
Article · Oct 3, 2017

Tricks of the trade: Phishing emails behind notorious ransomware scams


Cybercriminals use phishing emails with malicious links or attachments to distribute ransomware more than any other method. Their goal is to fool unwitting victims into downloading the nasty, file-encrypting malware so they'll be forced to pay a ransom in exchange for the decryption key.

CSO Magazine last year found that 93% of all phishing emails contain ransomware. To protect yourself and your business, it's important to know what emails and tricks to avoid. Here's a look at phishing emails that have been commonly used to spread CryptoLocker, CryptoWall, Locky and other notorious forms of ransomware.

Distributors of CryptoLocker ransomware used fake emails from police to snare victims. In one example, shown below, the distributors used a phony message from the Australian Federal Police informing the potential victim of a traffic violation. Similar police phishing messages were used in other regions. CryptoLocker ransomware was automatically downloaded if victims clicked the link in the email.

Many victims fell prey to these messages because police phishing can create anxiety or panic and force people into action. Victims see the email and want to prove that they don't really owe any money, so they click the link to obtain more details and the ransomware attack begins.

Phishing email example

In 2014, CryptoWall was distributed via email messages that contained a malicious attachment. Once the attachment was opened, CryptoWall encrypted the victim’s data with a 2048-bit RSA key. The CryptoWall phishing message below is one of the least sophisticated examples here. It comes with an attachment but provides no information on what is contained in the attachment. This form of phishing relies mostly on the victim’s curiosity as to what the file could contain that is so important. If you see an email like this, do not click on the attachment.

Phishing email example

CTB-Locker ransomware used messages similar to the police phishing scam to entice victims into clicking on an embedded link. In this case, the email was designed to look like it came from the Federal Trade Commission (FTC). Victims who clicked the link launched a ransomware infection that encrypted their computer data and removed their shadow copies.

Phishing email example

Distributors of Petya, Mischa and GoldenEye ransomware used fake job applications to trick recruiters and HR professionals into downloading the malicious code. They designed the phishing emails to be generic enough that they could be referring to any open position. The goal was to make victims open the attachment to find out which job the "applicant" was talking about. GoldenEye used a slightly different tactic: a .pdf file with the cover letter and a macro-enabled .xlsm file that loaded the ransomware.

Phishing email example

Locky was heavily distributed by large criminal enterprises that used phishing messages. The one below claims that the victim made a payment on an account. The victim can view the payment confirmation in the attached zip file. Unfortunately for victims, the zip contained fake transaction information and a Locky ransomware loader.

Phishing email example

As with Locky, the distributors of TeslaCrypt used a .zip attachment to attack their victims. In the case below, the phishing message claims that payment for services is overdue and threatens legal action if the victim does not pay. Victims who opened the .zip file found a Microsoft Word document with macros that installed the ransomware.

Phishing email example

Ransomware phishing messages entice computer users into opening attachments or clicking links containing malicious code by appealing to their curiosity, creating anxiety or panic, or by offering them something of value such as money or a free vacation.

Be skeptical of emails you receive and do not click links or open attachments unless you are absolutely certain the message was sent by a trusted individual or business. You should also disable macros in Microsoft Office, because many forms of ransomware arrive as Office documents whose macros install the malware. Disabling Microsoft Office macros prevents such code from running.
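To show what the macro and attachment advice above looks like as a mail-gateway check, here is an added example (not Carbonite's or the author's code) that parses a message, unpacks .zip attachments, and flags macro-enabled Office files and OOXML packages that carry a VBA project; the lure message, its filenames and the file contents are all constructed for the example.

```python
import io, os, zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Macro-enabled Office extensions (the GoldenEye lure above used an .xlsm).
MACRO_EXTS = {".docm", ".xlsm", ".pptm", ".dotm", ".xltm"}

def inspect_file(name, data, depth=0):
    """Return the reasons this file is suspicious (empty list if none)."""
    ext = os.path.splitext(name)[1].lower()
    reasons = [f"{name}: macro-enabled Office extension"] if ext in MACRO_EXTS else []
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return reasons
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        members = zf.namelist()
        # OOXML files are zips; a vbaProject.bin part means VBA is present, whatever the extension says.
        if any(m.lower().endswith("vbaproject.bin") for m in members):
            reasons.append(f"{name}: Office package contains a VBA project")
        elif ext == ".zip" and depth < 2:  # archive: look inside, bound nesting
            reasons.extend(r for m in members
                           for r in inspect_file(m, zf.read(m), depth + 1))
    return reasons

def scan_message(raw):
    """Map each attachment filename to the reasons it was flagged."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or "unnamed"
        findings[name] = inspect_file(name, part.get_content())
    return findings

def sample_lure():
    """Constructed sample in the style of the Locky/TeslaCrypt lures above."""
    docm, outer = io.BytesIO(), io.BytesIO()
    with zipfile.ZipFile(docm, "w") as zf:  # minimal OOXML package with VBA
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/vbaProject.bin", b"constructed placeholder")
    with zipfile.ZipFile(outer, "w") as zf:  # the .zip the mail carries
        zf.writestr("Payment_confirmation.docm", docm.getvalue())
    msg = EmailMessage()
    msg["Subject"] = "Payment confirmation"
    msg.set_content("Your payment confirmation is attached.")
    msg.add_attachment(outer.getvalue(), maintype="application",
                       subtype="zip", filename="confirmation.zip")
    msg.add_attachment(b"%PDF-1.4 constructed", maintype="application",
                       subtype="pdf", filename="cover_letter.pdf")
    return msg.as_bytes()
```

Running `scan_message(sample_lure())` flags the zip (because the document inside it is both macro-enabled by extension and actually contains a VBA project) and leaves the PDF unflagged; a real deployment would quarantine or strip flagged attachments rather than just report them.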

Lastly, keep a backup of your data just in case someone does click an infected link or open malicious files. Backing up your data to an offsite location, such as the cloud, ensures that you can get your data back following an attack without paying the ransom.

Eric Vanderburg

Eric Vanderburg is an information security executive and author known for his insight on cybersecurity, privacy, data protection and storage. Some have called him the “Sheriff of the Internet” because his cybersecurity team at JurInnov protects companies from cyberthreats, investigates data breaches, and provides guidance on safe computing. Eric is passionate about sharing cybersecurity and technology news, insights and best practices. He regularly presents on security topics and maintains a security blog. You can find him throughout the day posting valuable and informative content on his social media channels.