[Plantsci] FW: [itsecmgrs] Ransomware phishing campaign - TLP:GREEN
Marquez, Mario A - (marquezm)
marquezm at email.arizona.edu
Tue Jan 26 17:14:33 MST 2016
[itsecmgrs] Ransomware phishing campaign - TLP:GREEN
TLP:GREEN
Recipients may share TLP:GREEN information with peers and partner organizations within their sector or community, but not via publicly accessible channels. More information about the Traffic Light Protocol can be found at www.us-cert.gov/tlp
RECIPIENTS: Please forward to your supported users as appropriate
SUMMARY:
Information Security has received reports of malicious phishing emails that were confirmed to contain a new variant of the Cryptowall malware family. The latest phishing campaign includes a Microsoft Word attachment made to look like a vendor invoice and specifically references various campus units in the email body and attachment name. This is part of a larger extortion campaign that has been targeting universities, government entities, and businesses around the country for more than a year.
DETAILS:
Cryptowall is a malware type known as ransomware. The malware scans files on the infected computer and encrypts them with a 2048 byte RSA public key encryption, making the files inaccessible. Once files are encrypted, Cryptowall displays instructions to the computer user about how to decrypt the files. The instructions demand payment of a ransom (paid via Bitcoin) to decrypt the damaged files. The ransom is initially $500, and it increases $1,000 after a week. Various public intelligence sources suggest paying the ransom does not always result in the encrypted files being restored.
Cryptowall can spread to any drives, network shares, and external storage devices that are connected to the infected computer. During this type of attack, there is often a delay between the initial infection and when the user receives the first ransom demand. This allows the malware to spread as far as possible before alerting the user to its presence.
The malware samples that were forwarded to Information Security were not detectable by any antivirus programs, so simply having antivirus installed would not protect a user from infection if they opened these attachments.
RECOMMENDATIONS:
Be careful anytime you receive an unsolicited email with attachments. If you are uncertain about the legitimacy of an email, please feel free to submit it to the Information Security office for analysis. It is better to take a little longer to respond to an email that was legitimate than to risk infecting your computer with a harmful virus!
Instructions for submitting suspected phishing emails to Information Security can be found on our website: hxxp://security.arizona.edu/report-incident
(Replace “hxxp” with “http” in your web browser)
Christian Schreiber, CISM, PMP
University Information Security Officer
The University of Arizona
Email: schreiber at email.arizona.edu
Office: 520.626.2399
Web: http://security.arizona.edu
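The DETAILS section above notes that Cryptowall reaches mapped drives and network shares and that the ransom note appears only after the encryption has run for a while. One defender-side check for that window, added here as an example and not part of the advisory or any University of Arizona tooling, is a set of canary files placed on each share: their SHA-256 is recorded at deployment, and a scheduled job re-reads them and flags a hash mismatch whose bytes now look like ciphertext (high Shannon entropy). The canary paths, the 7.0-bit threshold and the sample invoice bytes are assumptions constructed for the demonstration.

```python
import hashlib
import math
import os
from collections import Counter
from typing import Dict, Optional

# Assumed threshold: ciphertext and compressed data sit near 8 bits/byte,
# while plain documents and text are usually well below 6.
HIGH_ENTROPY = 7.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def check_canary(expected_sha256: str, current: Optional[bytes]) -> str:
    """Classify one canary file against the hash recorded at deployment.

    Returns 'ok', 'missing', 'modified' (changed but still low entropy)
    or 'likely-encrypted' (changed and high entropy).
    """
    if current is None:
        return "missing"
    if hashlib.sha256(current).hexdigest() == expected_sha256:
        return "ok"
    if shannon_entropy(current) >= HIGH_ENTROPY:
        return "likely-encrypted"
    return "modified"


def scan_canaries(baseline: Dict[str, str]) -> Dict[str, str]:
    """Re-read every canary path in `baseline` (path -> sha256 hex) from disk."""
    results = {}
    for path, digest in baseline.items():
        try:
            with open(path, "rb") as fh:
                current = fh.read()
        except FileNotFoundError:
            current = None
        results[path] = check_canary(digest, current)
    return results


def demo() -> Dict[str, str]:
    """Constructed sample: an invoice-like canary before and after tampering."""
    plain = b"Invoice 2016-01 ... Total due: $500\n" * 64  # constructed canary content
    digest = hashlib.sha256(plain).hexdigest()
    return {
        "untouched": check_canary(digest, plain),
        "edited": check_canary(digest, plain + b"edited by a user\n"),
        "encrypted": check_canary(digest, os.urandom(len(plain))),  # stand-in for ciphertext
        "deleted": check_canary(digest, None),
    }
```

Any 'likely-encrypted' or 'missing' result from `scan_canaries` on a share is a signal to isolate the hosts with that share mounted before the ransom note is ever displayed.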