
New Trends in Ransom Email Attacks

Release Date: 6 Jun 2019

Recently, HKCERT has received scores of reports of ransom emails. It suspects that cyber criminals are using local email addresses harvested from past data leakage incidents to launch large-scale attacks for profit. To raise public vigilance against such email attacks, HKCERT wishes to share its observations.


First, these ransom emails often pretend to be sent from the recipient's own, supposedly "hacked", email account, and the message body consists of one or more images rather than text in order to evade detection by junk mail filters. The Bitcoin address for ransom payment now also comes as a QR code rather than as text. The email content varies widely. For example, senders claim to have infected the recipient's computer with malware when the recipient visited adult sites and threaten to release sex videos to the Internet. Some claim to have exploited a vulnerability in the recipient's router to break into their IT systems. In some cases, the senders go as far as to say that they have complete control of the recipient's computer and that their malware evades anti-virus software. Others profess to have been hired on the Dark Web and to be in the process of hacking into the recipient's computer; if the recipient is willing to pay a ransom, they will consider stopping the hacking activity.
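The three traits described above (a From address forged to match the recipient, an image-only body, and, because the From is forged, a sender-authentication failure recorded by the receiving mail server) can be flagged with nothing more than Python's standard email parser. The following triage script is an added example, not HKCERT's code or a product; both sample messages, all addresses, and the `MIN_TEXT_CHARS` threshold are constructed assumptions. It deliberately does not try to read the QR-coded Bitcoin address, since that is exactly the content a text filter cannot match.

```python
"""Heuristic triage for image-only ransom emails (added example, not HKCERT's code)."""
import re
from email import message_from_bytes, policy
from email.utils import getaddresses, parseaddr

# Assumption: a body with fewer visible characters than this carries no real text.
MIN_TEXT_CHARS = 20

# Constructed sample: From forged as the recipient, single inline image, no text part,
# and the receiving MTA's Authentication-Results shows SPF failing for the forged sender.
SAMPLE_RANSOM = b"""\
Authentication-Results: mx.example.hk; spf=fail smtp.mailfrom=victim@example.hk; dkim=none
From: victim@example.hk
To: victim@example.hk
Subject: Your account was hacked
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: image/png; name="msg.png"
Content-Transfer-Encoding: base64

iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mNkYPhfDwAChwGA60e6kgAAAABJRU5ErkJggg==
--b1--
"""

# Constructed benign sample for comparison: real external sender, text body, SPF/DKIM pass.
SAMPLE_BENIGN = b"""\
Authentication-Results: mx.example.hk; spf=pass smtp.mailfrom=alice@partner.example; dkim=pass
From: alice@partner.example
To: victim@example.hk
Subject: Meeting notes
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"

Hi, attached are the notes from today's meeting. Thanks, Alice.
"""


def _visible_text_len(msg):
    """Count non-whitespace characters across all text parts (tags stripped from HTML)."""
    total = 0
    for part in msg.walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        if ctype not in ("text/plain", "text/html"):
            continue
        body = part.get_content()
        if ctype == "text/html":
            body = re.sub(r"<[^>]+>", " ", body)
        total += len(re.sub(r"\s+", "", body))
    return total


def _image_part_count(msg):
    """Number of image/* leaf parts in the message."""
    return sum(1 for p in msg.walk()
               if not p.is_multipart() and p.get_content_type().startswith("image/"))


def _auth_failed(msg):
    """The From header is trivially forged; trust only the Authentication-Results
    header written by your own receiving MTA. Treat SPF fail/softfail or DMARC fail as a hit."""
    ar = str(msg.get("Authentication-Results", ""))
    results = {m.group(1): m.group(2).lower()
               for m in re.finditer(r"\b(spf|dkim|dmarc)=(\w+)", ar)}
    return results.get("spf") in ("fail", "softfail") or results.get("dmarc") == "fail"


def triage(raw):
    """Return the three indicators plus a simple count; a triage hint, not a verdict."""
    msg = message_from_bytes(raw, policy=policy.default)
    from_addr = parseaddr(str(msg.get("From", "")))[1].lower()
    to_hdr = msg.get("To")
    to_addrs = [a.lower() for _, a in getaddresses([str(to_hdr)])] if to_hdr else []
    indicators = {
        # Sender "is" the recipient: the "your own hacked account" pretence.
        "self_spoofed": bool(from_addr) and from_addr in to_addrs,
        # Images present but (almost) no machine-readable text to filter on.
        "image_only": _image_part_count(msg) > 0 and _visible_text_len(msg) < MIN_TEXT_CHARS,
        "auth_failed": _auth_failed(msg),
    }
    indicators["score"] = sum(indicators.values())
    return indicators


if __name__ == "__main__":
    print("ransom :", triage(SAMPLE_RANSOM))
    print("benign :", triage(SAMPLE_BENIGN))
```

The `self_spoofed` check only works because the forged From address happens to equal the recipient's; the authoritative signal is the Authentication-Results header that your own mail server adds, which is why the script never trusts the From header on its own. Real filters would also want to OCR the image or match the attachment hash, which is out of scope here.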


In reality, all of the above claims are fabricated to pressure the recipient into paying the ransom; the alleged hacking never happened and will not happen. Seeing your own address in the From field is not evidence that your account was compromised, as the sender address of an email can be freely forged. Like phishing campaigns, such ransom emails are sent indiscriminately with no particular target. As for where the addresses come from, it is likely that data breaches at websites where the victims had registered with their email addresses put those addresses into the hands of the cyber criminals.


Even so, the issue should not be taken lightly, and everyone should do their utmost on information security. Besides regularly updating their mobile phone and computer systems and installing security software, email service users who suspect their accounts may have been compromised must immediately change their passwords, use strong passwords that are not easily cracked, enable two-factor authentication for their online services, and change passwords from time to time. In addition, upon receipt of ransom or other suspicious emails, they must not open any attachment or click any link in the email, and are advised to keep an offline backup of their data.