Fake Contact Tracing App Installs Ransomware
In late May 2020, cybercriminals took advantage of two current events to help fuel a ransomware campaign in Italy. Find out what these events were, how cybercriminals carried out the attack, and what you can do to avoid falling victim to similar one.
Cybercriminals are opportunists. They like to take advantage of current events — especially those that evoke strong emotions in individuals — to increase the chance that people will fall victim to their attacks. In late May 2020, cybercriminals used two current events to help fuel a ransomware campaign in Italy. The hackers played on Italians’ fears of a second wave of the Coronavirus Disease 2019 (COVID-19) pandemic and Italians’ hope that a soon-to-be released contact tracing app, Immuni, would help prevent a coronavirus resurgence.
Once the ransomware attack was discovered, the Agency for Digital Italy (AgID) released an advisory to warn people about this threat. Knowledge of this attack helped curtail it. Similarly, this knowledge can help you avoid falling victim to this type of ransomware campaign in the future.
How the Ransomware Attack Was Carried Out
The cybercriminals who perpetuated the ransomware attack in Italy took the time to craft a convincing phishing email. Pretending to be from the Italian Pharmacist Federation (FOFI), they created a realistic looking email that even included a mix of real and bogus FOFI contact information at the end to make it look official.
The email was sent to pharmacies, doctors, universities, and other groups trying to slow the spread of COVID-19. The recipients were told that a beta release of the Immuni contact tracing app was available for use. The email noted that “This enhanced version, dedicated exclusively to field operators, will enable you to have up-to-date first-hand data in real time related to contagion situations in your territory…. Having effective and widespread monitoring in the territory will be the winning key to avoid a disastrous second wave of spread of the virus.”
The email included a link to a spoofed FOFI website and told the recipients to download an executable file named Immuni.exe from that site. The cybercriminals had cloned the legitimate FOFI website and registered their fake site using a domain name similar to the real one. Specifically, their domain name used a lowercase letter “l” (“fofl.it”) instead of a lowercase letter “i” (“fofi.it”) since the two letters can easily be mistaken for each other if read quickly.
The victims who downloaded, installed, and opened the fake contact tracing app were shown a bogus global map of COVID-19 infections. While the victims were looking at the map, the ransomware was busy gathering information about the victim’s machine and encrypting the victim’s files using the Advanced Encryption Standard cipher block chaining (AES-CBC) algorithm and a randomly generated password. Both the password and the details about the victim’s machine were sent to the cybercriminals’ command and control (C&C) server.
The ransomware was designed to encrypt 69 types of files in a dozen different folders (e.g., Desktop, Contacts, Documents, OneDrive), according to AgID’s Computer Emergency Response Team (CERT-AgID). The types of files encrypted include Microsoft Word files (.doc, .docx), Microsoft Excel files (.xls, .xlsx), executables (.exe), image files (.jpg, .bmp), and compressed files (.zip, .7-zip).
Once all the files were encrypted, the victims received a ransom note that asked for €300 (about $333 USD) to be paid in bitcoins within three days. However, the victims were unable to email proof of payment to the cybercriminals as instructed because the email address they were told to use was invalid. As a result, the victims likely did not get the password they needed to decrypt their files even if they paid the ransom. But they actually did not need it. The CERT-AgID researchers discovered that the ransomware had sent the password used to encrypt the files to the C&C server in cleartext. As a result, the victims could examine their network traffic logs to find out the password and use it to decrypt their files for free.
How to Protect Your Business from Similar Ransomware Attacks
While this ransomware campaign occurred in Italy only, similar attacks might be launched in other parts of the world in the future. Thus, you need to make sure your business is protected.
Your employees are an important line of defense, so a good place to start is educating them about ransomware. For instance, you might:
- Let employees know what ransomware is and the common ways cybercriminals spread it (e.g., downloads, phishing emails).
- Warn employees about the dangers of downloading and installing executables (e.g., apps, games) from the Internet. Even downloading and opening certain types of files (e.g., PDF files) can be dangerous. Be sure to let employees know about your company’s policy regarding when employees are allowed to download executables and files and the sources where employees are allowed to get them.
- Discuss the elements commonly found in phishing emails, such as generic greetings, spoofed email addresses, and messages that try to create a sense of urgency (i.e., act now or face the consequences). If employees know about these common elements, they will be better able to spot any phishing emails that make it through your company’s email filters.
- Tell employees about other dangerous practices that can lead to a ransomware infection, such as clicking links and opening attachments in emails, especially if the emails are from unknown senders.
- Stress the importance of avoiding any content flagged as a potential security threat by security software or web browsers. It might contain malicious code.
Besides educating employees, you need to take other measures as well. For example, you need to regularly update the apps installed on your business’s computers so that known security vulnerabilities are patched. In addition, it is important to make sure you have restorable backups of the data on your business’s computers in case a ransomware infection occurs.
We can perform a security assessment to make sure that your company is doing all it can to defend against ransomware and other types of cyberattacks.