Understanding and Protecting Against Email Malware

By João Machado, Cybersecurity Analyst at RCTS CERT

In the digital age, cybersecurity is a top priority for any organisation. It’s crucial to understand the threats that your organisation faces and how to mitigate them. One of these is malware, which often finds its way into organisations through seemingly harmless emails.

This malicious activity can be attributed to various factors, including the exploitation of network vulnerabilities, data breaches, geographical influences, and even age and device ownership.

What is Malware?

Malware, an abbreviation for malicious software, encompasses any software intentionally designed to cause harm or gain unauthorised access to a computer system. It acts like a digital parasite, stealthily attaching itself to your system without your knowledge and subsequently wreaking havoc.

Among the various types of malware, ransomware emerges as a particularly menacing variant. It is engineered to restrict access to a computer system or personal files until a ransom is paid. The ramifications of such attacks can be financially burdensome, encompassing not only the ransom payment but also significant expenses related to data retrieval and system restoration.

The Hidden Threat in Your Organisation’s Inbox

Each day, a staggering number of emails traverse the globe. Among these, concealed within seemingly innocuous files such as documents, spreadsheets, images, and PDFs, are emails harbouring malicious intent.

At RCTS CERT, we analyse dozens of emails daily, almost all of them have some malware associated, either in the attachment or some link to a fake website that deploys the malware.

This year alone we already identified 509 new domains, 79 new IP addresses and more than 430 new hashes of confirmed malware, and we will receive more until the year ends. These numbers highlight the scale of the threat that email malware poses to organisations, despite their size.

Ransomware cases in the Portuguese Academia

In 2022, The Universidade da Beira Interior (UBI), located in Covilhã, Portugal, fell victim to a ransomware attack. Detected on a Monday, the attack partially compromised some administrative areas of the university. The attackers used ransomware to encrypt machines within the UBI domain and demanded a ransom, which UBI did not pay. Despite creating some constraints, the attack did not affect classes.

The university took immediate measures to minimise impact and assess the extent of the damage. Some systems were recovered quickly, but there was no prediction as to when everything would be fully restored. It remains unclear whether the attackers had access to data from students and staff.

Earlier this year, another member of our community (Instituto Politécnico de Leiria) was attacked using the Akira ransomware family. This novel ransomware family targets corporate networks by encrypting sensitive files and demanding large sums of money.

Akira uses a unique double extortion tactic. It first steals victims’ critical data and then encrypts devices and files. The ransomware is designed to encrypt data, create a ransom note, and delete Windows Shadow Volume copies on affected devices. It modifies filenames of all encrypted files by appending them with the “.akira” extension.

Identifying Malicious Emails: A Guide for Your IT Team

Here are some red flags that you should watch out for:

• Unforeseen Attachments: An email containing an unexpected attachment should raise suspicion and might indicate malicious intent.
• Generic Greetings: Many phishing emails commence with impersonal greetings like “Dear Customer,” signalling potential threats.
• Urgent Action Required: Emails that induce urgency or demand immediate action should be treated with skepticism.
• Dubious Sender’s Address: Verify the authenticity of the sender’s address, as cybercriminals often employ minor alterations to known email addresses to deceive recipients.
• Perilous Links and Call-to-action Buttons: The inclusion of malicious links is a hallmark of malicious emails. Exercise caution and refrain from clicking on links or call-to-action buttons immediately.

Steps to Protect Your Organisation

Here are some steps you can take to protect your organisation:

1. Install Anti-Malware Software: This software can detect and remove malware from your system.
2. Educate Your Workforce: Ensure your employees are well-informed about the risks associated with suspicious emails and the importance of not opening them.
3. Keep Your Systems Updated: Regularly updating your systems can protect against known vulnerabilities.

Remember, as decision-makers as well as end users, it’s everyone’s responsibility to stay vigilant and protect our organisations from malware threats. Share this post with others in your organisation to spread awareness about email malware.

About the author

João Pedro Martins Machado is a Cybersecurity Analyst at RCTS CERT with two years of experience, specialising in the protection of critical networks and information systems. Armed with a degree in Computer Engineering, João plays a pivotal role in analyzing security incidents, conducting comprehensive security audits, and maintaining the robust security posture of FCCN. His passion for uncovering vulnerabilities and ethical hacking fuels his dedication to the cybersecurity field. Outside work, you may find him giving handball training, playing with his dogs, or engaging in cybersecurity challenges on Try Hack Me.

Also this year GÉANT joins the European Cyber Security Month, with the campaign ‘Become A Cyber Hero‘. Read articles from cyber security experts within our community and download resources from our awareness package on connect.geant.org/csm23