Andra Zaharia, security evangelist at Heimdal, has published a very useful and exhaustive checklist for reducing your exposure to ransomware: The Anti-Ransomware Protection Plan You Need to Follow Today.
I get tired of reading ‘how to defend against ransomware’ articles that miss out vital points like not staying permanently connected to in-the-cloud storage, but this one really does cover most of the angles. Very nice.
Here are a couple of ‘what you need to know’ articles on ransomware. At some point I might come back to make a few comments about individual points, but in general, if you’re still puzzled as to what it’s all about, you might find some useful thoughts here.
To be precise, the ZIP file distributed by the spam campaign launches PowerShell to download a Kovter payload delivering ransomware. The secondary payload is CoreBot, a highly adaptive form of modular malware.
According to Heimdal’s Andra Zaharia, the spam message looks something like this:
From: [spoofed / fake return address]
Subject Line: Payment for tax refund # 00 [6 random numbers]
Tax_Refund_00654767.zip -> Tax_Refund_00654767.doc.js
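As an added defensive example (not code from this post or from Heimdal's analysis), here is a Python check that inspects a ZIP attachment's member names without extracting anything and flags script files hiding behind a document extension, run against a constructed ZIP that mimics the Tax_Refund_00654767.doc.js naming; the extension lists are my own assumptions, not a definitive catalogue.

```python
import io
import zipfile

# Extensions that Windows runs as scripts on double-click (Windows Script Host, PowerShell, etc.).
SCRIPT_EXTENSIONS = {"js", "jse", "vbs", "vbe", "wsf", "ps1", "hta", "cmd", "bat"}
# Document-looking extensions often used as the decoy half of a double extension.
DECOY_EXTENSIONS = {"doc", "docx", "pdf", "xls", "xlsx", "txt"}


def classify_member(name):
    """Return a reason string if the member name looks dangerous, else None."""
    parts = name.rsplit("/", 1)[-1].lower().split(".")
    if len(parts) < 2:
        return None
    ext = parts[-1]
    if ext in SCRIPT_EXTENSIONS:
        if len(parts) >= 3 and parts[-2] in DECOY_EXTENSIONS:
            return f"double extension .{parts[-2]}.{ext} (script disguised as document)"
        return f"script file .{ext}"
    return None


def scan_zip_attachment(data):
    """Walk the ZIP central directory only; return a list of (member, reason)."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            reason = classify_member(info.filename)
            if reason:
                findings.append((info.filename, reason))
    return findings


def build_sample_zip():
    """Constructed sample that copies the campaign's naming; the content is a harmless placeholder."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Tax_Refund_00654767.doc.js", "// placeholder, not the real dropper\n")
    return buf.getvalue()


if __name__ == "__main__":
    for member, reason in scan_zip_attachment(build_sample_zip()):
        print(f"BLOCK {member}: {reason}")
```

Because only the central directory is read, the check is safe to run at a mail gateway before any attachment is opened.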
Heimdal analysis: Security Alert: Fileless Kovter Teams Up with Modular CoreBot Malware in IRS Spam Campaign
Commentary from David Bisson for Tripwire: Fake IRS Spam Email Campaign Serves Up Kovter, CoreBot Malware
Added to Ransomware Resources page.