Kovter Ad Fraud Trojan Now Shipping with Locky Ransomware

Over the past couple of months, the PhishMe Research Team has observed Locky ransomware being distributed alongside the Kovter ad fraud trojan. We have looked at this malware distribution channel in the past, and since then, the threat actors have evolved from using a fake file encryption threat to using a well known and effective ransomware family: Locky. In this post we will examine the history of the Kovter actors’ experimentation with ransomware and walk through a sample campaign that our PhishMe Threat Intelligence Team captured.

Ransomware Evolution

The distributors behind Kovter have been experimenting with “ransomware” since as early as January 2016. We place the word in quotation marks because their first attempt at including code that demanded payment was ineffective. These initial attempts were malicious JS email attachments that would only change Windows file extensions on the victim’s computer to “.crypted”. Below is a screenshot of an early ransom note.


An example of the ransomware instructions seen in earlier attempts.

Then, in March of 2016, we saw a shift to actual file encryption that applied XOR to the first 2048 bytes of the files. In April, the threat actors shifted again, using 7zip, a legitimate archiving utility, to encrypt files with a static key. In June 2016, the actors started distributing a PHP interpreter with a script to encrypt the files. A fantastic writeup on the PHP method used by these actors can be found here. They finally shifted to the full-blown ransomware family, Locky, in late October 2016.


A desktop infected with Locky ransomware now being spread with Kovter.

One analysis artifact that distinguishes Locky campaigns in the wild is the affiliate identification number that is hardcoded into every Locky infector build. Locky affiliates 1 & 3 are the most commonly seen affiliate IDs in spam campaigns, albeit from the Necurs botnet (an x86 bootkit that contains spam modules). The Locky affiliates 23 & 24 that we are currently seeing distributed with Kovter differ in that their distribution relies on a botnet that uses compromised websites for spamming.

Sample Campaign

Spam messages containing lures that eventually download Kovter usually contain verbiage of missed package deliveries, as seen in the message sample below.

initial_lure

By viewing the headers of this malicious spam message, we can see that the message appears to be originating from a compromised Joomla website based on the directory structure of the sending script that the webserver prepended to the messages. Depending on server configuration, some webservers will add the lines seen in the snippet below when email is sent using the PHP mail() function call.


PHP email headers contain Joomla CMS path.

The ZIP archive attached to the email contains an obfuscated JScript file that is capable of downloading Kovter and the Locky ransomware loaders.


Zip attachment contains malicious JS downloader.

In an effort to defeat malware sandboxes, this initial JScript file sleeps for at least 5 minutes, then writes another obfuscated JScript file to the folder %TMP% and executes it using the WScript.Run method. The %TMP% is a Windows environment variable placeholder for the C:\Users\{user}\AppData\Local\Temp\ directory. The resulting, de-obfuscated JScript file runs the ping command in another effort to exceed sandbox timeouts, then downloads two binaries from gatheringmd[.]top, writing them to %TMP% and executes them, as seen in the code snippet below.


De-obfuscated JScript that downloads two binaries and executes them both.

The Windows executable 24.exe downloaded from hxxp://gatheringmd[.]top/cb/l2[.]php is an NSIS-packed executable for the Kovter ad fraud trojan loader. Kovter is a “fileless” trojan that stores itself in the Windows registry for persistence and antivirus evasion. Upon execution, the trojan checks in with a command and control location that contains a URL path usually ending in upload.php or upload2.php, sending infected machine information such as the operating system version, service pack level, and the system architecture, and whether any known security programs were detected. Kovter will also check for and install the latest version of Internet Explorer Adobe Flash browser plugin, and .Net frameworks.

The Kovter trojan will then generate web traffic hidden from the victim’s desktop. The malware actors craft search terms and inject them into browser sessions with their malware, which “clicks” on advertisements that generate revenue through pay-per-click models. We won’t dive too deep into Kovter analysis since it has been well-documented already here (PDF) and here (PDF). Configuration data, seen in Table 1 below, is easily extracted from memory while the trojan is running.

Table 1: Kovter configuration for sample 0d01517ad68b4abacb2dce5b8a3bd1d0
cp1
(IP Addresses – please see Indicators of Compromise section below)
cp1cptm
30
cptmkey
a7887cc809cf0d4df17fc5dafd03e4e7 – MD5 of “smooth”
keypass
65537::20717578436666370206990156461786566788132748458910865354994919388630407187082788932551065567891365033974994995141358277530021944793516607142737605543772104350635734672485498640041982499636009940196953103877199811371834197299886690010229547993815721647414299018829914480336700775760032044922438942690008663278856440487164946050309668972730239620373400036156807226902415414689227139343695179004305146177952041410093920067335850237232148134221904306706694425837140102211178161590920721365317540938040383023194954613997204876850415109848188765254167924483000246775174171501733414326729845936854172715365200925796295269097
passdebug
False
debugelg
True
elgdl_sl
False
dl_slb_dll
False
b_dllnonul
hxxp://185.117.72[.]90/upload2[.]php
nonuldnet32
hxxp://download.microsoft[.]com/download/0/8/c/08c19fa4-4c4f-4ffb-9d6c-150906578c9e/NetFx20SP1_x86[.]exe
dnet32dnet64
hxxp://download.microsoft[.]com/download/9/8/6/98610406-c2b7-45a4-bdc3-9db1b1c5f7e2/NetFx20SP1_x64[.]exe
dnet64pshellxp
hxxp://download.microsoft[.]com/download/E/C/E/ECE99583-2003-455D-B681-68DB610B44A4/WindowsXP-KB968930-x86-ENG[.]exe
pshellxppshellvistax32
hxxp://download.microsoft[.]com/download/A/7/5/A75BC017-63CE-47D6-8FA4-AFB5C21BAC54/Windows6.0-KB968930-x86[.]msu
pshellvistax32pshellvistax64
hxxp://download.microsoft[.]com/download/3/C/8/3C8CF51E-1D9D-4DAA-AAEA-5C48D1CD055C/Windows6.0-KB968930-x64[.]msu
pshellvistax64pshell2k3x32
hxxp://download.microsoft[.]com/download/1/1/7/117FB25C-BB2D-41E1-B01E-0FEB0BC72C30/WindowsServer2003-KB968930-x86-ENG[.]exe
pshell2k3x32pshell2k3x64
hxxp://download.microsoft[.]com/download/B/D/9/BD9BB1FF-6609-4B10-9334-6D0C58066AA7/WindowsServer2003-KB968930-x64-ENG[.]exe
pshell2k3x64cl_fv
20
cl_fvfl_fu
hxxps://fpdownload.macromedia[.]com/get/flashplayer/current/licensing/win/install_flash_player_22_active_x[.]exe
fl_fumainanti
DD1D:1:DD1DDD2D:1:DD2DDD3D:1:DD3DDD4D:1:DD4DDD5D:0:DD5DDD6D:1:DD6DDD7D:1:DD7DDD8D:1:DD8DDD9D:1:DD9DDD10D:1:DD10DDD11D:0:DD11DDD12D:1:DD12DDD13D:1:DD13DDD14D:1:DD14DDD15D:1:DD15DDD16D:1:DD16DDD17D:0:DD17Dal:hxxp://185.117.72[.]90/upload[.]php:al::mainanti
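
A parser for the delimiter layout that Table 1 implies, added here as an example (it is not PhishMe's extraction code). It assumes each setting is stored as name:value:name with fields run together, which is how fused labels such as cp1cptm would arise, and it separates cp1 endpoints that are not internet-routable before they reach a blocklist. The SAMPLE string is constructed in the page's notation with shortened values.

```python
import ipaddress
import re

# Assumed layout: one field is <name>:<value>:<name>; names cannot contain ':',
# values can (URLs, "65537::..."), so the closing marker is found by back-reference.
FIELD = re.compile(r"([A-Za-z0-9_]+):(.*?):\1", re.DOTALL)
ENDPOINT = re.compile(r"\b(\d{1,3})_(\d{1,3})_(\d{1,3})_(\d{1,3}):(\d{1,5})\b")
FLAG = re.compile(r"DD(\d+)D:([01]):DD\1D")   # numbered on/off switches in mainanti
AL_URL = re.compile(r"al:(.*?):al")           # URL wrapped in al:...:al

# Constructed sample, not a real memory dump.
SAMPLE = (
    "cp1:46_22_220_32:80 10_158_103_224:21315 224_45_66_42:26359:cp1"
    "cptm:30:cptm"
    "key:a7887cc809cf0d4df17fc5dafd03e4e7:key"
    "pass:65537::1234567891:pass"
    "debug:False:debug"
    "nonul:hxxp://185.117.72[.]90/upload2[.]php:nonul"
    "mainanti:DD1D:1:DD1DDD2D:1:DD2DDD5D:0:DD5D"
    "al:hxxp://185.117.72[.]90/upload[.]php:al::mainanti"
)


def parse_config(raw):
    """Split a raw config string into an ordered {name: value} dict."""
    raw = raw.strip()
    fields, pos = {}, 0
    while pos < len(raw):
        m = FIELD.match(raw, pos)
        if m is None:
            raise ValueError(f"unparseable config at offset {pos}: {raw[pos:pos + 20]!r}")
        fields[m.group(1)] = m.group(2)
        pos = m.end()
    return fields


def c2_endpoints(cp1_value):
    """Turn 'a_b_c_d:port' entries into (IPv4Address, port); drop invalid ones."""
    out = []
    for *octets, port in ENDPOINT.findall(cp1_value):
        try:
            ip = ipaddress.IPv4Address(".".join(octets))
        except ipaddress.AddressValueError:
            continue
        if int(port) <= 65535:
            out.append((ip, int(port)))
    return out


def is_routable(ip):
    """False for private, loopback, link-local, multicast and reserved space."""
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def parse_mainanti(value):
    """Return ({flag number: enabled}, al URL or None) from the mainanti value."""
    flags = {int(n): bit == "1" for n, bit in FLAG.findall(value)}
    m = AL_URL.search(value)
    return flags, (m.group(1) if m else None)


def triage(raw):
    """Parse a config and sort its C2 endpoints for blocklisting."""
    cfg = parse_config(raw)
    endpoints = c2_endpoints(cfg.get("cp1", ""))
    flags, al_url = parse_mainanti(cfg.get("mainanti", ""))
    return {
        "fields": cfg,
        "routable": [f"{ip}:{port}" for ip, port in endpoints if is_routable(ip)],
        "non_routable": [f"{ip}:{port}" for ip, port in endpoints if not is_routable(ip)],
        "flags": flags,
        "al_url": al_url,
    }


if __name__ == "__main__":
    for name, value in triage(SAMPLE).items():
        print(name, "->", value)
```
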

The other Windows executable, 23.exe, which is downloaded from hxxp://gatheringmd[.]top/ll/l1[.]php, is the loader for Locky ransomware. Locky is written in Visual C++ and contains hard-coded IP addresses for command and control callbacks, although some versions of Locky do not require the victim to have Internet connectivity to start the file encryption process. The following table includes the configuration data we found in this campaign.

Table 2: Locky configuration for sample f3d935f9884cb0dc8c9f22b44129a356
Affiliate ID: 23
Key: RSA1
RSA Key ID: 711
RSA Key Size: 114 (bytes)
DGA Seed: 90577
Execution Delay: None
Svchost Process Persistence: Disabled
Registry Persistence: Disabled
Ignore Russian Computers: Enabled
C2 Callback URL Path: /message.php
C2 Callback Servers: 109.234.35[.]230, 176.103.56[.]119

 

Conclusion

Distributors behind Kovter are constantly evolving their ransomware game. We can only speculate why these malware actors would “burn” their foothold on an infected machine where they have also placed profitable ad fraud code. Perhaps the return on investment is much higher with ransomware and preferable to standing up the infrastructure and money laundering channels required for conducting ad fraud. PhishMe Intelligence customers can view more details about this threat in ID 7409.

This specific email template is available in PhishMe Simulator to use in your own scenarios.

 


Indicators of Compromise

..:: Email Subject Lines
Courier was unable to deliver the parcel, ID{rand}
Delivery Notification, ID {rand}
Problem with parcel shipping, ID:{rand}
Problems with item delivery, n.{rand}
Shipment delivery problem #{rand}
Unable to deliver your item, #{rand}
We could not delivery your parcel, #{rand}
Fedex parcel #{rand} delivery problem
Notification status of your delivery (FedEx {rand})
Parcel ID{rand} delivery problems, please review
Parcel {rand} delivery notification, USPS
USPS parcel #{rand} delivery problem

 

..:: File Hashes

 

..:: 2nd Stage Downloads
gatheringmd[.]top
post-us-post[.]com
46_22_220_32:80 23_94_62_145:80 81_22_255_154:80 107_182_132_63:80 23_94_62_145:80 107_182_132_63:80 200_63_47_104:80 146_0_77_17:80 185_159_37_58:80

 

..:: Kovter C2
hxxp://185.117.72[.]90/upload[.]php
hxxp://185.117.72[.]90/upload2[.]php

 

With apologies to Led Zeppelin fans: The (BEC) Song (Still) Remains the Same

Almost three months have passed since I last updated you on the Business Email Compromise scam, also known as the CEO Fraud scam.   Though the volume of these attacks remains high, the information security community has continued to collaborate well regarding this type of fraud, preempting the transfer of millions of dollars and identifying numerous mules in control of bank accounts around the world.

Just last week, yet another phisher tried to phish PhishMe.  Our CTO, Aaron Higbee, reported on early attempts in September 2015 when he also described the use of PhishMe Reporter to phish-back and collect details of the phisher’s IP address and user-agent.

Since that time, we have seen repeated attempts against our CFO, Sam Hahn, where he receives messages impersonating our CEO, Rohyt Belani.  These messages seek to engage Sam in an exchange regarding an urgent request to make a wire transfer.  Of course, such wires would be fraudulent, but, amazingly, the phish-back technique almost always works.  It has resulted in the identification of as many as five mule accounts at five different banks for one potential transaction.

The Song

With this latest attempt against PhishMe, the phisher has apparently used social media and/or search engine results to identify the name and email address of a staff accountant who reports to Sam Hahn, bypassing Sam’s renowned phish-spotting skills.  But the phisher’s email message landed with another trained reporter at PhishMe, who submitted the message as Suspicious, using the PhishMe Reporter button.  The report fed into our internal PhishMe Triage where we could quickly see that the accountant has a high Reputation Score, indicating that she is good at spotting truly-suspicious messages.  We knew that we should have a look right away at her report, shown in Figure 1 below.  The subject line of the message was the accountant’s first name, and the salutation included her first name.

Figure 1  Initial message from BEC phisher

Then our incident response plan kicked in, and we asked the accountant to reply with an offer to help. As seen in Figure 2 below, the phisher responded right away with his plea for money to cover a secret international acquisition.  (Ah!  The Intrigue!)

Figure 2  BEC phisher makes plea for a wire transfer

In her response to that second message, our astute accountant indicated that she would need someone else to sign off on the wire transfer, “since it is an international wire.”  She actually copied our incident response team, which later provided a wire “confirmation link” to the phisher.  Figure 3 below shows the third message from the phisher, where he sent wire instructions to the accountant.

Figure 3  The BEC phisher sends wire transfer instructions

Once the mule account was revealed, it was reported to the bank, and our accountant’s associate sent a “confirmation link” that, when clicked by the phisher, revealed the phisher’s physical location.  From the phisher’s point of view, the link re-directed to the login page for the bank hosting the mule account.

The phisher must have been convinced that the wire transfer had been made because the next morning, twenty hours after the initial request, he came back for more.  In Figure 4 below, you can see where he hit up our accountant’s associate (really, our incident response team member) for a double dip.

Figure 4  The BEC phisher returns the next day to request more money

The final part of that thread included instructions for a $165,590 wire, details of an account at a second bank, and a request for a confirmation.

The Investigation

Beyond reporting this to the U.S. government’s Internet Crime Complaint Center at www.ic3.gov, our researchers wanted to dig deeper and document this phisher’s other activity.  It turns out that the lookalike domain name phislhme.com was registered at 1&1 Internet SE on December 15th, the same day as the first spam message to PhishMe, using the email address garyrabine@rabinagroup.com.  When we initially looked into whether that same email address had been used to register other domain names, we found 69 other domain names, all registered within the previous week and all seeming to be misspellings of domain names in use by real companies.

We took the list of domain names and guessed at which real company each domain was meant to imitate.  We then notified the administrative contacts of record for those legitimate domain names.  Though there was a handful of bounced messages, four companies replied with appreciation, and, so far, one has responded that their company had also received a BEC phishing email.

We checked back again this week to see how many domain names have been registered with 1&1 by this threat actor, and now there is a total of 156 domains.  We notified 1&1 on December 19th and requested that all the names be de-activated.  (see list at this link)

Takeaways

Though the song remains the same, phishers are constantly evolving their tactics to lead to more success.  In this recent attack, the phisher did not use the word “urgent” or “wire” in the subject line of the email message.  He also opted not to try for the CFO again; he likely found our accountant’s name and email address online and contacted her instead, possibly in hopes that she would feel a sense of urgency to which our CFO has become inured.  Then, when we saw the plea for money, we knew a bit more about why the phisher may have opted to avoid our CFO—it was a secret deal that only the “CEO” could know about.

We also want you to understand that this does not just affect large companies.  Because this scam has been going on for years, some of the larger targets have already been hit, and some have learned very hard lessons.  And with over 150 companies of all sizes spoofed by this one phisher and almost a full day between the two wire requests we received, we think this phisher is very busy.

PhishMe also wants everyone to understand how simple but effective these scams can be.  Learn how to spot them, and make sure your employees are great reporters.  Your staff needs to know that raising a red flag to the appropriate team can make all the difference in the world to your company, preventing the loss of hundreds of thousands of dollars and helping us stamp out this fraud.

Viotto Keylogger: Freemium Keylogger for the Skids

The PhishMe Research team recently received a campaign escalated by one of our analysts. We’ll explore the campaign delivery, malicious attachments, and analysis of the malicious attachments, and we’ll provide a simple method for extracting the credentials being used for this keylogger family’s data exfiltration.

Campaign

The PhishMe Triage platform allows SOC analysts to identify, analyze, and respond to email threats that have targeted their organization. For this particular campaign, the suspicious email had an ARJ archive attachment, which contained a Windows PE32 executable.

Although Windows does not natively open archive files with the ARJ extension, a number of third-party applications, such as 7zip, can extract these rarely-used archives. The archive contains a single PE32 executable named “DOCUMENT-71956256377.pdf.exe”, which is a packed Viotto Keylogger sample, intentionally named with a double extension to entice victims to click and execute the malware.


Malicious attachment contains executable.

Since this malware was written in VB6, we can decompile the unpacked, malicious binaries to verify our classification. By viewing the VB6 forms, we can see that the hidden Form1 contains the name of Viotto Keylogger:


Decompiled VB6 forms.

Now that we have seen an example of how this malware propagates in the wild, let’s examine the family itself. When an analyst has access to a malware’s builder (an application that enables the easy customization of malware samples), we can save precious reverse engineering time by analyzing its capabilities and features to better understand how this malware behaves.

Builder

Most of the indicators that comprise a Viotto Keylogger infection can be set at build time when the actor creates the stub (the malware sample that infects a victim’s computer). In the public version 3.0.2 of the builder, the malicious actor can specify where the keylogger’s logs will be stored, the installation method for persistence, and the delivery method of the logs via SMTP and/or FTP. In the paid, private version of the builder, the actor is able to control even more settings, such as encrypting the Keylogger logs with RC4 with a hardcoded key and enabling a Screen Capture feature that periodically sends screenshots of the victim’s desktop back to the actor. Another feature included in both versions that is not highlighted in the builder’s options is the ability to capture all text copied to the victim’s clipboard.


VKL Builder’s main screen.

The storage location option for the keylogger log files can be set by the malicious actor at build time. They also have the ability to specify a custom log filename and to set hidden file attributes. The log files can be saved in the following locations on the infected machine’s disk:

  • Root (C:\)
  • Windows (C:\Windows)
  • System32 (C:\Windows\System32)
  • Program Files (C:\Program Files)
  • Application Path (copied where originally executed)
  • Temp (C:\Users\{username}\AppData\Local\Temp)
  • AppData (C:\Users\{username}\AppData\Roaming)

Options where keylogger logs will be stored.

Persistence

As described above, depending on the settings enabled at build time of the stub, the actor can make the infection persist through reboots of the infected machine. The actor can also select the option to save a copy of the executable, which has the same file system options as the log file storage locations. The copy of this executable can then be executed during Windows’ startup events for persistence through computer restarts. Although multiple instances of the stub can be launched by selecting any combination of startup entries, the stub ensures it’s the only process currently running by checking the mutex (a program object lock used to prevent multiple instances of the same malware from running). The default mutex is “ViottoLogger”; however, this setting can also be changed in the builder. The following startup registry keys are viable options:

  • Current User\Run (HKCU\Software\Microsoft\Windows\CurrentVersion\Run)
  • Local Machine\Run (HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run)
  • Winlogon\Shell (HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell)
  • Winlogon\Userinit (HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit)
  • Explorer\Run (HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run)

Windows startup persistence options.
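
A hunting check for the five startup locations listed above, added as an example and not taken from the original post: it reads the text of a `reg export` file and reports entries in those locations that look like a dropped stub. The sample export, the value names and the path heuristics (double extension, Temp, AppData\Roaming, drive root, Program Files root) are constructed assumptions.

```python
import ntpath
import re

# The startup locations the builder offers, lower-cased for comparison.
RUN_KEYS = {
    r"hkey_current_user\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\policies\explorer\run",
}
WINLOGON_KEY = r"hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon"
STOCK_SHELL = "explorer.exe"
STOCK_USERINIT = r"c:\windows\system32\userinit.exe"

SECTION = re.compile(r"^\[(.+)\]$")
STRING_VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
EXE_PATH = re.compile(r'^\s*"?(.+?\.exe)\b', re.IGNORECASE)
DOUBLE_EXT = re.compile(r"\.(pdf|docx?|xlsx?|jpe?g|txt)\.exe$", re.IGNORECASE)

# Constructed export. Real exports are UTF-16: decode the file before parsing.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"Updater"="C:\\Users\\alice\\AppData\\Roaming\\DOCUMENT-71956256377.pdf.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe,C:\\Windows\\svhost.exe"
"Userinit"="C:\\Windows\\system32\\userinit.exe,"
'''


def parse_reg(text):
    """Yield (key, value name, data) for every string value in a .reg export."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        section = SECTION.match(line)
        if section:
            key = section.group(1)
            continue
        value = STRING_VALUE.match(line)
        if value and key:
            # Undo the .reg escaping of backslashes and quotes.
            name, data = (re.sub(r"\\(.)", r"\1", g) for g in value.groups())
            yield key, name, data


def path_reasons(command):
    """Heuristics for a Run-key command line; an empty list means nothing stood out."""
    m = EXE_PATH.match(command)
    if not m:
        return []
    exe = m.group(1)
    folder = ntpath.dirname(exe).lower()
    reasons = []
    if DOUBLE_EXT.search(exe):
        reasons.append("double extension")
    if folder.endswith(r"\appdata\local\temp"):
        reasons.append("runs from Temp")
    elif folder.endswith(r"\appdata\roaming") or folder in ("c:\\", r"c:\program files"):
        reasons.append("sits directly in a builder drop folder")
    return reasons


def startup_findings(reg_text):
    """Return the startup entries worth an analyst's attention."""
    findings = []
    for key, name, data in parse_reg(reg_text):
        k, n = key.lower(), name.lower()
        reasons = []
        if k in RUN_KEYS:
            reasons = path_reasons(data)
        elif k == WINLOGON_KEY and n == "shell":
            if data.strip().lower() != STOCK_SHELL:
                reasons = ["Winlogon Shell differs from explorer.exe"]
        elif k == WINLOGON_KEY and n == "userinit":
            if data.lower().rstrip(", ") != STOCK_USERINIT:
                reasons = ["Winlogon Userinit differs from userinit.exe"]
        if reasons:
            findings.append({"key": key, "value": name, "data": data, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in startup_findings(SAMPLE_EXPORT):
        print(finding["key"], finding["value"], finding["reasons"], sep=" | ")
```

Because the actor can rename the stub and pick any of the offered folders, treat a clean result as the absence of these particular heuristics, not the absence of the keylogger.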

Keylogger Data Exfil

Viotto Keylogger is capable of sending the recorded keystrokes, clipboard contents, and screenshots to the perpetrator in an email (via SMTP) or to a file server (via FTP). The email option can be delivered to open relays that do not require authentication or to accounts that require authentication over SMTP using Transport Layer Security (TLS). By utilizing TLS, the account credentials and email contents will be encrypted in transit. Most of the VB6 code in this keylogger was copied from sources freely available on the internet, as indicated in the builder’s About screen:

builderabout

Extracting Exfil Credentials

Skids wishing to use this malware creator be forewarned: your email and FTP credentials can be easily obtained! Although most of these samples in the wild will be packed, a quick and easy way to extract the malware actor’s credentials being used for victim data exfiltration is by analyzing the application’s process memory. Analysts can extract this information on the infected machine itself using a program such as Process Hacker, but personally, I prefer keeping my memory analysis tools outside of the infected machine by analyzing full VM RAM dumps with either the Rekall or Volatility memory analysis frameworks. We can also extract the malware sample’s configuration, including any SMTP/FTP exfil credentials, statically. The malware sample’s configuration is stored in plaintext in the Resources section of the stub:


The decompiled FindResource section loads the stub configuration.

The PhishMe Research team also wrote a Python script to extract the Viotto Keylogger configuration from an unpacked sample:

configextractor

Conclusion

The recent sighting of the freely-available Viotto Keylogger in the wild reminds us that cybercrime has a low barrier to entry and that tools built years ago continue to be used to exploit unsuspecting users. PhishMe Simulator trains and encourages users to recognize and report the type of email messages that are delivering this threat. The next step is to act on those reports, and PhishMe Triage enables your team to sift through all reports and quickly and efficiently act on the ones that pose a threat to your organization. Click here to learn more.

 

Related SHA256 Hashes

Miscellaneous

Download the Viotto Keylogger YARA rule or the configuration extractor.

The PhishMe Advantage – ROI

Return on Investment

Measuring the return on investment (ROI) from your PhishMe solution is simple and easy. The most obvious and significant impact is the dramatic reduction you will see in the overall risk of a phishing attack getting past both your perimeter protection and your skilled users, but there are other ways to measure your investment:

Monetary ROI

Customers can realize monetary ROI from PhishMe by reducing their overall risk to phishing and other security threats. Adversaries have successfully employed phishing tactics to steal intellectual property, personally identifiable information, and other sensitive information that can harm an organization’s competitive advantage and reputation.

The costs of a data breach vary and can range from hundreds of thousands to billions of dollars. The costs of incident response and mitigation will be, at a minimum, a few hundred thousand to millions of dollars, while the loss of intellectual property and sensitive information can have a severe financial and legal impact on an organization.

PhishMe’s solutions lower the likelihood of users being susceptible to various security risks while also increasing your IT Security team’s ability to quickly and accurately identify and mitigate an attack in progress. PhishMe’s experience sending simulated phishing attacks to over 20 million unique users has shown that prior to training, organizations show a reduction in repeat “clicker” susceptibility to phishing of 95%.  Download our Phishing Susceptibility Report for the full details.

Time ROI

There is also the opportunity cost view of measuring the ROI from PhishMe. Specifically, this includes the amount of time and resources your IT organization must commit when responding to user reports of falling for phishing attacks, resetting passwords, slow computer performance caused by malware, and unwinding the damage caused by such incidents. The internal cost to identify, respond, triage and recover compromised systems can place an unbearable strain on the IT service organization. Most firms find that cutting the need for this effort by 50% to 80% results in significant savings of time, labor and energy, all of which can be focused on core business operations that can help your business grow.

PhishMe’s innovative training solutions will save your entire organization time and resources while increasing employee productivity. On average, PhishMe simulated training exercises conducted periodically take 1/30th as much time as traditional computer-based training (CBT).

The (BEC) Song Remains the Same

I had a dream, a crazy dream, that we stopped responding to ridiculous email messages demanding that a wire be sent immediately.  Also in that dream, all the bad guys were caught and had to pay restitution and go to jail.

While that second part may never happen, there has been definite progress toward the dream goal and there are definite steps to take to ensure that you – and others in your company – do not fall victim to a BEC email.

Coordinated by the National Cyber-Forensics & Training Alliance (NCFTA), contact information and incident details are being swapped quickly in the business and financial communities, allowing wires to be successfully recalled from far-flung places, facilitating the identification of fraudster activity, and preventing additional victimizations.  However, the typical scenario involves the disappearance of money into the hands of criminals much faster than the victim realizes that they have made a grave mistake in acting upon a fraudulent email message.

The FBI has now released three major advisories* regarding the Business Email Compromise scam.  The below charts illustrate how the estimated number of victims and the estimated volume of dollar losses have increased dramatically with each Public Service Announcement.

chart-1

chart-2

And, though the Internet Crime Complaint Center (IC3) first noticed an uptick in related complaints in October 2013, the ruse has been a common one in Europe for even longer. A fellow security researcher in France, where they call this ‘The President’s Scam’, has been closely tracking a certain group since 2011.

The most common sequence of events is that a C-level employee email address is either compromised or spoofed in order to send a convincing message to someone in the company with the authority to send a wire.  It appears that oftentimes the fraudsters have done their homework on who’s who also, gleaning names, titles, and even travel schedules of executives from social media accounts.  We have shared examples before; just over a year ago, PhishMe CTO, Aaron Higbee, described an attempt against PhishMe.

graphic-3

Also around this same time last year, Centrify CEO, Tom Kemp, detailed EIGHT different attempts against his company, which itself provides multi-factor authentication services.

Unfortunately, the number of victims continues to rise.  Think about it…every business is a potential victim; so, until everyone knows how to spot this scam, we will keep hearing more horror stories.

The following are some things to keep in mind when you review an email asking you to move money on behalf of your company:

  1. Is the message really from the person that it appears to be from? Review the headers carefully. What is the reply-to address? Was the message actually sent from a lookalike domain name, such as PHlSHME.com with the letter L in place of the letter I?
  2. Do the tone and writing style of the author match what you know of the purported sender of the message?
  3. Are you being asked to reply directly to the message, instead of crafting a new email message? Are you being pressured to keep the transaction to yourself for some reason? Does the email message have a strong sense of urgency?
  4. Is there a link to click or an attachment to open, supposedly containing the wire instructions? As part of this scam, wiring instructions are typically sent to the victim in a subsequent message, after they have initially hooked you into responding. Usually they are in the body of the follow-up message, but sometimes they are in a PDF attachment.
  5. Don’t think that the receiving bank will necessarily be overseas. Money mules in the United States are operating domestic bank accounts, helping to launder the money while sometimes thinking they are performing a legitimate work-from-home service.
  6. Be willing to stand your ground when something seems ‘off’ about a request. Demand that you personally speak to the person requesting the urgent wire transfer. When you save the company millions, the CEO will be glad you bugged her for a moment.
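The header review in item 1 can be automated for reported messages. The following is an added example, not PhishMe code: it compares the Reply-To and From domains and flags a sender domain that collapses to your own once common character swaps are folded. The function names, the small fold table, and the constructed sample message (with the placeholder domain mail.example) are assumptions for illustration; the table is not a complete list of confusable characters.

```python
from email import message_from_string
from email.utils import parseaddr

# Single characters commonly swapped in lookalike domains, folded to one form.
FOLD = str.maketrans({"l": "i", "1": "i", "0": "o"})


def skeleton(domain):
    """Reduce a domain to a form in which common lookalike swaps collapse."""
    return domain.lower().replace("rn", "m").translate(FOLD)


def domain_of(header_value):
    """Domain part of the address in a From/Reply-To header ('' if absent)."""
    address = parseaddr(header_value or "")[1]
    return address.rpartition("@")[2].lower()


def review_headers(raw_message, own_domain):
    """Return findings for the Reply-To and lookalike-domain checks."""
    msg = message_from_string(raw_message)
    own = own_domain.lower()
    from_dom = domain_of(msg["From"])
    reply_dom = domain_of(msg["Reply-To"])
    findings = []
    if reply_dom and reply_dom != from_dom:
        findings.append(
            f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    for label, dom in (("From", from_dom), ("Reply-To", reply_dom)):
        # Same skeleton but not the same domain: a lookalike registration.
        if dom and dom != own and skeleton(dom) == skeleton(own):
            findings.append(f"{label} domain {dom} is a lookalike of {own}")
    return findings


# Constructed message; mail.example is a placeholder domain.
SAMPLE = (
    'From: "Chief Executive" <ceo@PHlSHME.com>\n'
    "Reply-To: ceo.office@mail.example\n"
    "To: finance@phishme.com\n"
    "Subject: Urgent wire\n"
    "\n"
    "Please reply directly to this message.\n"
)

if __name__ == "__main__":
    for finding in review_headers(SAMPLE, "phishme.com"):
        print(finding)
```

A message that passes both checks can still be fraudulent if the real mailbox was compromised, which is why the out-of-band confirmation in the last item still applies.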

And below are some Action Items that you can take today to help prevent becoming the next victim:

  1. Enable two-factor authentication on your email account. If your email provider does not offer this, change providers.
  2. Establish a DMARC record on your company domain so that messages spoofing your real domain do not get delivered.
  3. Use different passwords for each online service; use a password manager if needed.
  4. Require dual approval and out-of-band authentication for all wires. Understand that wire transfers are one of the most risky transactions and usually cannot be recalled because they are designed to provide immediate access to and an irrevocable settlement of funds.
  5. The PhishMe Simulator/Reporter combination conditions your employees to spot and submit fraudulent email messages. Contact PhishMe to sign up for Simulator and Reporter so that you can start shoring up your first line of defense.

If you realize that you may have fallen for this scam, call your bank immediately.  Also call your local FBI office and ask for assistance (Find contact information here.) Even if you never wired the money, report the attempt by filing a complaint form with IC3 because this helps the NCFTA track and correlate attacks, improving the likelihood of an eventual prosecution.

*Links to the full FBI PSAs:

Behavioral Conditioning, Not Awareness, Is the Answer to Phishing

BY AARON HIGBEE AND SCOTT GREAUX

You don’t stop phishing attacks by raising user awareness. A recent study conducted by a German university confirms what we at PhishMe have known all along: Focusing on awareness isn’t the point. The real solution is behavioral conditioning.

The study, conducted by Friedrich-Alexander University (FAU) of Erlangen-Nuremberg, Germany, used 1,700 students to simulate spear phishing attacks. An August 31 Ars Technica article published preliminary results of the study showing at least 50% of students clicked simulated phishes, even though they understood the risks.

With its headline, “So Much for Counter-phishing Training: Half of People Click Anything Sent to Them,” the article appears to suggest training is pointless. But we see it differently. While the article confirms what our own research has revealed – that awareness isn’t the problem – the proper conclusion to draw isn’t that training is futile. PhishMe tends to agree with this sentiment and encourages organizations to focus on conditioning their employees to identify and report security risks.

We focus our training on conditioning human behavior, and the results speak for themselves. Our customers spend 22 seconds reviewing phishing education, and yet their susceptibility to phishing decreases significantly. Why? It’s the experience we put them through that changes behavior. Even when they are aware of the risks, as studies show, they are susceptible to opening email from unknown users and clicking suspicious links. But conditioned through the real-world examples we provide in our simulations, users are much less likely to click.

Enterprise Relevance

The FAU study focused on students, who were sent emails and Facebook messages with links purporting to be for photos from a New Year’s Eve party held a week before the study. “Links sent resolved to a webpage with the message ‘access denied,’ but the site logged the clicks by each student.”

It’s dangerous to apply the results of research conducted on a student population to enterprise workers. We have several problems with the approach as described. For starters, it wasn’t created by people in the trenches who understand real-world threats, but by academics in a computer science department. We already know the bait used by the study’s authors works on students, as well as consumers, but is far less effective with enterprise users. Yet, readers of the Ars Technica article are concluding the study’s results apply to enterprise environments.

We know that because we’ve started to get messages with their reactions. So we feel an obligation to point out the study didn’t use a realistic scenario, from an enterprise point of view. Real-world enterprise phishes are more likely to be emails pretending to be files from a scanner, a document with a job evaluation, or a message that someone has signed for a package addressed to the user.

There’s also a difference of perspective between students and enterprise users. Students, whose primary experience with computing revolves around mobile devices such as tablets and smartphones, don’t worry about cyber risks. Clicking a link from a smartphone isn’t going to compromise the device because such devices are nearly impervious to attacks. But click the link from a computer, and the story is quite different.

It also appears the FAU study focused only on clicking links, but phishing threats aren’t limited to one vector. Others include data entry, password credentials, clicking attachments, and email conversations that don’t involve links or attachments. Replicating some of these vectors in a real-world simulation is a bigger challenge than the method used by the study.

Focus on Reporting

A PhishMe-commissioned study found 94% of office workers know what phishing is and the risk it presents to organizations. The study also found that 94% of office workers know how to report suspicious emails in their organization. And that’s where the focus of training needs to be – reporting. When users are conditioned to report suspicious email, even if they do so after already clicking on it – maybe they had a lapse – the reporting is still valuable because it helps your security operations teams.

Learning to identify suspicious emails through conditioning is far more effective than general efforts to raise awareness. PhishMe Simulator provides customers with templates that include the exact content used by threat actors. By deriving content from our Phishing Intelligence platform we provide experiences that are relevant to enterprise users. This method allows customers to condition users to spot potential phishes, avoid interacting with them, and report them to their security teams.

While we appreciate the FAU study’s confirmation of what our own research has shown about awareness, we fear it may lead enterprises to make decisions based on the erroneous conclusion that training doesn’t matter. This perspective could lead to the compromise of a network with disastrous results. To avoid such an outcome, we at PhishMe stand ready to work with any academic institution or researcher that could benefit from our experience in the trenches to produce meaningful research about phishing.

Cyber Crime: The Unreported Offense

On July 22, 2016 the UK’s Office for National Statistics released crime details for the year ending March 2016. For the first time, this data included information about fraud and computer misuse offenses, which was compiled in the National Crime Survey for the first time in October 2015. While the police recorded 4.5 million offenses from March 2015 to March 2016, the survey indicates there were likely 3.8 million fraud instances and 2 million computer misuse instances during that same year, with the vast majority of these crimes being unreported to law enforcement. The report has prompted a new call for additional cyber crime reporting at all levels. In the UK, consumers and businesses alike are encouraged to submit suspicious activities and cases of loss to ActionFraud: the National Fraud & Cyber Crime Reporting Center. ActionFraud also offers a Business Reporting Tool for bulk submissions by businesses of both fraud and scam emails.*

Earlier in July, the UK’s National Crime Agency also released their report “Cyber Crime Assessment 2016.”   The primary point made by the NCA report is the “need for a stronger law enforcement and business partnership to fight cyber crime.”

NCA Cyber Crime Assessment 2016

The NCA report called special attention to the sophisticated abilities of international crime groups, making them “the most competent and dangerous cyber criminals targeting UK businesses.” These groups are behind the most sophisticated financial crimes malware.

“This malware is a substantial source of financial crime in the UK, with three variants: DRIDEX, NEVERQUEST and DYRE /DYREZA, appearing frequently and responsible for many hundreds of thousands of individual crimes in 2015.”

The report also highlights the danger of ransomware and Distributed Denial of Service (DDoS) attacks.

While arrests were made in the DRIDEX case, the same botnet is now the leading source of the Locky ransomware family, the focus of more than 50 PhishMe Intelligence reports in the past month alone!

Statements made in March by Sir Bernard Hogan-Howe, the police commissioner of the Metropolitan Police of London, received mixed reviews when he said that banks that refunded their customers after cyber incidents were “rewarding them for bad behavior” instead of teaching them to be safer online.  The GCHQ suggested that 80% of consumer-facing cyber crime could be stopped just by choosing safer passwords and keeping one’s systems updated with current security patches.

The NCA report points out, however, that it isn’t just consumers who are not pulling their weight in the fight against cyber crime. Businesses also have a responsibility to do more. The report urges corporate boards of directors to make sure that their information technology teams are not merely checking the boxes required of compliance regulations, but taking an active role in assisting the cause by ensuring that their businesses are reporting cyber crime incidents. As widely seen in the United States, one may be compliant with PCI, Sarbanes Oxley, HIPAA, and other regulatory standards yet still be extremely vulnerable to the type of sophisticated cyber attacks presented by these sophisticated international crime groups.

Moving beyond Box-Ticking cyber security

“Directors also have an important role in addressing the under-reporting of cyber crime which continues to obscure the full understanding of, and hence responses to, cyber crime in the UK. In particular, we urge businesses to report when they are victims of cyber crime and to share more intelligence, both with law enforcement and with each other.”

– NCA Strategic Cyber Industry Group

Dridex, NeverQuest, Dyre, Ransomware – Meet PhishMe Reporter & Triage

At PhishMe, we are intimately familiar with the prevalence of the malware families discussed in the UK government’s reports. We provide detailed intelligence reports to our customers about all of those malware families, which are among the most common email-based threats that we encounter as we scrub through millions of emails each day to identify the greatest threats and get human-driven analysis about those threats back out to our customers.

We support the security strategy and defense posture recommended by the NCA Strategic Cyber Industry Group. Our industry must move from a reactive, check-box security mentality to a proactive method of gathering and analyzing security incident reporting. PhishMe customers not only have the ability for every employee to become part of the solution to “under-reporting” with a click of the mouse on the “Report Phishing” button, but also to share that information back to PhishMe to allow us to provide indicators that help protect ALL customers and to help inform our law enforcement partners.

PhishMe Reporter

The PhishMe Reporter Button

PhishMe Triage provides a single place for all of those employee reports to be integrated, if your business would like to answer the call to do more information sharing about these top malicious threats. By providing a dashboard-driven interface to all employee-reported malicious emails, the security team can quickly spot the most dangerous trends, confirm the facts, and report to law enforcement, as recommended in the UK’s National Crime Agency report.

In addition, PhishMe Intelligence customers received over 2,500 malware email campaign reports and more than 600,000 individual phishing reports that can be used as an intelligence feed to strengthen your corporate defenses against these malicious actors.

We look forward to partnering with our UK customers, and all of our customers, who choose to take an active stance in the fight against cyber crime by answering the call for increased vigilance and reporting.

* – U.S. businesses are encouraged to report cyber crime and fraud to the FBI’s Internet Crime & Complaint Center, IC3.gov.

 

RockLoader Delivers New Bart Encryption Ransomware

Another ransomware tool has been added to the ever-growing encryption ransomware market with the introduction of the Bart encryption ransomware. Named by its creators in its ransom payment interface as well as in the extension given to its encrypted files, the Bart encryption ransomware has leveraged some distinctive mechanisms for delivery during its early deployments. Furthermore, this ransomware shares some interface elements that evoke the same look and feel used by the Locky encryption ransomware ransom payment interface. In many ways the Bart encryption ransomware is a very mainstream encryption ransomware in both the files it targets for encryption (a full list of these file extensions is included at the end of this post) as well as its demand for a sizable Bitcoin ransom. However, a number of elements related to this encryption ransomware are noteworthy when viewed through the lens of recent developments in the phishing threat landscape.

PhishMe Ranked #1 ‘Best Place to Work’ by Washington Business Journal

PhishMe is proud to announce it has been honored as the best large company to work for in the Washington, D.C. area, following a prestigious annual employee engagement survey. The Washington Business Journal ranked PhishMe #1 in the ‘large companies’ category, the first time the organization has been honored with the title, having surveyed 85 local firms.