Call now for cybersecurity help: 888-646-1616
Josh Ablett

The Ransomware Email that Slipped Past Google

November 1, 2020

Last week, a nasty ransomware email showed up in my personal Gmail inbox.

As free services go, Gmail is pretty good at spotting phishing and ransomware emails.

However, they completely missed this one. It wasn't in my Spam folder, and it had none of the warnings from Google that it might be malicious.

Here's what it looked like:

phishing_email_cino_lombardo

If you're security-savvy, there's a lot of red flags in this email:

  • It's from someone I don't know
  • It has a password in the body of the email
  • It has an attachment that I wasn't expecting, and didn't request

Sadly, most people aren't security-savvy. Your employees might see this email and get curious about how much money they're getting.  Greed is a powerful motivator.

Let's take a look at this ransomware and why it slipped past Google.

Why didn't Google catch this ransomware email?

The answer lies in the password.

By adding a password to the Word document, the attackers did something very smart.  They made it so Google's scanners couldn't open the file.  This is a technique that hackers are increasingly using to trick email antivirus.

If Google hasn't seen this exact file before, then it has no way to tell that it contains ransomware.

VirusTotal didn't catch this ransomware email

VirusTotal is an amazing resource for catching viruses and ransomware.  It's actually owned by Google.

With a single click, you can scan any file against 58 different anti-virus engines.

The first thing I did is I uploaded this file to VirusTotal to see what it said.

ransomware_email_virus_total

Uh oh!  VirusTotal has never seen this file before, so it doesn't know if it's a virus or not.

This is disappointing, but not surprising.  Hackers produce millions of new viruses each month. All it takes is a trivial change to turn an old virus into a new virus that tricks the virus scanners.

What the ransomware email did

Next, I pulled out the big guns.

I loaded the file to something called a "sandbox."  A sandbox is basically a temporary computer in the cloud that opens a file and watches what it does.  After it's done, the computer gets wiped clean, so there's no way that the file can do any real damage.

I used an excellent service from Payload Security called Hybrid Analysis.  It analyzed the file and showed exactly what I was dealing with.

IMPORTANT NOTE: If you try to do this yourself, be EXTREMELY careful about how you handle the file.  Make sure to delete it immediately from your local computer after you submit it to the sandbox.  You don't want to see this file in the future, and try to open it because you don't remember what it is. Better yet, do this from a computer you don't use very often.

It's simple to use -- you simply upload the file...

ransomware_email_payload_security

Fill out a few fields on a form, and then it does it's thing.

Since I was dealing with a password-protected file, I had to do one extra thing.

I had to expand the "Analysis Options" menu:

ransomware_email_analysis_options

And type in a command to tell it to enter the password from the email:

ransomware_email_password_prompt

Now we're off to the races!  Let's take a look at what the sandbox did...

First, the sandbox opened the file and popped in the password:

ransomware_email_sandbox_1

And we can see the "payload" in all its glory:

ransomware_email_sandbox_macro

THESE are the actual ransomware files, and they would do huge damage to my computer if I opened them.

Instead, they're safely in the cloud, running on a temporary computer that will wipe itself clean after it runs this analysis.  No real computers were harmed in the writing of this article.

The Ransomware: VirLock

Once I analyzed the files, I found that they contained a strain of ransomware called "VirLock."

This strain of malware is particularly nasty because:

  • It's "polymorphic" -- it changes itself every time it runs so it can fool your antivirus program,
  • It can even infect your files that are backed up to the cloud, which is unusually dangerous, and
  • It tricks users into think that it's a warning from the FBI, as pictured below.

How We Caught This Ransomware

Gmail's email anti-virus is pretty good for a free product, but it's not up to the task of protecting your business.

As a test, we forwarded this ransomware email to a Gmail account protected by the email security add-on that we recommend to our clients.

It worked like a champ.

As you can see from the screenshot below, it accurately classified this message as a Virus. It also blocked the email from being delivered to the user.

ransomware_email_blocked_by_adelia

If you don't use email virus protection from a company that specializes in email security, your business is at risk. Email is the most common way that ransomware, data breaches, and other hacks start.

Want help with your cybersecurity?

Get some free help!  Talk to an Adelia Risk cybersecurity consultant.

Talk to us!

Have questions or feedback?  Please share them in the comments below.

Like this article?  Share it!

Leave a Reply

Your email address will not be published. Required fields are marked *

Do you think we might be a
good match?

We help over 100 of the best financial services, healthcare, and manufacturing companies across the U.S. with their cybersecurity.
About
Blog
Copyright 2024 Adelia Associates, LLC | All Rights Reserved