Schools hit by spate of cold call ransomware attacks

Cybercriminals have started cold-calling UK schools in an attempt to get them to believe that ransomware attachments sent via email are important official documents, the Action Fraud service has warned.

The fraudsters phone admin staff claiming they have sensitive documents covering exam guidance or mental health assessments which must be sent direct to the head teacher.

If successful, the head will be sent a booby-trapped .zip file masquerading as a Word file or PDF which launches a ransomware attack demanding up to £8,000 ($10,000) in Bitcoins to recover any files it encrypts.

A small but important innovation is that the fraudsters pretend to be officials from the “Department of Education” (in fact, since 2010 it has been the Department for Education) to make the request sound more convincing.

Action Fraud doesn’t reveal how successful the attacks have been, but does go on to say:

“It should be noted that similar scam attempts have been made recently by fraudsters claiming to be from the Department for Work and Pensions and telecoms providers.”

That implies a larger campaign or perhaps several campaigns trying the same tactic. The fact that Action Fraud (which is funded by government) has heard of these attacks suggests they’ve been alerted through local police units that have received news of possible ransom demands.

Another hint that attacks might have got to the file-encrypting stage is the fact that the malware’s behaviour is mentioned. The ransomware involved isn’t named, but in many ways that’s become almost academic: there are now so many families and variants that it could be any of the current crop.

More significant is the way the attack borrows heavily from tech support scams, which cold call victims to try to socially engineer them into paying to fix non-existent malware or computer problems.

Perhaps ransomware gangs are having to work harder to get their malware through in the first place, either because of competition from other ransom criminals or because defences are improving.

In a separate attack exploiting the same basic idea, security company Check Point reports that a variant of Petya is being sneaked past defences under the guise of being a job application to HR departments.

Most ransomware attacks are probably either detected before they do damage or are ignored or bypassed by victims. But enough succeed for some industry sources to estimate that ransomware has turned into a global $1 billion-a-year enterprise. If we believe in cybercriminal stereotypes, that’s a lot of designer clothes and vacations in Aruba for someone.

Our tip? First, it’s always worth reporting ransomware when you encounter it. Such intelligence is invaluable for the wider fight. To stop it getting that far, read our more general advice on preventing an attack – or coping with one without being fleeced.