Sophos Cloud Optix
Thanks to Graham Chantry and Richard Cohen of SophosLabs for their work behind the scenes on this issue, and for encouraging us to warn you about it.
Even if you haven’t been hit by ransomware yourself, you probably know someone who has.
Most ransomware gets straight to work as soon as it infects your computer: it scrambles some or all of your files and then callously offers to sell you a tool to unscramble them.
If you have a recent backup (one that wasn’t scrambled along with everything else!), you should be able to recover without paying, hopefully without too much trouble.
But if you don’t, and you want your data back, you have little choice but to pay up.
From time to time, the crooks make mistakes, and decryption experts find a loophole so that you can unscramble for free, but that’s unusual.
As a result, many victims end up paying the money, even though it pains them to do it, no matter how hard they try to find another way to recover their files.
Most ransomware hitches a ride into your home, or into your business, and onto your computer, in email attachments.
Here are some recent examples:
As you see here, ransomware crooks like attaching ZIP files, inside which they put the malicious file they really want to you to open, such as a Word document or a JavaScript file.
Technically, they don’t need to do this: they could simply email you a DOCX or a JS file directly, which would typically put you two clicks closer to danger. (That’s because you wouldn’t need to open the ZIP file first, and then the file inside it.)
However, placing their malicious payloads inside ZIP files serves three purposes.
Firstly, ZIPs look unexceptionable, especially if the malware is in a .JS file, a type you don’t usually see in email.
Secondly, many organisations have more liberal rules about ZIPs in email than they do about files that are more directly dangerous, because of those two extra clicks away harm that a ZIP places you.
Thirdly, opening the ZIP takes you a “visual step” away from your email program when the time comes to access the booby-trapped file inside.
Once the ZIP is open, you will usually end up in a Windows Explorer window, giving you a file view that somehow makes the malware file seem like a regular local file you might be inclined to trust, rather than an unsolicited attachment that was part of an email from outside.
Although ransomware can be delivered in many ways, including EXE files (programs), Excel spreadsheets, PDFs, batch files and more, the crooks have used two main types of payload in recent months:
- Word documents. Most documents you receive contain text and perhaps a few images, and are perfectly safe, but Word files can contain macros, or embedded program commands. Word macros are more than powerful enough to download and install malware, often ransomware.
- JavaScript files. These look innocent because they show up with an icon that looks like a scroll of paper, as though they were harmless text files that are safe to open. However,
.JSfiles are full-blooded programs that can do anything a regular.EXEfile (program) can do.
But there’s another malware-friendly attachment type that we’re seeing more and more lately, to the point that SophosLabs specially asked us to tell you about it: the LNK file.
LNKs, more properly Shell Link Binary Files, have been around for years, and malware writers have used them on and off for all that time, because they’re a handy way of dressing up one file as another.
You probably know them best as “shortcuts” that you use as a quick way of opening popular apps or often-used files, such as this example:
On the left is a file called MyDoc.pdf, and on the right a file that looks the same, except for the tiny arrow at the bottom left of the icon that denotes a link or shortcut.
Apart from the arrow overlaid on the icon, the files look the same; the differences are obvious only if you list the files in a command prompt or use Right click | Properties to reveal their details:
Notice here that we’ve carefully told Explorer to show file name extensions, otherwise MyDoc.pdf would show up simply as MyDoc, but the LNK file nevertheless appears with the name of the file to which it links, not as MyDoc.pdf.lnk, as you might reasonably expect.
We recommend that you set up all your Windows computers to show file extensions. An extension is an integral part of the filename, and affects how Windows treats the file. Suppressing extensions may look a bit neater, but it needlessly hides information that might otherwise give you early warning of a security trick.
Worse still, a LNK file can be configured to show up with a misleading name, with an unrelated icon of your choice, and to run any command, like this one:
The LNK file itself is called INVOICE.PDF.lnk, and it’s configured to run a command prompt (using cmd.exe) that creates a JavaScript file called s.js and then runs it.
Nevertheless, it appears on the desktop as if it were a PDF file called INVOICE.PDF, even though it has no connection with any PDF content, and no link to any PDF-related application.
