RansomCloud Attack Encrypts Cloud-Based Emails

Ransomware may be more commonly used to encrypt files on business networks, but that does not mean consumers are in the clear. Cybercriminals tend to target businesses because of the higher potential rewards from a successful attack, but a new ransomware strain has been developed that highlights how vulnerable consumers are to ransomware attacks.

In this case, the ransomware strain was developed by a white hat hacker as a proof of concept for a new attack method. Rather than encrypt files stored on computers, the ransomware encrypts data in cloud-based email accounts, such as Gmail, Yahoo, and Office 365. The attack has been given the name ‘ransomcloud.’

The ransomcloud attack works with all cloud email providers that allow third party application control via OAuth.

As is typical with ransomware attacks on businesses, the attack starts with a phishing email. The email is supposedly sent by a well-known company – Microsoft for instance. The email has all the regular branding, color schemes and text styles used by that company. The email is virtually indistinguishable from a genuine communication.

Rather than a security warning, this phishing email offers the user the opportunity to sign up for additional protection from spam email. As with other phishing email lures, the aim is to convince the user to disclose their email login credentials, which in this case occurs by giving the attacker an OAuth token.

In this example, the email is promoting a service called AntiSpamPro, which appears to have been sent by Microsoft. The email recipient is requested to click a hyperlink in the email to get a free copy of the antispam software. Clicking the link will launch a popup – with the Microsoft logo – which asks the user to authorize the app to access their email account. This is a reasonable request given that the solution will need to have email account access to be able to block spam messages. After all, the content of messages would need to be checked to determine whether emails are genuine or spam.

Clicking the Accept button gives the program access to the cloud email account, after which it's game over. Allowing the app access to email results in the deployment of the ransomware payload, which encrypts all emails in real time.
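As an added defender-side example (not code from the original article or from the proof of concept it describes), the Python routine below inspects an OAuth authorization request of the kind such a consent popup is built on and flags any grant of mailbox control to an app that is not on an allowlist. The authorize endpoint and scope names are real Microsoft Graph and Gmail values; the client id, redirect host and allowlist policy are constructed for the example.

```python
from urllib.parse import urlparse, parse_qs

# Real Microsoft Graph / Gmail scope names; treating them as "full mailbox
# control" is this example's own policy choice, not a vendor classification.
MAILBOX_CONTROL_SCOPES = {
    "Mail.ReadWrite", "Mail.ReadWrite.Shared", "Mail.Send",
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/gmail.modify",
}


def parse_authorize_request(url: str) -> dict:
    """Pull the fields that matter out of an OAuth authorization URL."""
    q = parse_qs(urlparse(url).query)

    def first(key: str) -> str:
        return q.get(key, [""])[0]

    scopes = set(first("scope").split())
    return {
        "client_id": first("client_id"),
        "redirect_host": urlparse(first("redirect_uri")).hostname or "",
        "scopes": scopes,
        # Either form means the app wants a long-lived refresh token.
        "persistent": "offline_access" in scopes or first("access_type") == "offline",
    }


def assess_consent_request(url: str, approved_client_ids: set) -> list:
    """Return the reasons a consent request should be blocked or reviewed."""
    req = parse_authorize_request(url)
    findings = []
    control = sorted(req["scopes"] & MAILBOX_CONTROL_SCOPES)
    if control and req["client_id"] not in approved_client_ids:
        findings.append(
            f"unapproved app {req['client_id']} (redirects to {req['redirect_host']}) "
            f"asks for mailbox control: {', '.join(control)}"
        )
    if control and req["persistent"]:
        findings.append("refresh token requested: access outlives the sign-in session")
    return findings


# Constructed sample: the request behind an 'AntiSpamPro' style consent popup.
SAMPLE_REQUEST = (
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
    "?client_id=00000000-0000-0000-0000-00000000dead"  # placeholder, not a real app
    "&response_type=code"
    "&redirect_uri=https%3A%2F%2Fantispampro.example%2Fcallback"
    "&scope=openid%20offline_access%20Mail.ReadWrite%20Mail.Send"
)

if __name__ == "__main__":
    for finding in assess_consent_request(SAMPLE_REQUEST, approved_client_ids=set()):
        print("BLOCK:", finding)
```

The same check applied to the tenant's consent logs, rather than to a single URL, is how a defender would spot a mailbox-control grant to an unknown app before the payload runs.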

The headers are left intact, although the message body is encrypted. A message is then sent to the inbox – the only message that is not encrypted – saying a ransom must be paid to recover the encrypted messages.

In this case, ransomware is deployed, but simply giving the attacker email account access is bad enough. Any sensitive information in the account could be accessed and used for malicious purposes, such as in spear phishing campaigns. The account could also be used to send phishing emails to all of the user's contacts. Since those emails would come from a known contact, the chance of the actions requested in them being followed would be substantially higher.

The attack method has not been observed in the wild, but that may not be the case for long. If a white hat hacker can develop this attack method, there is nothing stopping a black hat hacker from doing the same.

Author: NetSec Editor