Locky Ransomware Downloaded in Dropbox Phishing Attacks

Dropbox phishing campaigns are common and often fool employees into revealing sensitive information or installing malware.

Dropbox is widely used for sharing files, and employees are used to receiving links advising them that files have been shared with them by colleagues and contacts. Phishers are taking advantage of that familiarity with the service.

There are two chief types of Dropbox phishing attacks. One involves sending a link that asks users to verify their email address. Clicking the link takes them to a spoofed Dropbox website that looks like the official one. They are then asked to enter their login details as part of the confirmation process.

Dropbox phishing attacks are also used to deliver malware such as banking Trojans and ransomware. Users are sent a link that appears to point to a shared file. Instead of opening a document, clicking the link results in malware being installed.

Over the past few days there has been a huge campaign using both of these methods, involving millions of spam email messages. Last week, more than 23 million messages were sent in a single day.

Most of the emails were spreading Locky ransomware, with a smaller percentage used to distribute Shade ransomware. There is no free decryptor available to unlock files encrypted by Locky or Shade. If files cannot be recovered from backups, victims face a large ransom payment.

Due to the recent increase in the value of Bitcoin, the cost of recovery is considerable. The malicious actors behind these attacks are demanding 0.5 Bitcoin per infected device, around $2,400.

According to F-Secure, the majority of malware-related spam messages discovered recently (90%) are being used to distribute Locky. Other security experts have issued similar reports of a surge in Locky infections and spam email campaigns.

To stop Locky ransomware attacks, companies should deploy an advanced spam filtering solution to keep malicious emails out of end users' inboxes. Some emails will inevitably get past spam filtering defenses, so it is important that all users receive security awareness training to help them identify malicious emails.

A web filter can be highly effective at blocking attempts to visit the malicious websites where malware is hosted, while up-to-date antivirus and anti-malware solutions can detect and quarantine malicious files before they are opened.

Backups of all data and systems should also be made, and those backups should be stored on an air-gapped device. Ransomware variants like Locky can delete Windows Shadow Volume Copies, and if a backup device remains connected, it is likely that the backup files will be encrypted as well.
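Because deletion of Shadow Volume Copies typically precedes file encryption, it is a useful detection point. The following is an added example (not from the original article or from any vendor's product) that scans process-creation events for the commonly documented shadow-copy deletion command lines; the log line format and the event lines themselves are constructed for illustration, and the command-line patterns are an assumption based on public reporting, not something the article states.

```python
import re

# Constructed process-creation events in a simplified "Image / CommandLine / ParentImage"
# layout (loosely modelled on Sysmon event 1 fields). These are sample lines, not real telemetry.
SAMPLE_EVENTS = [
    "Image: C:\\Windows\\System32\\vssadmin.exe CommandLine: vssadmin.exe Delete Shadows /All /Quiet "
    "ParentImage: C:\\Users\\bob\\AppData\\Local\\Temp\\invoice.exe",
    "Image: C:\\Windows\\System32\\vssadmin.exe CommandLine: vssadmin list shadows "
    "ParentImage: C:\\Windows\\System32\\cmd.exe",
    "Image: C:\\Windows\\System32\\wbem\\WMIC.exe CommandLine: wmic shadowcopy delete "
    "ParentImage: C:\\Windows\\Temp\\x.exe",
    "Image: C:\\Windows\\explorer.exe CommandLine: explorer.exe "
    "ParentImage: C:\\Windows\\System32\\userinit.exe",
]

FIELD_RE = re.compile(
    r"Image: (?P<image>.*?) CommandLine: (?P<cmd>.*?) ParentImage: (?P<parent>.*)$"
)

# Assumed (commonly documented) shadow-copy deletion forms. Read-only commands such as
# "vssadmin list shadows" deliberately do not match, to keep admin noise out of the alerts.
SHADOW_DELETE_PATTERNS = [
    re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.IGNORECASE),
    re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.IGNORECASE),
]


def parse_event(line):
    """Split one constructed event line into its image, command line and parent image."""
    m = FIELD_RE.match(line)
    return m.groupdict() if m else None


def is_shadow_copy_deletion(cmd):
    """True when a command line matches one of the assumed deletion patterns."""
    return any(p.search(cmd) for p in SHADOW_DELETE_PATTERNS)


def detect(lines):
    """Return an alert (command line plus parent process) for every matching event.

    The parent image is kept because a deletion launched from a user-writable directory,
    rather than an admin shell, is the context a responder will want to see first.
    """
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev and is_shadow_copy_deletion(ev["cmd"]):
            alerts.append({"cmd": ev["cmd"], "parent": ev["parent"]})
    return alerts
```

Running `detect(SAMPLE_EVENTS)` flags the two deletion events and ignores the benign `list` command and the unrelated process.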

Best practice for backing up data is to keep three copies of the data on two different media, with one copy stored offsite and offline. Backups should also be tested regularly to make sure files can actually be recovered if disaster strikes.

The rise in ransomware attacks has led the National Institute of Standards and Technology (NIST) to create new guidance (NIST Special Publication 1800-11) on recovering from ransomware attacks and other disasters.

Posted by

Elizabeth Hernandez

Elizabeth Hernandez is a news writer on Defensorum. Elizabeth is an experienced journalist who has worked on many publications for several years. Elizabeth writes about compliance and the related area of IT security breaches, with a focus on data privacy and the secure handling of personal information. Elizabeth has a postgraduate degree in journalism. Elizabeth Hernandez is the editor of HIPAAZone. https://twitter.com/ElizabethHzone