Posted on: December 11, 2015

Systems Affected

Overview

The Guyana National Computer Incident Response Team has been made aware of a ransomware incident experienced by a major government organisation. This alert serves to inform you of the threat and to highlight the recommended steps that should be taken to minimise the risk of becoming a victim of ransomware. Ransomware is a type of malware that encrypts your data files and demands payment in return for the key needed to decrypt them.

Description

The ransomware gained entry to the organisation’s network via spam email. Malicious emails were delivered to multiple users with subjects relating to “Payments and Invoices”; users are tricked into opening them because of these subject lines. Examples of the email headers are:

From: Dionne Hall [HallDionne2079 at myvzw.com]
Sent: Thursday, December 10, 2015 4:53 AM
To: John Dow
Subject: copy_invoice_4181711 from DataCorp Inc
Attachment: copy_invoice_41818711.zip

From: Marjorie Anthony [Anthony Marjorie501 at intred.it]
Sent: Friday, December 11, 2015 3:35 AM
To: Jane Dow
Subject: Reference Number #09921533, Last Payment Notice
Attachment: copy_payment_09921533.zip

Suggested Action

GNCIRT recommends the following steps to be taken to minimise the risk of infection:

• Alert all staff to exercise caution when opening emails
• Pay special attention to emails from unknown email addresses, emails with attachments and emails appearing to suggest payments, receipts and invoices.
• Observe emails that appear to come from known associates with minor variations to their names and email addresses
• Also be aware of attachments with file extensions that do not match the respective document types, e.g. executable files (.exe, .js, .bat, etc.) masquerading as office documents (.docx, .xlsx, .odt, .pptx, etc.).
• Make regular backups of your data files to limit the loss of data. Daily backups of critical files should be done by the Systems Administrator.
• Backups should be securely stored away from the computer systems. Flash drives and backup drives should not be left connected to computer systems.
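The checks in the list above can be applied automatically at a mail gateway or during incident triage. The following Python script is an added example, not GNCIRT tooling, that parses a raw message and reports the signals this alert describes: payment/invoice wording in the subject, compressed attachments, and executable files (including double extensions such as .docx.js) masquerading as office documents, looking inside .zip attachments without extracting them. The sample message it builds is constructed here, modelled on the quoted headers with the sender domain replaced by a placeholder; it is not a real capture and the archive member is a harmless text placeholder.

```python
"""Triage of invoice/payment lure emails (added example, not GNCIRT's own code)."""
import io
import re
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Signals taken from the alert: lure wording, archives, executables posing as documents.
LURE_WORDS = re.compile(r"invoice|payment|receipt", re.I)
EXEC_EXT = {".exe", ".js", ".bat", ".scr", ".vbs", ".cmd", ".wsf"}
OFFICE_EXT = {".docx", ".xlsx", ".odt", ".pptx", ".doc", ".xls", ".pdf"}
ARCHIVE_EXT = {".zip"}


def _exts(name):
    """All extensions of a filename, lowercased: 'a.docx.js' -> ['.docx', '.js']."""
    base = name.lower().rsplit("/", 1)[-1]  # strip any directory part inside archives
    parts = base.split(".")
    return ["." + p for p in parts[1:]]


def classify_filename(name):
    """Findings for one attachment (or archive member) name; empty list if benign."""
    findings = []
    exts = _exts(name)
    if not exts:
        return findings
    if exts[-1] in EXEC_EXT:
        findings.append(f"executable attachment: {name}")
        # A document extension before the real one is the masquerade the alert warns about.
        if any(e in OFFICE_EXT for e in exts[:-1]):
            findings.append(f"executable masquerading as office document: {name}")
    return findings


def inspect_zip(data):
    """Classify every member name of a zip attachment; members are never extracted."""
    findings = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for member in zf.namelist():
                findings += [f"in archive: {f}" for f in classify_filename(member)]
    except zipfile.BadZipFile:
        findings.append("attachment claims .zip but is not a valid archive")
    return findings


def triage(raw):
    """Return (number of findings, findings) for a raw RFC 822 message."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    if LURE_WORDS.search(str(msg["Subject"] or "")):
        findings.append("payment/invoice wording in subject")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        findings += classify_filename(name)
        exts = _exts(name)
        if exts and exts[-1] in ARCHIVE_EXT:
            findings.append(f"compressed attachment: {name}")
            findings += inspect_zip(part.get_content())
    return len(findings), findings


def build_sample():
    """Constructed lure modelled on the alert's quoted headers (placeholder domain, harmless payload)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("copy_invoice_4181711.docx.js", "// constructed placeholder, not malware\n")
    msg = EmailMessage()
    msg["From"] = "Dionne Hall <HallDionne2079@example.invalid>"
    msg["To"] = "John Dow <jdow@example.invalid>"
    msg["Subject"] = "copy_invoice_4181711 from DataCorp Inc"
    msg.set_content("Please find attached your invoice.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="copy_invoice_4181711.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    score, hits = triage(build_sample())
    print(f"{score} finding(s)")
    for hit in hits:
        print(" -", hit)
```

On the constructed sample the script reports four findings: the lure wording in the subject, the compressed attachment, the executable inside it, and the .docx.js masquerade. The archive is only listed, never extracted, so the check is safe to run on quarantined mail; a gateway would typically hold any message scoring above zero for review rather than delivering it.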

GNCIRT recommends the following steps be taken to mitigate the impact if infected:

• Do not pay any ransom demands
• Disconnect the impacted system/s from the network immediately and quarantine same in a secured location
• Halt usage of impacted system/s to minimize loss of data
• Attempt to identify which variant of ransomware you are infected with
• Notify the Guyana National Computer Incident Response Team
