Published: March 26, 2018

A user at the University was on the receiving end of a ransomware attack when they received the following email with a Word document attached:

From: xzgx@www.conexpro.cl “Maria Garcia”

Subject: Attached Resume

Good Morning, I’m absolutely interested in a internship. See my attached CV and get back to me ASAP. The file is password protected to protect against identity theft. The password is “resume” Best regards!

Included in the email was a file named mye.doc. Since the user had solicited resumes for interns, the contents of the email did not raise any warnings. When opened with the included password, the user was prompted to enable macros in Microsoft Word. Once enabled, the embedded macros in the document downloaded a malicious program that encrypted files on the user’s C:, H:, and I: drives. Once the files were encrypted, a message popped up on the user’s screen informing them that they were the victim of ransomware, with instructions on where to send payment to have their files decrypted. These types of attacks can result in significant damage and disruptions, but thanks to preventative measures put in place by Adelphi IT, the loss in this case was minimal.

Malicious actors targeting specific users in an effort to either retrieve usernames and passwords, or to infect PCs with ransomware, is not a new tactic. The potential risk to the University is why Adelphi IT enacted a phishing awareness program in 2017 that includes simulated phishing attacks. The most important part of any phishing awareness program is to make users aware of telltale signs of phishing. In this case, despite the user’s work finding interns and the email’s claim to contain a candidate’s resume, several red flags still exist:

  • The email address contained what appears to be a random four-character username (“xzgx”).
  • The claim that the file was “password protected to protect against identity theft” created a false sense of trust in the contents.
  • When opened without enabling macros in Word, the file displayed a fraudulent Microsoft warning advising the user to enable macros. Macros in Microsoft Office documents are disabled by default because of the security risks posed by them.
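The red flags in this notice can also be checked mechanically at the mail gateway; the sketch below is an added example, not part of the original notice or of Adelphi IT's tooling. It reads only headers, body text and the attachment name, since a password-protected file cannot be opened by a filter. The flag names, the no-vowel test for a random-looking username and the sample message are assumptions made for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Office formats that can carry VBA macros (.docx/.xlsx cannot).
MACRO_CAPABLE = (".doc", ".docm", ".dot", ".dotm", ".xls", ".xlsm", ".ppt", ".pptm")
PASSWORD_GIVEN = re.compile(r"\bpassword\s*(is|:)", re.I)

# Constructed sample modelled on the email quoted in this notice.
SAMPLE = """\
From: "Maria Garcia" <xzgx@www.conexpro.cl>
Subject: Attached Resume
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

See my attached CV. The file is password protected to protect
against identity theft. The password is "resume"
--b1
Content-Type: application/msword
Content-Disposition: attachment; filename="mye.doc"

AAAA
--b1--
"""

def red_flags(raw):
    # Returns a list of heuristic flag names (hypothetical) for one raw message.
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    local = addr.split("@")[0].lower()
    name_parts = [t for t in re.split(r"\W+", display.lower()) if t]
    body, files = "", []
    for part in msg.walk():
        if part.get_filename():
            files.append(part.get_filename().lower())
        elif part.get_content_type() == "text/plain":
            body += part.get_payload(decode=True).decode("utf-8", "replace")
    flags = []
    # Username with no vowels and no overlap with the display name.
    if local and not re.search(r"[aeiou]", local) and not any(t in local for t in name_parts):
        flags.append("random-looking-sender")
    if any(f.endswith(MACRO_CAPABLE) for f in files):
        flags.append("macro-capable-attachment")
    # The password for the attachment travels in the same message.
    if files and PASSWORD_GIVEN.search(body):
        flags.append("attachment-password-in-body")
    return flags
```

A message that raises several flags at once is a candidate for quarantine and review rather than automatic deletion, since each check on its own will also match some legitimate mail.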

Please remain cautious when opening attached documents. If a user ever receives an unsolicited document from a fellow Adelphi employee and they are unsure about whether it is safe to open, they should reach out to the employee by phone to verify the legitimacy of the email. If a user ever receives such a document from an external source that they cannot contact through other means, the file should be forwarded either to the Help Desk, or Information Security at abuse@adelphi.edu, with a warning that they do not trust the safety or legitimacy of the file.


For further information, please contact:

Information Security
p – 516.877.3340
e – abuse@adelphi.edu

Location: Levermore Hall, 205