Fake Dropbox "Please verify..." Email Downloads Ransomware
We’re blocking a massive Locky ransomware campaign with fake Dropbox emails using subjects like “Please verify your email address”. The delivery mechanism has several steps designed to fool spam filters and victims into downloading and executing a malicious JavaScript file that infects your machine and locks your files.
With threat investigator Greg C. and threat analyst Todd S.
What the Email Looks Like
The subject line is "Please verify your email address" followed by your actual email address (rather than your name). The message claims to be from Dropbox and refers to you again by your email address. It then asks you to verify your email address before your "signup" is complete, by clicking a large "Verify your email" button. Do NOT click it.

This might trick not only people who have Dropbox accounts, but also those who don't and might wonder if a scammer signed up in their name. If you're looking at the email in a browser, hovering over the button reveals a suspicious URL (not dropbox.com) that ends in "dropbox.html". Someone in a rush or not paying attention might click it.
How We Blocked this Dropbox/Locky Spam
Over 1.4 million of these Dropbox Locky emails hit our filter servers, with an amazing blocking rate of over 99.9999%. Our customers didn't have to do anything to stop it.
Several complex phrase filters are blocking it, as well as at least one content filter that's designed to block fake Cloud-based storage attacks. We already had filters in place from previous campaigns that blocked this new one, something SpamStopsHere does often. Nonetheless, we added some more filtering that should help block future variations when they hit.
Important Threat Indicators
Regardless of how good (or not) your spam filter is, your coworkers should always be on the alert for signs that an email is spam. This campaign includes some indicators:
- Unexpected “Verify your email” for an account you may or may not have
- Greeting uses part of your email address, rather than your name
- Hovering over the “click-me” button reveals a non-dropbox URL
- The link downloads a JavaScript file (hopefully you'll never get that far)
How the Ransomware Infects Your Computer
The “Verify Your Email” button goes to a malicious file called “dropbox.html” on what is likely a hacked website. The domain varies from email to email, so just blocking that URL won’t do much. The dropbox.html landing page displays “Please wait while we prepare your files for download...”

While you’re reading that, an iframe (an inline-frame HTML element) on the page that links to a drop.php file is initiating the download of a malicious JavaScript file (e.g., “Dropbox-MSGCODE-xxxxxxxx.js”). The JavaScript download only seems to work if the browser's User-Agent says it's running on Windows.
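The indicators listed above and the lure details in this section can be checked mechanically on a raw message. The script below is an added example written for this post, not SpamStopsHere's own filter code. It parses an .eml with Python's standard library and reports which of the campaign's traits it finds: the "Please verify your email address" subject that embeds the recipient's address, a "Dropbox" display name on a non-Dropbox sender, a greeting built from the email's local part, a "Verify" button whose link is not on dropbox.com, and a link path ending in dropbox.html. It also recognises the "Dropbox-MSGCODE-….js" download name. Both sample messages, the sender domain and the lure URL are constructed for illustration; `dropbox.com` and `dropboxmail.com` are assumed to be the legitimate domains.

```python
"""Flag the Dropbox/Locky phishing traits described in the post on a raw email.

Added example (not SpamStopsHere's filter). Sample messages, domains and URLs
below are constructed placeholders, not real campaign indicators.
"""
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed legitimate sender/link domains for Dropbox.
LEGIT_DROPBOX_DOMAINS = {"dropbox.com", "dropboxmail.com"}

# Name pattern of the lure download described in the post ("Dropbox-MSGCODE-xxxxxxxx.js").
LURE_JS_NAME = re.compile(r"^Dropbox-MSGCODE-\w+\.js$", re.I)


class LinkExtractor(HTMLParser):
    """Collect (href, anchor text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def is_dropbox_domain(host):
    host = (host or "").lower()
    return any(host == d or host.endswith("." + d) for d in LEGIT_DROPBOX_DOMAINS)


def looks_like_lure_download(filename):
    """True if a download name matches the campaign's JavaScript lure naming."""
    return bool(LURE_JS_NAME.match(filename))


def phishing_indicators(raw):
    """Return the list of campaign traits found in a raw RFC 822 message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    subject = (msg.get("Subject", "") or "").lower()
    recipient = parseaddr(msg.get("To", "") or "")[1].lower()
    local_part = recipient.split("@")[0]
    sender_name, sender_addr = parseaddr(msg.get("From", "") or "")
    sender_host = sender_addr.rsplit("@", 1)[-1].lower()
    hits = []

    # Subject says "verify your email address" and repeats the recipient's address.
    if "verify your email address" in subject and recipient and recipient in subject:
        hits.append("subject_verify_with_recipient_address")

    # Display name claims Dropbox but the envelope-visible sender domain does not.
    if "dropbox" in sender_name.lower() and not is_dropbox_domain(sender_host):
        hits.append("dropbox_display_name_non_dropbox_sender")

    body = msg.get_body(preferencelist=("html", "plain"))
    content = body.get_content() if body else ""
    extractor = LinkExtractor()
    extractor.feed(content)
    text = re.sub(r"<[^>]+>", " ", content)

    # Greeting uses the local part of the address instead of a name.
    m = re.search(r"\b(hi|hello|dear)\s+([^\s,!]+)", text, re.I)
    if m and local_part and m.group(2).lower() == local_part:
        hits.append("greeting_uses_email_local_part")

    for href, anchor in extractor.links:
        parsed = urlparse(href)
        if "verify" in anchor.lower() and not is_dropbox_domain(parsed.hostname):
            hits.append("verify_button_non_dropbox_url")
        if parsed.path.lower().endswith("dropbox.html") and not is_dropbox_domain(parsed.hostname):
            hits.append("link_to_dropbox_html_lure")
    return hits


# Constructed sample resembling the campaign (placeholder domains/paths).
SAMPLE_PHISH_EML = b"""From: Dropbox <no-reply@dropbox-mailer.example>
To: alice.jones@example.org
Subject: Please verify your email address alice.jones@example.org
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Hi alice.jones,</p>
<p>Please verify your email address to complete your signup.</p>
<p><a href="http://compromised-site.example/dropbox.html">Verify your email</a></p>
</body></html>
"""

# Constructed benign message for comparison.
BENIGN_EML = b"""From: Dropbox <no-reply@dropbox.com>
To: alice.jones@example.org
Subject: Your weekly summary
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body><p>Hi Alice,</p>
<p><a href="https://www.dropbox.com/home">Open Dropbox</a></p></body></html>
"""

if __name__ == "__main__":
    print("phish:", phishing_indicators(SAMPLE_PHISH_EML))
    print("benign:", phishing_indicators(BENIGN_EML))
```

Any single hit is worth a second look; the constructed phishing sample trips all five, while the benign one trips none. The greeting and subject checks are deliberately tied to the recipient's own address, which is what makes this campaign's personalisation look automated rather than legitimate.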
Depending on your browser and security settings, you may or may not see a download warning like the following:

Locky Ransomware Infection and Encryption
If you open or run the JavaScript file (don’t), it downloads and runs Locky ransomware. The JavaScript starts the process, downloading the payload from a known Locky distribution site tied to the Necurs botnet. Within seconds, your files are being encrypted.
This new Locky variant is using the ".lukitus" extension and changes the Windows background image. As with past Locky variants, the ransomware tells you to install a Tor Browser and navigate to a .onion URL to pay the ransom using your “personal identification” code:

About SpamStopsHere
To find out more about SpamStopsHere, check out our simple pricing and start a FREE 30-Day trial, visit our website, or contact us anytime via phone (800-458-3348 | 734-426-7500), chat or email. We're always here. 24/7/365.