NCSC Cyber Security Advisory CSA-002-16

Ransomware attack infects victims through PDF-borne spear-phishing campaign

The National Cyber Security Centre (NCSC) has become aware of a PDF-borne crypto-ransomware attack.

In reported instances of this attack, a zipped PDF file was emailed to victims, which, when  opened, prompted the victim to download a new font package to render the PDF readable.

Installing the font package launched a crypto-ransomware exploit that encrypted the victim’s  files until a bitcoin payment was made.

Ransomware is widespread and infection can arise from a variety of continually evolving  vectors such as spear-phishing emails, malicious ads on websites, or navigation or redirection  to compromised websites that host ransomware or other malware. While this PDF attack has similarities to the recent “Locky” ransomware email campaign (i), the PDF attack differs in that  the zipped PDF file itself is apparently not malicious, and infection only occurs once a victim has downloaded and run the font package executable file.

In this instance, the NCSC recommends that recipients treat emails containing suspicious, zipped PDF files likely from an unrecognised sender with extreme caution, or delete such  emails altogether upon receipt or discovery. Other general mitigations against compromise include educating network users on the modes and risks of compromise, ensuring appropriate user permissions and network segmentation are in place, white-listing applications, and backing up business critical information.

The “Locky” campaign used an MS Word document purporting to be an invoice in a spear-phishing email to compromise victims.

For further details, see Arstechnica.com/security/2016/02/locky-crypto-ransomware-rides-in-on-malicious-word-document-macro and Technet 2/02/2016: Locky malware - lucky to avoid it/