Clicking on it doesn’t open a PDF file at all, as you might think, but instead runs the s.js file created by the command prompt shown above, which in this case innocently pops up a message box using the WScript.Echo() function:
We first wrote about malware using this trick back in early 2009, and we offered this advice:
Donβt be tricked into opening a shortcut file from an untrusted source, falsely assuming the LNK must be harmless because it can only point to items already on your system.
With that in mind, you’re probably not surprised to hear that cybercrooks are having another crack at LNK files, probably because we’ve collectively learned to be doubly cautious of unexpected documents and JavaScript files.
In particular, the fact that LNK files don’t follow the View file name extensions setting in File Explorer, and that they can show up with an icon that is at odds with their real behaviour, makes them very attractive for criminals.
The attachments in the three sample emails shown at the start of the article, for example, each contain a LNK file that uses a technique similar to the INVOICE.PDF trick shown above:
We can’t be sure exactly what ransomware would have been delivered in each of these examples.
Fortunately, the servers used by the crooks to deliver the next stage of the attack had all been taken down, apparently by vigilant hosting providers. (Several of the samples we tested produced “account suspended” messages, thus neutralising the malware.)
In at least one sample we examined, however, the next stage of the attack led to infection by malware known as RAA: ransomware that itself is entirely written in a scripting language.
Of course, LNK-based infections don’t have to end up in ransomware, because the crooks can vary the payload they deliver to suit their current criminal plans.
Indeed, they can adapt the payload victim by victim, based on details such as time of day, operating system version, geolocation, and more.
We’re guessing, however, that the majority of LNK-based attacks you’re likely to see will be aimed at squeezing money out of you through ransomware-style extortion.
What to do?
- Tell Windows to show file extensions. Even though this doesn’t help with LNK files, we think that deliberately suppressing extensions merely introduces a needless risk.
- Be cautious of unsolicited attachments. We know that this advice is easy to say to but hard to follow: how else to tell if a message is worth reading except by reading it? Watch out anyway. Emails claiming to know you, to have money to send, or to be issuing an invoice from a company you’ve never heard of, could have come from anywhere, and probably did.
- Use a real-time anti-virus and web filter, and keep them updated. Sophos Home, for example (100% free for home use on Windows and Macs), blocks these malicious LNK files variously as Troj/LnkDldr-C or Mal/DownLnk-D, and will actively prevent them from running at all.
- Never open LNK files that arrive by email. We can’t think of any situation in which you would need, or even want, to use a LNK file that came via email. The name and icon will probably be misleading, so keep your eyes peeled for the tiny arrow that Windows shows at the bottom left of the icon.
- Review the list of file types you allow in email attachments. Many sysadmins block various well-known file types in email outright, such as EXE attachments (for security reasons) and multimedia files (to avoid accusations of piracy). Review the list whenever the crooks change their game.
- Read our guidelines on How to stay protected against ransomware. The good news is that best practice against ransomware protects you from a vast catalogue of other security and availbility problems, too.
- Listen to our Techknow podcast on Dealing with ransomware. The Techknow podcast series is an excellent “brush up” resource for coffee breaks, train trips and your regular commute.
LISTEN NOW
(Audio player above not working? Listen on Soundcloud or access via iTunes.)
Do you recommend blocking LNK files as e-mail attachments?
Yes, on the grounds, “Why not?” (I’ve never received one myself, nor have I ever felt that I ought to have. So I am pretty confident there’s nothing to lose.)
Great article Paul, thanks. The Sophos PureMessage system rates .LNK files threat level as “low”. Should this not be higher?
Good question…I shall pass it on π Having said that, you can modify the blocklist anyway…
There is one legitimate reason for receiving LNK files that I can think of. If you’re in a work group with a shared mounted path to files that everyone can update, it’s often convenient to mail a shortcut to your teammate to look at a file on the shared drive (maybe the file is too large to attach in mail, or you want the other person to update the file directly). If you’re not in this situation (you’re not part of a team, or your team doesn’t share files this way), then there’s really no reason to be sending/receiving LNK files.
Rather than sending link files perhaps you could use file:/// URLs?
Given that .LNK files are masters of disguise, why not simply email your colleagues the One True Samba Name of the object you want them to open, in good old plain text?
This has the double advantage of being self-documenting, and completely transparent to the recpient.
For example:
\\SERVERNAME\SHARE\PATH\FILENAME.EXTis more informative, more generally useful (it still makes sense on Linux and OS X), takes up less space, and doesn’t need an attachment.
