I documented my analysis in a Research Paper, “Analyzing a Spear Phishing Email.” You can download the report here.
The findings of my research are summarized below:
1. The phishing email is very primitive in appearance, alleging that the postal service could not deliver a package. The From email address (k(at) karastel,ru) was completely unrelated to the signature line (Eugene Lee).
4. The miscreants compromise legitimate web sites to host the malicious binaries. The scripts contain multiple download URLs so the campaign keeps working even when some of the compromised servers are detected and taken down.
5. The malicious PE file is a Cerber ransomware binary that encrypts files in the logged-on user's Documents folder and on any attached USB devices.
6. There is a sophisticated web site on the DarkNet that instructs a victim on how to obtain Bitcoins and pay the ransom.
7. The cyber-punks who send out these emails bank on economies of scale: if they send out 1 million weaponized emails and have a 5% hit rate, that is 50,000 victims.
8. The ransomware problem is not going away anytime soon. In fact, evidence suggests the cyber-criminals are getting more aggressive in their tactics. Not only are they encrypting files, they are also wiping out the master boot record (MBR) on compromised systems, preventing them from booting.
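Finding 1 above (a From address unrelated to the signature line) is a cheap triage check that can be automated. The following Python is an added example written for this post, not code from the research paper or the PacketSled platform; the sample message, its addresses and domains are constructed placeholders, and the check simply compares the From domain against any email domains found in the body and signature.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message for illustration only; addresses and domains are
# placeholders, not the ones from the analyzed email.
SAMPLE_EMAIL = """\
From: "Postal Service" <k@example-sender.invalid>
To: victim@example.org
Subject: Your package could not be delivered
Content-Type: text/plain; charset="utf-8"

Dear customer,

We were unable to deliver your package. Please open the attached notice.

Regards,
Eugene Lee
Customer Care, Example Postal Service
support@example-postal.invalid
"""

# Captures the domain part of any email address appearing in free text.
EMAIL_DOMAIN_RE = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)")


def extract_body_text(msg):
    """Return the first text/plain body of a parsed message (empty string if none)."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    for part in parts:
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            return payload.decode(part.get_content_charset() or "utf-8", errors="replace")
    return ""


def sender_domain(msg):
    """Domain of the From header address, lower-cased (empty string if unparseable)."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def check_sender_consistency(raw_message):
    """Flag a message whose From domain matches none of the domains in its body.

    A genuine delivery notice normally signs off with contact details on the same
    domain it was sent from; a From domain unrelated to the signature is a
    high-signal indicator for a phishing triage queue.
    """
    msg = message_from_string(raw_message)
    from_domain = sender_domain(msg)
    body_domains = {d.lower() for d in EMAIL_DOMAIN_RE.findall(extract_body_text(msg))}
    mismatch = bool(from_domain) and bool(body_domains) and from_domain not in body_domains
    return {
        "sender_domain": from_domain,
        "body_domains": sorted(body_domains),
        "mismatch": mismatch,
    }


if __name__ == "__main__":
    print(check_sender_consistency(SAMPLE_EMAIL))
```

The check deliberately stays silent when the body contains no email address at all, so it produces a hit only when there is something concrete to compare against; pair it with SPF/DKIM results before acting on it.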
We are continually adding enhancements to the PacketSled Platform to identify advanced ransomware compromise techniques.
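Finding 5 above describes Cerber encrypting the contents of the Documents folder. One host-side way to confirm that kind of impact during triage is to look for recently modified files whose bytes have the near-uniform distribution of ciphertext. The Python below is an added example for this post, not code from the paper or the PacketSled platform; the entropy threshold, the time window and the demo directory it builds are constructed assumptions.

```python
import math
import os
import tempfile
import time
from collections import Counter
from pathlib import Path

# Bits per byte; plain text and most documents sit well below this, ciphertext near 8.
HIGH_ENTROPY = 7.5


def shannon_entropy(data):
    """Shannon entropy of a byte string in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def suspicious_files(root, max_age_seconds=3600, sample_bytes=4096, threshold=HIGH_ENTROPY):
    """Return files under root modified within the window whose leading bytes look encrypted.

    Caveat: compressed archives, images and media are also high-entropy, so the
    signal is many formerly low-entropy files (documents, spreadsheets) turning
    high-entropy in a short window, not any single hit.
    """
    cutoff = time.time() - max_age_seconds
    hits = []
    for path in Path(root).rglob("*"):
        if not path.is_file() or path.stat().st_mtime < cutoff:
            continue
        with path.open("rb") as fh:
            head = fh.read(sample_bytes)  # a leading sample is enough to classify
        if shannon_entropy(head) >= threshold:
            hits.append(str(path))
    return sorted(hits)


def demo():
    """Constructed demonstration tree: one text file and one random-byte stand-in for
    an encrypted file (random bytes, not real ransomware output). Returns hit names."""
    with tempfile.TemporaryDirectory() as tmp:
        (Path(tmp) / "notes.txt").write_bytes(b"quarterly report draft, section one\n" * 100)
        (Path(tmp) / "notes.txt.a7f3").write_bytes(os.urandom(4096))
        return [Path(h).name for h in suspicious_files(tmp)]


if __name__ == "__main__":
    print(demo())  # expected: ['notes.txt.a7f3']
```

Run it against a user's Documents folder (or a mounted USB device) with a window covering the suspected infection time; a burst of hits across ordinary document types is the pattern to escalate on.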
Posted on April 12, 2017