Canadian University Hit with Ransomware Through Fake COVID-19 Survey
Table of Contents
- By Dawna M. Roberts
- Published: Oct 29, 2020
- Last Updated: Mar 20, 2023
Throughout the COVID-19 pandemic, hackers have waged countless ransomware attacks—the latest was delivered via a fake COVID-19 survey, and the victim was a Canadian university.
The Attack
Malwarebytes reported yesterday that their threat assessors had noticed quite a few phishing attacks aimed at universities. They credit the Silent Librarian APT group with the attacks. On October 19, they found a new ransomware device aimed at the University of British Columbia (UBC) using a fake COVID-19 survey to deliver its payload.
When Malwarebytes contacted the UBC, they explained that they were already aware of the phishing campaign, and they shared additional details with the threat assessors so they could publish the findings to warn others. Thankfully, due to the university's cybersecurity team's quick action, no one was negatively affected by the ransomware attack.
How Hackers Did It
The interesting thing about this ransomware attack is that it does not use traditional malware. Instead, the hacker embedded code into a Word document using macros, which then encrypted the data and threatened the user to pay ransom to recover their files.
Another unique feature of this incident is that the threat actor created an email address with mailpoof.com so they could register Box.net and DropBox accounts. So instead of actually sending the fake survey via email, the criminal uploaded it to their Box and DropBox accounts and used these platforms to house the tainted document.
The hacker sent the email to university recipients claiming to be a manager and demanding that they fill out the survey. The actual email text read:
"Good evening gals and guys! [redacted] here, [redacted] manager for [redacted]. I am sharing a mandatory survey with you that must be completed by Monday. It asks a few questions about how you believe our company responded to the pandemic regarding remote working and much more. Please fill it out ASAP!
You will also find a form at the end that you can fill out if you need any necessities! Necessities include: gloves, hand sanitizer, masks, or disinfectant spray. We will be providing it to those employees who fill out the form for free! Simply sign your initials and put what you need as well as the quantity! In advance, we appreciate your feedback! Thanks all! Stay strong! I understand times like this can be difficult!"
The Details Explained
Upon opening the form stored in Box.net or DropBox, the user saw a message saying that the document required a signature and to click the "Enable Editing" button at the top bar and then "Enable Content" as well. By doing this, the payload was delivered.
According to UBC, thankfully, fewer than 100 people received the link. The only people that could access it had to have registered accounts with those services.
According to Malwarebytes, "The phishing document uses template injection to download and execute a remote template (template.dotm) weaponized with a malicious macro. That file was uploaded to a free code hosting website (notabug.org)."
Along with the original document, security experts found four other remote templates with similar code. They also noted some Swedish language in artifacts found in the repository, indicating that perhaps the criminals were familiar with that language.
"Opening the phishing document will trigger notification via the canarytokens.com website. Typically, people use this type of service to get alerted for a particular event. This can be very useful as an early warning notification system that an intruder has had access to a network. In this case, the attacker is probably interested in how many people opened the document and perhaps where they are from," Malwarebytes commented.
How the Ransomware Works
The type of ransomware attack used was Vaggen. Upon deployment, the malicious software begins encrypting the user's files with a .VAGGEN extension. After completion, a ransom note displays on the Desktop, demanding 80 USD in Bitcoin.
The ransom amount is relatively low compared to most ransomware attacks. That, combined with the simple code, leads threat assessors to assume that the attacker is not a sophisticated player or part of any organized hacker group. That being said, they do credit the cybercriminal with a "well-conceived phishing attack and a well-designed template with a nice touch of adding canary tokens."
It is unclear if the UBC was the only target and the odd combination of facets about this incident makes it unclear what the true motive was.
How to Protect Against Ransomware
Malwarebytes is one of many distributors of antivirus/anti-malware software that helps detect, block, and protect users against ransomware attacks and other types of threats. Other things to keep in mind are:
- Never click a link in an email.
- Don't trust that emails came from where they appear to have.
- Always keep your devices updated with the latest security patches.
- Install good antivirus/anti-malware software and run deep scans often.
- Do not enable macros in Word or Excel unless you know where the file came from.