Recent ransomware scam disguised as well-known and trusted UK postal service

We all see and hear about UK organisations being ‘hacked’. But it may have never happened to us, so there is a tendency to not sit up and pay attention.

Sectors that are commonly targeted by hacker gangs include healthcare, education, public sector and manufacturing. But hacking is not exclusive to these sectors. All businesses, non-profits, charities, and other types of organisations should be taking measures to protect themselves from the effects of a successful hack. More about that shortly.

What happened?

In this particular instance, researchers at Cyber Security firm Proofpoint identified an email campaign in September 2024 impersonating the UK postal service, Royal Mail. The purpose of the campaign was to deliver a ransomware variant known as Prince Ransomware.

Prince Ransomware is a freely available variant of malware (malicious software). It is advertised as designed for ‘educational purposes’.

Interestingly, this hacking campaign did not just use the typical method of sending phishing emails to thousands of email addresses. The hackers also used contact forms on company websites to make sure their messages were delivered. Why would they do that? Often, organisations will make sure their contact form emails bypass spam filtering because they are perceived as ‘trusted’. Also, contact form submissions are often delivered to multiple people.

What made this campaign particularly vicious was that once the ransomware had encrypted the victim’s files, there was no decryption mechanism to recover them, and there was no data exfiltration (data theft). The intention was purely destructive, rather than lucrative.

What did the email look like?

It is worth knowing how these emails were crafted. The more we learn what to look for in a phishing email, then the more likely we are to identify them correctly, and hit the delete button sooner.

Below is a sample screenshot of one of these emails.

The email contained a sender or reply-to Proton email address. Each email sent used a different address, making the attack harder to detect.

The email was fully branded with Royal Mail’s logo and an authentic-looking disclaimer.

The email had a message about an unsuccessful delivery attempt, compelling the recipient to print the attached shipping invoice and take it to a Royal Mail location to collect their delivery.

The email contained a PDF attachment called invoice.pdf.

Example email: [screenshot]

The PDF attachment was fully branded, and the wording compelled the recipient to click a link.

The link downloaded a ZIP file hosted on a Dropbox account.

Example PDF: [screenshot]

The ZIP file contained another ZIP file called ‘invoice.zip’. This second ZIP file was password protected. Why? To prevent threat detection mechanisms from being able to open the ZIP file for automatic analysis.

The password to open the invoice.zip file was included as a text file in the parent ZIP file, in a file called ‘privacy notice.txt’.

Example view of the ZIP file downloaded from Dropbox: [screenshot]

Once the user opened the invoice.zip file with the included password, they would have seen a shortcut (LNK) file. If they double-clicked on it, the malware would begin to run.
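The nested-archive layout just described (a text file holding the password next to a password-protected ZIP that hides a shortcut file) is something a mail gateway or analyst script can flag without ever opening the inner file. Below is an added example, not code from the article or from Proofpoint: it builds a constructed, harmless sample with that layout and checks it using only entry names and the ZIP header flags. The file names and the `.lnk`/`.ps1` extension list are assumptions taken from the article’s description.

```python
import io
import zipfile

ENCRYPTED_FLAG = 0x1          # general-purpose bit 0: entry is password protected
RISKY_EXT = (".lnk", ".ps1")  # shortcut/script types mentioned in the article (assumption)


def _mark_encrypted(zip_bytes: bytes) -> bytes:
    """Set the 'encrypted' flag on every entry of an in-memory ZIP. Used only to
    build the constructed sample: data is not really encrypted, but the headers
    then look exactly like those of a password-protected archive."""
    buf = bytearray(zip_bytes)
    for sig, flag_offset in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
        pos = buf.find(sig)
        while pos != -1:
            buf[pos + flag_offset] |= ENCRYPTED_FLAG  # low byte of the flag word
            pos = buf.find(sig, pos + 4)
    return bytes(buf)


def build_sample_lure() -> bytes:
    """Constructed sample with the article's layout: outer ZIP holding
    'privacy notice.txt' (the password) and a password-protected 'invoice.zip'
    that holds a shortcut. Every file is a harmless placeholder."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("invoice.lnk", b"placeholder shortcut, not a real LNK")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("privacy notice.txt", "Password: example-password")
        z.writestr("invoice.zip", _mark_encrypted(inner.getvalue()))
    return outer.getvalue()


def assess_archive(zip_bytes: bytes) -> list:
    """Return the red flags found in an archive. Only entry names and header
    flags are inspected; nothing is extracted to disk, decrypted or executed."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as outer:
        names = outer.namelist()
        nested = [n for n in names if n.lower().endswith(".zip")]
        if nested and any(n.lower().endswith(".txt") for n in names):
            findings.append("text file shipped next to a nested archive (likely password note)")
        for name in nested:
            with zipfile.ZipFile(io.BytesIO(outer.read(name))) as inner:
                infos = inner.infolist()  # names are readable even when entries are encrypted
                if any(i.flag_bits & ENCRYPTED_FLAG for i in infos):
                    findings.append(f"{name}: nested archive is password protected")
                for i in infos:
                    if i.filename.lower().endswith(RISKY_EXT):
                        findings.append(f"{name}: contains {i.filename}")
    return findings
```

Each finding on its own is a weak signal; all three together match the lure closely enough to quarantine the attachment for review.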

You can read more about how the malware used PowerShell and Scheduled Tasks, and how it disguised its intent, on Proofpoint’s website (https://www.proofpoint.com/us/blog/threat-insight/security-brief-royal-mail-lures-deliver-open-source-prince-ransomware).

The end result of a successful delivery of this email would be the total loss of business files on that computer, server, or cloud file storage system. That would be a very difficult scenario to deal with.

What were the tell-tales?

We should learn from these examples, and we should be training others too.

The reason hackers continue to use email to deliver their malware is because it continues to be successful. People are manipulated and compelled to click links or open attachments.

In this example, how can we tell the email is at the very least, suspicious?

Firstly, the email came from a Proton Mail email address, but it was branded as Royal Mail. At the very least, an email branded as Royal Mail should be coming from a royalmail.com email address.

Secondly, for those recipients who received the email via a contact form submission on their website, this should have been another red flag that it was not genuine. Often, contact form submissions come from a specific internal email address, or the submission is wrapped in a notification from your website, making it clear that this was an online enquiry of some type.

Third, the message was compelling. If the recipient was not expecting a delivery of some type, they should be extremely cautious about accepting this email as fact. Hackers rely on the fact that people do not want to miss out on something, and they don’t want any hassle from something that was missed. What if a family member or friend sent them a surprise gift? Often, curiosity is used to coerce someone to click further… just in case.

Fourth, what about the link in the PDF attachment? It took the user to a Dropbox shared file. There isn't anything wrong with Dropbox. In fact, it is a great service. But why would Royal Mail host the delivery information on Dropbox.com and not RoyalMail.com? A simple hover of the mouse pointer over the link would expose the destination of that link. The recipient should be aware enough to realise this is not genuine from the link URL.

Finally, let's examine the ZIP file downloaded from the PDF link. Its complexity might make users question its value. Why is a password needed to open another ZIP file? Why is the password provided with the invoice or shipping details? While users may not grasp the technicalities, one would hope they are concerned enough by now to seek a second opinion on this file's legitimacy.

Regardless of how the email was delivered, directly or indirectly, users should be trained to identify the tell-tale signs of malicious emails. Currently (October 2024), 91% of successful hacks start with a phishing email.
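The first and fourth tell-tales above (a message branded as Royal Mail but sent from a Proton address, and a link pointing at Dropbox rather than royalmail.com) both reduce to the same check: does every domain the message actually uses belong to the brand it claims? The following is an added example, not code from the article: it parses a constructed sample message, not the real lure, and reports each sender and link domain that does not sit under the brand domain. The brand keyword, the expected domain and the sample addresses are assumptions.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

BRAND = "royal mail"          # brand the message claims to be from (assumption)
BRAND_DOMAIN = "royalmail.com"  # domain genuine mail and links would use (assumption)

# Constructed sample mirroring the article's description; not the real campaign email.
SAMPLE_EMAIL = """\
From: Royal Mail Deliveries <deliveries-4821@proton.me>
Reply-To: deliveries-4821@proton.me
Subject: Unsuccessful delivery attempt
Content-Type: text/plain; charset=utf-8

Royal Mail was unable to deliver your parcel.
Please print the attached invoice and collect your item:
https://www.dropbox.com/s/EXAMPLE/invoice.zip?dl=1
"""


def registrable_domain(host: str) -> str:
    """Naive last-two-labels rule; adequate for the .com/.me domains compared here (assumption)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def brand_mismatches(raw: str) -> list:
    """Return the sender and link domains that do not belong to the brand the message names."""
    msg = email.message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain", "html")).get_content()
    if BRAND not in (msg["Subject"] or "").lower() + body.lower():
        return []  # message does not claim the brand, so there is nothing to compare
    findings = []
    for header in ("From", "Reply-To"):
        addr = parseaddr(msg[header] or "")[1]
        if addr and registrable_domain(addr.rpartition("@")[2]) != BRAND_DOMAIN:
            findings.append(f"{header} address {addr} is not under {BRAND_DOMAIN}")
    for url in re.findall(r"https?://[^\s<>]+", body):
        host = urlparse(url).hostname or ""
        if registrable_domain(host) != BRAND_DOMAIN:
            findings.append(f"link to {host} is not under {BRAND_DOMAIN}")
    return findings
```

Links inside a PDF attachment are not covered here; the same domain comparison applies once the URLs have been extracted from the attachment.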

How can we protect ourselves?

I’ll give you the simple answer first.

Get a decent Cyber Security Service from a trusted IT or Cyber Security provider (like PS Tech 😊).

We provide an extremely comprehensive service to train your people, prevent hacks from being successful, protect systems and data, rapidly detect incidents and respond to those detections. This seriously improves your resilience to cyber-attacks and massively reduces the risks. More importantly, it reduces your worry and stress, as you have a trusted partner doing this for you, 24/7/365.

When we onboard customers, we go through a cyber security audit process to identify where risks currently are, and how bad that risk is. We will provide a comprehensive report with recommendations for improvement.

What if you are looking to do this for yourself? Here are some headline tips:

  1. Train your people in Security Awareness. This is more than just identifying dodgy emails. There are many areas where improved Security Awareness will help to protect your business systems and data.
  2. Keep your software up to date. Don’t just rely on automatic updates. Identify what software you have installed across your IT estate and make sure it is needed, current, and supported.
  3. Encourage people to use strong, unique passwords. Provide your people a tool to help them to do that easily.
  4. Enforce 2FA (2-Factor Authentication) or MFA (Multi-Factor Authentication) on EVERYTHING!
  5. Use systems to detect dodgy emails or messages before they get to your staff’s inboxes.
  6. Back up your systems and data. The intention of the Prince Ransomware attack was data destruction. Data backups are your only way to recover from such an attack. Make sure you back up what’s in the cloud too (Microsoft 365, Google Workspace, Dropbox etc.), as these systems are just as vulnerable as your computers and servers. Then, review and test your backups regularly.
  7. Have a plan. When disaster strikes, what do you do? A plan will help you to stay focused and recover faster from a security incident.


We hope you found this article useful.

If you would like a chat about your cyber security, you can arrange that on our website at no cost. There is no commitment or expectation. But we’d love to be able to help take the worry of your organisation’s cyber security off your mind.
