Security vs convenience: The story of ransomware spread by spam email

Like many others, you’ve probably faced the ‘Security vs Convenience’ question many times.

“Should I disable web security to increase the speed of Facebook?”

“Do we really need Microsoft Office macros disabled when it causes so many issues for the Finance team’s spreadsheets?”

“This software installer keeps crashing, so why can’t we turn off the anti-virus to let it finish?”

Let me show you why security is important so that the next time someone asks you to disable a security setting, you can tell them how these settings are keeping them safe.

The Threat

Our story begins with the villain, let’s call him Bob. Bob is a cybercriminal who has spent the last few years stealing money and personal details from innocent victims.

You may be forgiven for thinking that Bob is some kind of computer genius. However, although he knows his way around a computer, his coding skills are very limited and his knowledge of security systems is mediocre at best. And yet this won’t stop him from launching an attack on your users or family.

Bob has decided that his latest attack is going to use ransomware, specifically one called TorrentLocker, and that his attack will be spread by a spam campaign – a mass blast-out of email. He is going to concentrate on the USA, UK, Australia and Canada as these countries are likely to deliver the greatest return on investment.

Using the Tor software, Bob delves into the Dark Web and contacts a Malware-as-a-Service (MaaS) organization. For a small amount of money, paid on a monthly basis, Bob now has access to the TorrentLocker ransomware. He also has the ability to use the MaaS organization’s botnet to send hundreds of thousands of spam emails through a deployment method which uses Microsoft Word and Excel attachments.

Macros embedded in the booby-trapped documents will automatically run to download the ransomware payload when the user opens these attachments. All of this comes with 24/7 technical support from the criminal gang providing this service. Bob’s targets include offices, factories and home users, pretty much anybody with an email address.

The attack begins at dawn, before his victims have had their morning coffee, in the hope that they will be less vigilant to suspicious activity.

The defence

Our hero or IT Rock star is called Ray. Ray understands that security is made of layers, and that the more layers you have, the harder it is for criminals to create malware that can get through all of them.

The following are examples of just some of the layers that Ray can use.

Email protection

The first layer of defence Ray has deployed is an email gateway appliance. This utilizes strong anti-spam technology that filters out unsolicited and unwanted email. Some advanced features that you may not have enabled in your environments could include DKIM and SPF.

DKIM allows an organization to add a digital signature to emails that it sends. This not only reassures your recipients that it is really you they are talking to, but also allows you to block inbound emails that fail this check. The idea is that if crooks send imposter emails pretending to be from someone else’s email domain, they won’t be able to create a valid digital signature, because they won’t have the necessary cryptographic keys.

An SPF record is a list of all the official email servers that an organization uses. When you receive an email, you can check to see if it came from one of the servers listed in the SPF record for the sender’s email domain. If the email comes from an unofficial server, you can block it.

TIP. SPF records usually include either -all or ~all. The -all option means “this list is definitive and no other servers are valid senders of my email.” In other words, your SPF record is up to date and you are telling the world to discard any email allegedly from you that came from any other server. But ~all is a so-called Soft Fail, meaning “my list of servers may not be complete after all.” Soft Fail can be used when constructing, modifying and testing SPF records, but you should always aim to finish off with a definitive SPF record terminated with -all.
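To make the -all versus ~all distinction concrete, here is an added example (not code from the original article or from Sophos) of the check a receiving mail server performs: it looks up the sender domain’s SPF record, walks the listed mechanisms in order, and reports whether the connecting IP address passes. All domains, IP addresses and records below are constructed, and DNS lookups are replaced by an in-memory table so the code runs offline; the `a`, `mx`, `ptr` and `exists` mechanisms, which need DNS, are treated as non-matching in this simplified evaluator.

```python
import ipaddress

# Constructed SPF records keyed by domain. This dictionary stands in for
# DNS TXT lookups; none of these are real domains or real records.
SPF_RECORDS = {
    # Definitive record: anything not listed is rejected (-all)
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:mail.example.net -all",
    # Soft-fail record: unlisted senders are only marked as suspicious (~all)
    "softfail.example": "v=spf1 ip4:192.0.2.0/24 ~all",
    # Record pulled in via include: by example.com
    "mail.example.net": "v=spf1 ip4:203.0.113.10 -all",
}

# SPF qualifier prefix -> evaluation result when the mechanism matches
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(domain, sender_ip, records=SPF_RECORDS, depth=0):
    """Return the SPF result for sender_ip claiming to send as domain."""
    if depth > 10:              # RFC 7208 limits recursion; bail out on loops
        return "permerror"
    record = records.get(domain.lower())
    if record is None:
        return "none"           # no SPF record published for this domain
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = "+"         # mechanisms default to "+" (pass) if unqualified
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True      # catch-all: -all / ~all decide unlisted senders
        elif name in ("ip4", "ip6"):
            # ip_network containment returns False on an IPv4/IPv6 mismatch
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif name == "include":
            # include: matches only if the referenced domain's record passes
            matched = evaluate_spf(arg, sender_ip, records, depth + 1) == "pass"
        else:
            matched = False     # a/mx/ptr/exists need DNS; ignored offline
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"            # record exhausted without an "all" mechanism


def gateway_action(spf_result):
    """Example gateway policy: -all lets you reject outright, ~all only flags."""
    if spf_result == "fail":
        return "reject"
    if spf_result == "softfail":
        return "accept-and-flag"
    return "accept"


if __name__ == "__main__":
    for domain, ip in [("example.com", "192.0.2.77"),
                       ("example.com", "203.0.113.10"),
                       ("example.com", "198.51.100.5"),
                       ("softfail.example", "198.51.100.5")]:
        result = evaluate_spf(domain, ip)
        print(f"{domain:18} from {ip:14} -> {result:8} ({gateway_action(result)})")
```

The last two lines of the demo show the practical difference: the same unlisted sender address is rejected under the definitive `-all` record but merely flagged under `~all`, which is why a soft-fail record should be a stepping stone rather than a destination.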

IT security rules

Recently Ray noticed an increase in spam with Microsoft Office documents attached; these documents when opened by a user would automatically run macros that then downloaded a malware payload. One precaution Ray can take against these is to disable all macros with notification. This will stop the automatic execution of the macros and require the user to manually accept them before they run. One other thing Ray could consider is installing Microsoft Office viewers. These viewer applications let the end user see what the documents look like without opening Word or Excel. The additional benefit is that the viewer software doesn’t support macros at all, so the user can’t enable macros by mistake.
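Disabling macros at the endpoint is one layer; another is spotting macro-carrying attachments at the gateway before a user ever sees them. As an added example (not code from the original article or from Sophos), the check below looks inside an Office Open XML attachment (.docx, .xlsm, .pptm and friends are zip archives) for the `vbaProject.bin` part that holds VBA code. The sample documents are constructed in memory so the script runs offline; a real gateway would feed it the attachment bytes from each message.

```python
import io
import zipfile

# Zip entries that hold VBA code in Word, Excel and PowerPoint OOXML files
MACRO_PARTS = ("word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin")

# Extensions that should never carry a VBA project (macro-enabled variants
# use .docm/.xlsm/.pptm). A mismatch is a strong reason to quarantine.
MACRO_FREE_EXTENSIONS = (".docx", ".xlsx", ".pptx")


def has_vba_project(data):
    """True if the OOXML archive contains VBA, False if not, None if not OOXML."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as archive:
            names = set(archive.namelist())
    except zipfile.BadZipFile:
        return None  # legacy binary .doc/.xls or some other format entirely
    return any(part in names for part in MACRO_PARTS)


def attachment_verdict(filename, data):
    """Gateway decision for one attachment: 'allow', 'hold' or 'quarantine'."""
    macros = has_vba_project(data)
    if macros is None:
        return "hold"        # not OOXML; needs a different scanner (e.g. OLE)
    if not macros:
        return "allow"
    lowered = filename.lower()
    if lowered.endswith(MACRO_FREE_EXTENSIONS):
        return "quarantine"  # claims to be macro-free but carries VBA
    return "hold"            # macro-enabled document: user must justify it


def build_sample_doc(with_macro):
    """Constructed minimal Word-style archive for demonstration only."""
    buffer = io.BytesIO()
    with zipfile.ZipFile(buffer, "w") as archive:
        archive.writestr("[Content_Types].xml", "<Types/>")
        archive.writestr("word/document.xml", "<document/>")
        if with_macro:
            archive.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buffer.getvalue()


if __name__ == "__main__":
    clean = build_sample_doc(with_macro=False)
    boobytrapped = build_sample_doc(with_macro=True)
    print("invoice.docx (clean):", attachment_verdict("invoice.docx", clean))
    print("invoice.docx (VBA):  ", attachment_verdict("invoice.docx", boobytrapped))
    print("invoice.docm (VBA):  ", attachment_verdict("invoice.docm", boobytrapped))
    print("invoice.doc (legacy):", attachment_verdict("invoice.doc", b"\xd0\xcf\x11\xe0"))
```

Note that this only covers the zip-based formats; legacy binary .doc and .xls files store macros in OLE streams and need a separate check, which is why the example holds them rather than allowing them through.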

User education

Ray is now faced with the hardest layer to configure…his users. User education is often overlooked because it never ends. Since the user is routinely considered the weakest link in the chain, user education can be seen as one of the most important security layers you have. After all, if Alice hadn’t opened that attachment from her Nigerian Prince pen pal, she wouldn’t have ended up sending her bank details to him.

Security should be a consideration of your users at all times, be it choosing strong passwords, not falling for phishing attacks or just understanding the type of threats out there. Ray has gone one step further and created a security training program including email and password tips, videos guides and posters. You may want to do the same.

Endpoint scanning

Ray knows that it doesn’t matter how aggressive his email protection is, because there are numerous other ways of getting malicious files onto his network. They could arrive via services such as Dropbox, via FTP or from a mobile device; Ray is even getting worried about drone attacks – and let’s not forget about those pesky USB sticks. (Remember Conficker?)

A web gateway appliance will help with many of these, but you have to assume that some things will get through or find a way round them. That is where endpoint scanning comes in.

This is also the layer that users are most likely to complain about causing slowdown on their machine. So let’s look at the security features Ray has deployed and why they are needed:

On-access scanning

This is at the core of most endpoint protection products. On-access scanning looks at every file you use, just before you use it, so that it doesn’t just detect malware, but prevents it from activating, too. A good on-access scanner also feeds information to the other features of the endpoint protection solution. It should be considered fundamental to your protection: if your endpoint protection software were the heart, this would be the blood.

Host Intrusion Prevention System

This feature is known by different names, such as Behavior Monitoring or HIPS. Even after a file has passed the on-access scanner and started running, HIPS continually monitors it for suspicious activity, and can stop it if it misbehaves. This security feature can help protect you from new malware that nobody has seen before.

Live protection

With the amount of malicious activity on the increase, ensuring that you are protected from the latest threats has never been so important. Even if your anti-virus software updates several times a day, there will still be occasions when you are at risk from new sorts of malware. Live Protection works by taking information about a file at the time that it is scanned and connecting to a cloud service to find the very latest information about the file.

Web Protection and Malicious Traffic Detection

A common practice for malware is to split an attack into multiple parts. For this scenario I will keep it simple and say that there are three main parts:

  1. Delivery – in this case via spam.
  2. Download – a dedicated program to fetch and launch the next stage.
  3. Payload – the malware that will do the damage.

A downloader is a miniature piece of malware that does nothing more than call home to a web server and pull down whatever malware the attacker is hosting on it. This means the criminals can deploy their attack via spam without attaching the final payload, and can even change the payload half way through their spam run.

Web Protection and Malicious Traffic Detection monitors which websites your computer is connecting to. If any of them are known to be associated with malware delivery, the connection will be blocked.
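The downloader stage described above depends on a successful outbound connection to the attacker’s web server, which is exactly where Web Protection and Malicious Traffic Detection intervene. The following is an added example (not code from the original article or from Sophos) of that logic applied to proxy log lines: each request’s host is compared against a blocklist of hosts known to serve malware, matching the host itself or any parent domain on the list. The log lines, client addresses and blocklisted hosts are all constructed for the demonstration.

```python
import re
from urllib.parse import urlsplit

# Constructed blocklist of hosts "known to be associated with malware
# delivery". A real product would pull this from a threat-intelligence feed.
BLOCKLIST = {"malware-host.example", "payload.example.net"}

# Constructed proxy log format: timestamp client method url status
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)

# Constructed sample log: one workstation fetching a downloader's next stage,
# plus ordinary traffic and a look-alike domain that must NOT match.
SAMPLE_LOG = """\
2016-03-01T06:12:01Z 10.0.0.21 GET http://www.example.com/index.html 200
2016-03-01T06:12:44Z 10.0.0.21 GET http://cdn.malware-host.example/update.exe 200
2016-03-01T06:13:02Z 10.0.0.35 GET https://intranet.example.local/ 200
2016-03-01T06:13:59Z 10.0.0.21 POST http://payload.example.net/gate.php 200
2016-03-01T06:14:10Z 10.0.0.42 GET http://malware-host.example.org/ 200
"""


def host_is_blocked(host, blocklist=BLOCKLIST):
    """Match the host or any parent domain, by label, never by substring."""
    labels = host.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


def find_callbacks(log_text, blocklist=BLOCKLIST):
    """Return (client, host, url) for every request to a blocklisted host."""
    hits = []
    for line in log_text.splitlines():
        match = LOG_RE.match(line.strip())
        if not match:
            continue                      # skip malformed lines rather than crash
        host = urlsplit(match["url"]).hostname or ""
        if host_is_blocked(host, blocklist):
            hits.append((match["client"], host, match["url"]))
    return hits


def clients_to_isolate(log_text, blocklist=BLOCKLIST):
    """Distinct client addresses that called home: candidates for quarantine."""
    return sorted({client for client, _, _ in find_callbacks(log_text, blocklist)})


if __name__ == "__main__":
    for client, host, url in find_callbacks(SAMPLE_LOG):
        print(f"BLOCK {client} -> {host}  ({url})")
    print("isolate:", clients_to_isolate(SAMPLE_LOG))
```

Two design points worth noting: the match walks parent domains label by label, so `cdn.malware-host.example` is caught while the unrelated `malware-host.example.org` is not, and the list of calling-home clients is exactly the input a gateway needs for the automatic quarantine policy described in the Web Gateway Protection section.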

Memory Scanning

If malware is already running on your computer, you need memory scanning to find any active malware code and get rid of it. You can sometimes find running malware by looking at the list of active programs, but cybercriminals have many tricks for hiding their malware from the process list, so that only direct examination of memory will do.

Also, some malware removes itself from disk once it is active, so that a disk-only scan won’t find the infection.

Top Tips for Endpoint Scanning:

  • Ensure your endpoints are set to update regularly.
  • Regularly check that endpoints are updating correctly.
  • Enable any live protection features in your product to ensure you have the latest threat detection capabilities.
  • Turn on HIPS, behavior monitoring and memory scanning if your product supports them.
  • Enable Web Protection and Malicious Traffic Detection to stop downloaders from calling home for more malware.
  • Consider restricting the use of removable devices such as USBs.
  • Use application control to stop users running unapproved software such as torrent clients, keyloggers and more.

Web Gateway Protection

Ray is using a Unified Threat Management (UTM) product to manage his web policies, firewall, network traffic and server protection. The first thing he did was remove his predecessor’s firewall rule that allowed all traffic in both directions. Ray is still shocked at how many people do this.

Ray introduced a new firewall rule that allowed most traffic, then over the period of weeks he monitored what users did and locked-down everything that wasn’t needed. He enabled Intrusion Protection with advanced features such as port scanning detection to help detect when criminals were testing his network for weaknesses. He also enabled traffic flooding protection to help protect his servers in the case of a DDoS attack.

Ray’s UTM product also communicates with his endpoints, allowing him to create policies that can automatically cut off a computer’s access to the internet, or to key internal servers, if it gets infected. This gives him the confidence that even if a malware attack occurs, any infected computers will quickly be quarantined to stop wider damage to his network.

For more information on the Sophos approach to real-time threat sharing between endpoints and the gateway, please see our documents on synchronized security.

Security permissions

This is easy to talk about but admittedly hard to do in real life. Simply put, you should operate on the “least privilege” principle: if users don’t need access to a particular resource, server or network location, then don’t give them permission to access it.

Just like Ray, many of you reading this may have already had to deal with the after-effects of ransomware.

For those of you who haven’t, in general it works like this:

  • A user runs a booby-trapped file.
  • The file fetches and launches the ransomware program.
  • The ransomware contacts a server run by the criminals and downloads a unique encryption key.
  • The ransomware then starts encrypting everything it can get its hands on: hard drive, removable disks, network shares and more.
  • The user contacts IT.
  • A sysadmin then spends ages re-imaging the computer and restoring the lost data from backup.

And when I say that it will encrypt everything that it can get its hands on, I mean pictures, documents, videos, that presentation you spent hours on, your Bitcoin wallet, even your Minecraft creations.

(It isn’t just your work that is at risk now, but your games too.)

By the way, please make sure you keep at least one of your backups offline, and preferably off-site. If you have a backup drive plugged in when the ransomware hits, it will encrypt your backups just as avidly as it will scramble your home folder.

TIP. When troubleshooting a ransomware infection in which server files have been scrambled, identifying the infected user that caused the damage can be difficult. Try using Windows Explorer and switching to the Details view. Then add the Owner column, as this will often give you the username that did the encrypting.

Educated users make your network safer. Providing users with information about how you do it and the consequences of what happens when you don’t should help them to understand the benefits of security, even if it means some mild inconveniences.

After all, if you teach your users to be safer at work, they’ll be safer at home, too. No one wants their holiday pictures encrypted as a side-effect of opening a document.

If you have any other security suggestions or layers that we may have missed, please let us know.

And finally, to add an upbeat note to an otherwise troublesome topic…

…check out our video to find out what it means to be the ultimate IT Rock star.