I enabled file extensions on my first copy of Windows 98 without fully recognizing the security implications–I just liked knowing what was going on in my computer. I had lyrics to a couple dozen songs in Word documents for collaboration with a buddy.
I went to his house, 3.5″ floppy in hand and overzealously renamed all of them. I saw what I perceived as truncated file names–assuming it was a computer glitch of some sort–and “fixed” them all. Got them back home and…oh. Oops.
It wasn’t long before I learned how hiding file extensions can be a huge disadvantage and now proselytize everywhere about it. Once I thought it might eventually be changed For The Betterment Of The Internet Community, but I’ve cynically abandoned that optimism.
Form over function. Boo.
Hahahaha, I’ve often ended up with
document.doc.docandarticle.pdf.pdffor the very same reason. Ironically, in the early days of post-3 Windows, it seems that Microsoft wanted both to have its cake (by supressing extensions in general) and to eat it (by encoding extensions for key system files into the name, so the file type would be clear even if the extension were invisible).System filenames were limited to 8-dot-3, presumably in case the files were ever copied to a filing system where long filenames weren’t supported, so the three-letter extension was repeated at the end of the filename, restricting the distinctive part of the name to just five characters.
AFAIK, that is why, to this day, we have special files such as
NTDLL.DLL. The extension *is* important after all. So important they included it twice πThe reason MS abandoned the practice is because there weren’t enough strings left. Only the 5 preceding characters are available in 8.3 if you take the last 3 of the 8 and make them the same as the extension. By the time of Windows 98, Microsoft realized that they were quickly closing in on the 60 million names available to 5 characters, and they had pretty much left all the useful names in the dust.
“64,000,000 names ought to be enough for anybody.”
Paul, maybe you could extend your ‘show file extensions” advice to Mac OS X users also; I don’t know when they started but I recently went from Lion to El Capitan and Apple has followed MIcosoft’s lead in hiding extensions by default. I use Path FInder 7 as a Finder substitute and had instructed PF7 to show all extensions by default, but I was getting frustrated by screen captures showing up without extensions in Path Finder. I discovered I had to check a Finder box: “Finder/Preferences/Advanced/Show All Filename Extensions” because the Apple screen shot utility automatically creates files with a “Hide Extension” flag. Path Finder ignored my default setting and honored the flag until I changed the “Advanced” setting in Finder.
Good point. (I decided not to touch on OS X extensions here because of the Windows-centriciy of the article, but perhaps I should have.)
Your instructions are spot on – the option to get Finder to do the right thing (which affects the desktop, too) is indeed in Finder’s “Advanced” preferences. As you say, each file has an attribute for “hide extension,” so it isn’t all-or-nothing, but I still strongly reccommend “show all extensions”, which overrides the hide extension flag on individual files.
Terminal.app, FTW!
…but yes your ‘show all filename extensions’ is a great thing to enable
π
Hi Paul,
we are using Sophos UTM 9 and Endpoint Protection on each Windows Client.
Are we well protected against Ramsomware?
Hmmmmm….Yes, you are! (But I would say that, of course.)
More seriously, and as objectively as I can, I’d suggest that a combination of network gateway and endpoint protection is a strong one, because most ransomware (though admittedly not all) relies on getting an email delivered, getting some sort of program to run, and then also getting some sort of “call home” web request back out again.
So, a combination of inbound email filtering, on-access endpoint protection that blocks both unwnanted software and dangerous network connections, and outbound web and network filtering at the gateway leaves you a lot safer than any one of those on its own. As for what software settings would work best for you, I recommend calling Sophos Support or taking a look at the document mentioned in the article:
https://www.sophos.com/en-us/medialibrary/Gated%20Assets/white%20papers/sophosransomwareprotectionwpna.pdf?la=en
You might also want to take a look at this, for another angle on ransomware protection and recovery. It’s currently still in Beta [2016-08-04] but you can sign up now to try it out:
https://blogs.sophos.com/2016/08/02/sophos-intercept-stops-ransomware-in-its-tracks-try-the-beta-today/
(Sophos Intercept provides yet another layer of ransomware defence, by detecting rogue attempts to scramble your files, killing the offending program, and rolling back the changes. Of course, you’ll always have a backup, but… hey, if you don’t, Intercept is your friend π
Any samples please ?