make it look similar – replacing ‘l’s with upper-case ‘i’s or ‘o’s with ‘c’s, for example – but it won’t be the correct name, domain or spelling. Sometimes, particularly when sending to personal email addresses and when the email itself looks believable, the email address won’t even be close to the company it’s supposedly coming from.

Take this actual email I received purporting to be from Apple a few months ago. These emails work particularly well, not only because they look like legitimate Apple emails on the surface (more on that later), but because they tap into a common fear of losing money. In this economic climate, with our stretched budgets and empty pockets, any unexpected outgoing money can throw a spanner in the works. Hackers are preying on this fear, and using it to their advantage. This email highlights the importance of checking the sender’s email address; particularly as the hackers have set the Alias (who the email appears to come from) as Apple, masking the email address in the first instance.

First, pay attention to the domain – does it match the sender’s domain? Look out for incorrect spellings or slight differences – like a .com instead of a .co.uk or small character changes like the ones mentioned above. These anomalies will inform you that the sender isn’t who they appear to be.

And of course, if you don’t know the sender at all, never click a link or download any attachments.

Thoroughly check the email content

The next thing to look at is the email content. Most people are now aware that nonsensical text-only emails are spam, but remember that these hackers are more sophisticated than ever. If the hacker is spoofing someone you know, ask yourself if you were expecting this email. If you weren’t, think about if it’s something this person would likely ask for. Working in an office, you’re likely to receive emails daily from colleagues and customers asking for favours or sending you information. If in doubt, check their email or give them a call.

In my example above, I showed you a fake invoice email purporting to be from Apple. While I knew to check the sender address, the email itself looked pretty legitimate. It had my email address (or Apple ID), an Order ID, Sequence Number and Order Number all in the correct place. The layout of my ‘purchases’ was strikingly similar to a real Apple invoice email. But there were still some indicators in the email itself that indicated it wasn’t real. For example, it didn’t have my billing card or address on, and the text at the bottom, which supposedly led to the refund page, was different. There were small spelling errors – which is a sure-fire way of spotting the email is not real. However, it’s easy to miss those small clues in your panic over losing your money.

 And then there are the spammers who don’t even try…

I must really like the song ‘Goodies’ to purchase it for ‘87.19 GBP’! And pasting the full, spammy link is a dead giveaway. But we shouldn’t scoff the sloppy criminals too much, because they still catch people out.

Check the attachments – particularly the file types

Not all Ransomware, or even malware, is distributed through infected files, but it’s still the second most common method of distribution (after malicious web links in emails). The most common file types used to distribute Ransomware are zip files (.zip), because the contents need to be extracted to be accessible, therefore giving hackers the perfect opportunity to hide Ransomware inside, and macro-enabled Word documents (.docm), which again look innocent on the surface but can host all kinds of malicious content.

The reason these file types are most commonly used is because they easily hide the content inside, and they’re commonly used. Zip files are used to condense file sizes, or to send a number of documents without having to attach them all individually, while Word documents are universally recognised and usually trusted.

Don’t open any .zip attachments from unknown sources. And before you open anything, carry out the steps above to make sure they’re from the real person. With Word documents, it’s good practice to check the file extension – the most commonly used and trusted file extensions will be .docx, or .doc if the sender is on an older version of Word. For the macro-enabled documents, most PCs running Windows now have an extra layer of security in place that automatically disables macros in a document, meaning you need to manually enable them yourself. ­You can check if this is in place in Word by going into File > Options > Trust Centre > Trust Centre Settings. You’ll then see a setting with four radio button options, and you should set it to the ‘Disable all macros with notification’ option. 

If you download a document from a colleague that prompts you to enable macros, it’s worth giving them a call to ask if you need to do that in order to use the document properly. Most macro content is keyboard shortcuts that can cut out small repetitive tasks within a document, but sometimes the shortcut isn’t worth the risk.

Check the links – without clicking on them

Links in emails are the most common method of executing a Ransomware download on your PC, narrowly beating out malicious file attachments. Some sloppy cyber criminals will let you see the full URL in their email, so you can easily see that it’s not legitimate. Again, look out for spelling errors or unusual domains – you can always Google the company to check if their domain matches the link in your official-looking email.

If the hackers have been clever enough to hide their links by hyperlinking the text, you can hover over the link with your cursor to see the full URL.

Take the Graham Cluley IT security newsletter that I’m signed up to, for example. By hovering my cursor over the hyperlinks in his newsletter, I can see the URL it goes to. This newsletter is nice and simple, and tells me the exact URL this link will take me to. However, many companies now use tracking tools in their emails to monitor how successful articles in newsletters are, for example. That can present unsettlingly long URLs – but it’s mainly the domain you need to look out for. If it matches the company’s website domain, you’re probably safe. But again, if you’ve got any doubts, don’t click the link.

It’s not just emails that can pass on malicious links. Spam social media accounts and ‘malvertising’ are on the rise, whereby ‘click bait’ articles or adverts online lead you to a malicious website that could possibly contain Ransomware or another malware virus. These methods rely on piquing your interest with a jammy headline, or the offer of a guaranteed free iPhone. But remember, cyber criminals are more sophisticated than ever, and they’re also using subtler tactics; they could post adverts purporting to be betting websites, or set up social media accounts that on the surface look like a real company. Always check the domain of the URL – you can hover over the link in your browser, and the full URL will appear in the bottom left of your browser window. 

Shortened URLs – commonly used on social media but can also be used in marketing emails or anywhere else on the web – pose an additional problem, so if you don’t fully trust the source of the link, don’t click on it.

We recommend having a robust anti-virus system in place to add an extra layer of protection to your business. 80% of successful cyber-attacks can be attributed to human error, so you need that additional protection in place. Sophos Intercept X has been specifically designed to deal with Ransomware, detecting and removing the virus before it has the chance to encrypt your files. What’s more, if you’re unlucky enough to fall victim to Ransomware, Intercept X will decrypt your files, then intelligently make your system more robust so that you’re less likely to experience a Ransomware attack in the future. Find out more about preventing Ransomware with Sophos Intercept X by signing up to our Sophos security webinars.

 These tips are aimed at helping you prevent unknowingly downloading a Ransomware virus, but they’re good practice going forward. Cyber criminals often work in the same circles, and use the same methods. By following this advice, you can prepare yourself for a possible Ransomware attack – over 41% of business have experienced a Ransomware attack in 2016. But even if you and your business are lucky enough to never experience a Ransomware attack, there are a lot of malicious malware viruses out there ready to wreak havoc on you, your computer and even your business.