NCSC Cyber Security Advisory CSA-002-16

Ransomware attack infects victims through PDF-borne spear-phishing campaign

The National Cyber Security Centre (NCSC) has become aware of a PDF-borne crypto-ransomware attack.

In reported instances of this attack, a zipped PDF file was emailed to victims, which, when opened, prompted the victim to download a new font package to render the PDF readable.

Installing the font package launched a crypto-ransomware exploit that encrypted the victim’s files until a bitcoin payment was made.

Ransomware is widespread and infection can arise from a variety of continually evolving vectors such as spear-phishing emails, malicious ads on websites, or navigation or redirection to compromised websites that host ransomware or other malware. While this PDF attack has similarities to the recent “Locky” ransomware email campaign (i), the PDF attack differs in that the zipped PDF file itself is apparently not malicious, and infection only occurs once a victim has downloaded and run the font package executable file.

In this instance, the NCSC recommends that recipients treat emails containing suspicious zipped PDF files, particularly those from an unrecognised sender, with extreme caution, or delete such emails altogether upon receipt or discovery. Other general mitigations against compromise include educating network users on the modes and risks of compromise, ensuring appropriate user permissions and network segmentation are in place, white-listing applications, and backing up business critical information.
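One way a mail gateway or triage script could apply the recommendation above (added illustration, not part of the NCSC advisory): parse each inbound message, open any zipped attachment in memory, flag archives that carry a PDF from an unrecognised sender, and quarantine outright any archive containing an executable. The trusted-domain set, the risky-extension list and the sample message are assumptions constructed for the example.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Assumption: domains the organisation treats as recognised senders.
KNOWN_SENDER_DOMAINS = {"example.org"}
# Assumption: archive members that should never arrive by email.
RISKY_EXTENSIONS = {".exe", ".scr", ".msi", ".js", ".vbs", ".bat", ".cmd"}


def build_sample_message() -> bytes:
    """Constructed test email: a zipped 'invoice' PDF from an external sender."""
    msg = EmailMessage()
    msg["From"] = "billing@unknown-sender.example"
    msg["To"] = "staff@example.org"
    msg["Subject"] = "Invoice attached"
    msg.set_content("Please find your invoice attached.")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.pdf", b"%PDF-1.4 constructed placeholder content")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="invoice.zip")
    return msg.as_bytes()


def assess_message(raw: bytes) -> dict:
    """Inspect zipped attachments and decide whether the message is quarantined."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    sender_domain = str(msg["From"] or "").rsplit("@", 1)[-1].strip("> ").lower()
    findings = {"unrecognised_sender": sender_domain not in KNOWN_SENDER_DOMAINS,
                "zipped_pdfs": [], "executables": [], "unreadable_archives": []}
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if part.get_content_type() != "application/zip" and not name.endswith(".zip"):
            continue
        try:
            members = zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True))).namelist()
        except zipfile.BadZipFile:
            findings["unreadable_archives"].append(name)  # cannot inspect: treat as hostile
            continue
        for member in members:
            lower = member.lower()
            if lower.endswith(".pdf"):
                findings["zipped_pdfs"].append(member)
            if any(lower.endswith(ext) for ext in RISKY_EXTENSIONS):
                findings["executables"].append(member)
    # Quarantine on any executable or unreadable archive, or a zipped PDF from an unrecognised sender.
    findings["quarantine"] = bool(findings["executables"] or findings["unreadable_archives"]) or (
        findings["unrecognised_sender"] and bool(findings["zipped_pdfs"]))
    return findings
```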

(i) The “Locky” campaign used an MS Word document purporting to be an invoice in a spear-phishing email to compromise victims.

For further details, see Arstechnica.com/security/2016/02/locky-crypto-ransomware-rides-in-on-malicious-word-document-macro and Technet 2/02/2016: Locky malware - lucky to avoid it/