Ransomcloud Attack Encrypts Cloud-Based Emails

June 16, 2018


Ransomware is more commonly used to encrypt files on business networks, but that does not mean consumers are in the clear. Cybercriminals may favour companies because a successful attack pays more, but a new ransomware strain shows how vulnerable consumers are to ransomware attacks.

In this case the ransomware strain was created by a white hat hacker as a proof of concept for a new attack method. Instead of encrypting files stored on computers, the ransomware encrypts data in cloud-based email accounts such as Yahoo, Gmail, and Office 365. The attack has been named 'ransomcloud'.

The ransomcloud attack works with any cloud email provider that allows third-party applications to be granted access through OAuth.

As is typical of ransomware attacks on companies, the attack starts with a phishing email. The email purports to come from a well-known company, Microsoft for example, and uses all the usual branding, colour schemes and text styles of that company. It is almost indistinguishable from a genuine message.

Rather than a security alert, this phishing email offers the user the chance to sign up for extra protection against spam. As with other phishing lures, the aim is to persuade the user to give up their email login credentials, which in this case happens by granting the attacker an OAuth token.

In this case the email promotes a service called AntiSpamPro and appears to have been sent by Microsoft. The recipient is asked to click a link in the email to obtain a free copy of the antispam software. Clicking the link opens a popup, bearing the Microsoft logo, that asks the user to allow the app to access their email account. The request seems reasonable, since an antispam solution would need access to the email account in order to block spam: it would have to read the content of messages to decide whether they are genuine or junk.

Clicking the Accept button gives the application access to the cloud email account, and at that point it is game over. Granting the app access to the mailbox triggers deployment of the ransomware payload, which encrypts every email in real time.

The headers are left intact, but the message body is encrypted. A message is then delivered to the inbox, the only one left unencrypted, stating that a ransom must be paid to recover the encrypted messages.
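The whole attack hinges on one event: a user consenting to a third-party app that asks for read/write access to the mailbox plus a long-lived token. That event is visible in a provider's consent audit trail, so it can be reviewed and alerted on. The following Python script is an added example, not part of the original article or of the proof of concept it describes. It assumes a simplified, constructed JSON-lines audit format (field names `event`, `user`, `app_name`, `app_id`, `publisher_verified`, `scopes` are hypothetical; real providers' schemas differ, so only `load_events` would need adapting), uses Microsoft Graph-style permission names such as `Mail.ReadWrite` purely for illustration, and flags consent grants that give an unapproved app the ability to read or rewrite mail, escalating when `offline_access` (a refresh token) is also granted.

```python
"""Flag risky third-party OAuth consent grants in a mailbox audit feed.

Added example, not from the original article. The audit format below is a
constructed, simplified JSON-lines feed; real providers' schemas differ, so
load_events() is the only part a deployment would need to adapt.
"""
import json
from dataclasses import dataclass

# Scopes that let an app rewrite every message, which is exactly what a
# mailbox-encrypting payload needs. Names follow Microsoft Graph permission
# naming for illustration; treat these sets as configuration.
MAILBOX_WRITE_SCOPES = {"Mail.ReadWrite", "Mail.ReadWrite.Shared"}
MAILBOX_READ_SCOPES = {"Mail.Read", "Mail.Read.Shared"} | MAILBOX_WRITE_SCOPES

# Apps the organisation has vetted and approved (hypothetical app IDs).
APPROVED_APP_IDS = {"app-approved-0001"}


@dataclass
class Finding:
    user: str
    app_name: str
    app_id: str
    severity: str
    reasons: tuple


# Constructed sample audit events: a calendar app with no mail access, an
# approved mail-archiving app, a grant matching the AntiSpamPro lure, and an
# unrelated sign-in event that should be ignored.
SAMPLE_AUDIT_LOG = """\
{"ts":"2018-06-15T09:12:03Z","event":"ConsentGranted","user":"alice@example.com","app_name":"Meeting Planner","app_id":"app-cal-0042","publisher_verified":true,"scopes":["Calendars.Read","offline_access"]}
{"ts":"2018-06-15T09:40:17Z","event":"ConsentGranted","user":"bob@example.com","app_name":"Corporate Mail Archiver","app_id":"app-approved-0001","publisher_verified":true,"scopes":["Mail.ReadWrite","offline_access"]}
{"ts":"2018-06-15T10:05:44Z","event":"ConsentGranted","user":"carol@example.com","app_name":"AntiSpamPro","app_id":"app-unknown-7f3a","publisher_verified":false,"scopes":["Mail.ReadWrite","User.Read","offline_access"]}
{"ts":"2018-06-15T10:06:01Z","event":"SignIn","user":"carol@example.com","app_name":"Outlook","app_id":"app-first-party","publisher_verified":true,"scopes":[]}
"""


def load_events(text):
    """Parse the JSON-lines feed, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def assess_consent(event):
    """Return a Finding for a risky consent grant, or None if it looks fine."""
    if event.get("event") != "ConsentGranted":
        return None
    if event.get("app_id") in APPROVED_APP_IDS:
        return None  # vetted app: mailbox access is expected
    scopes = set(event.get("scopes", []))
    if not scopes & MAILBOX_READ_SCOPES:
        return None  # no mailbox access requested, nothing to escalate

    reasons = []
    can_write = bool(scopes & MAILBOX_WRITE_SCOPES)
    reasons.append("app can modify mailbox contents" if can_write
                   else "app can read mailbox contents")
    persistent = "offline_access" in scopes
    if persistent:
        reasons.append("refresh token issued: access persists after the session ends")
    if not event.get("publisher_verified", False):
        reasons.append("publisher not verified")

    # Write access plus a refresh token is the combination an encryption
    # payload needs; anything else with mailbox access is still worth review.
    severity = "high" if can_write and persistent else "medium"
    return Finding(event["user"], event["app_name"], event["app_id"],
                   severity, tuple(reasons))


def find_risky_consents(text):
    """Run the assessment over a whole feed and return the findings."""
    return [f for f in map(assess_consent, load_events(text)) if f is not None]


if __name__ == "__main__":
    for f in find_risky_consents(SAMPLE_AUDIT_LOG):
        print(f"[{f.severity}] {f.user} granted '{f.app_name}' ({f.app_id}): "
              + "; ".join(f.reasons))
```

Run against the constructed feed, only the AntiSpamPro grant is reported, at high severity, because it combines write access to mail, a refresh token and an unverified publisher. The approved archiver is silently accepted on the strength of its allowlisted app ID, which is the point: the alert is for mailbox access that nobody vetted, not for mailbox access as such.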

In this case ransomware is deployed, but simply giving the attacker access to the email account is bad enough. Any confidential information in the account could be retrieved and used for malicious purposes such as spear phishing campaigns. The account could also be used to send phishing emails to all of the user's contacts; because those emails would come from a known contact, the requested actions would be far more likely to be carried out.

The attack method has not yet been seen in the wild, but that may not remain the case for long. If a white hat hacker can create this attack method, there is nothing stopping a black hat hacker from doing the same.