Cybercriminals now hiding undetectable ransomware inside JPG images

  • cypac1
  • May 16
  • 2 min read

JPG Phishing

The bad guys found a security loophole this week and are exploiting it, hard. They're mass-sending phishing emails with two attachments: a JPG (image file) and a decoy document (Word doc or PDF). If you open the image, it will download ransomware and brick your system.


This two-file approach evades detection because security tools often fail to correlate the paired files as malicious, rendering them invisible to over 90% of antivirus engines. Also, since most people are familiar with JPG image files and consider them safe, we are more likely to open them.
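As an added illustration (not code from this newsletter or from any security vendor), here is a small Python triage check of the kind a mail gateway or SOC script could run on an inbound message: it compares each attachment's leading bytes against what its file extension claims, flags anything carrying a Windows executable header regardless of name, and separately notes the paired image-plus-document pattern described above so the two files are judged together rather than one at a time. The attachment names and byte contents are constructed for the example.

```python
"""Attachment triage check for the two-file phishing pattern (added example).

The message-level finding (an image plus a document in one mail) is a weak
signal on its own; the per-file findings (extension/content mismatch,
executable header) are the strong ones. Sample data is constructed.
"""
import os
from dataclasses import dataclass
from typing import List


@dataclass
class Attachment:
    filename: str
    data: bytes


# Well-known leading bytes ("magic numbers") for the file types involved.
JPEG_MAGIC = b"\xff\xd8\xff"
PDF_MAGIC = b"%PDF-"
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy .doc container
ZIP_MAGIC = b"PK\x03\x04"                         # .docx is a zip archive
MZ_MAGIC = b"MZ"                                  # Windows executable header

IMAGE_EXTS = {".jpg", ".jpeg"}
DOC_EXTS = {".doc", ".docx", ".pdf"}

EXPECTED_MAGIC = {
    ".jpg": (JPEG_MAGIC,),
    ".jpeg": (JPEG_MAGIC,),
    ".pdf": (PDF_MAGIC,),
    ".doc": (OLE_MAGIC,),
    ".docx": (ZIP_MAGIC,),
}


def extension(filename: str) -> str:
    """Last extension of the name, lowercased ('' if there is none)."""
    return os.path.splitext(filename)[1].lower()


def content_matches_extension(att: Attachment) -> bool:
    """True when the leading bytes match the type the extension claims.

    Extensions this check does not know about are not judged (returns True).
    """
    magics = EXPECTED_MAGIC.get(extension(att.filename))
    if magics is None:
        return True
    return any(att.data.startswith(m) for m in magics)


def looks_executable(att: Attachment) -> bool:
    """True when the bytes start with a Windows executable header."""
    return att.data.startswith(MZ_MAGIC)


def triage(attachments: List[Attachment]) -> List[str]:
    """Return human-readable findings for one message (empty list = clean)."""
    findings = []
    # Message-level correlation: the image + decoy document pairing.
    exts = {extension(a.filename) for a in attachments}
    if exts & IMAGE_EXTS and exts & DOC_EXTS:
        findings.append("paired image + document attachments")
    # Per-file checks on the actual bytes, not the name.
    for a in attachments:
        if not content_matches_extension(a):
            findings.append(f"{a.filename}: content does not match extension")
        if looks_executable(a):
            findings.append(f"{a.filename}: Windows executable header")
    return findings


# Constructed sample messages: only headers, no real payloads.
SUSPECT_MESSAGE = [
    Attachment("holiday_photo.jpg", MZ_MAGIC + b"\x90\x00" * 8),  # named JPG, is a program
    Attachment("invoice.pdf", PDF_MAGIC + b"1.7\n% constructed decoy"),
]
BENIGN_MESSAGE = [
    Attachment("holiday_photo.jpg", JPEG_MAGIC + b"\xe0" + bytes(16)),
]


if __name__ == "__main__":
    for label, msg in (("suspect", SUSPECT_MESSAGE), ("benign", BENIGN_MESSAGE)):
        print(label, triage(msg) or "no findings")
```

The pairing check is deliberately kept separate from the byte checks: a real photo next to a real PDF still trips it, so in practice it would raise a score or a review flag, while a header mismatch or an MZ header under an image name is a block-worthy finding on its own.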


The Takeaway

Cybersecurity software companies are currently scrambling to update their methods of detection for this new attack method. Meanwhile, the FBI’s Cyber Division has issued a bulletin urging businesses to:


1) Train staff not to open unsolicited attachments, even from known contacts.


2) Deploy endpoint detection tools that monitor for suspicious file interactions, such as an EDR and SOC/SIEM live monitoring.


3) Segment networks to limit ransomware spread.



This latest exploit really highlights these cybercriminals' growing level of sophistication. By weaponizing common file types, they're taking advantage of technological gaps and our human psychology.


Stay safe out there.

-Attila


PS. I'll be live on PBS this Thursday the 22nd at 7:30pm HST. The show is called Insights and I'll be there with other Cybersecurity experts to talk about the latest threats facing our community and what to do about them.


New - the Positivity Box

Tired of hearing about negative, fearful and disturbing cybersecurity news? Me too. You may be surprised to learn that good things happen in IT security. Let's celebrate them!


Moonlander

An indictment was unsealed over this past week, charging four foreign nationals with operating botnet services that targeted thousands of wireless internet routers. The conspirators allegedly amassed more than $46 million from selling access to infected routers, which were used to facilitate ransomware and other cyber attacks. In the operation, codenamed Operation Moonlander, the domain names associated with the botnet were seized by the United States pursuant to a seizure warrant, and the overseas servers controlling the botnet were shut down by foreign law enforcement partners. Go get 'em boys!


New Friday Funnies!


A Zen student asked his master, "Is it OK to use email?" "Yes," replied the master, "But no attachments."


What do you get when you cross a computer and a life guard?

A screen saver.


Where did the IT guy go?

He must have.... ransomware.

