Ransomware Attack Using Fake Zoom Meeting Invitation

Background

Zoom is a web-based communications platform that allows people to communicate in real time over the internet. As the pandemic worsened throughout 2020 and companies sent their employees home to work remotely, the usage of Zoom exploded globally. And as usual, cyber criminals took notice. The IRONSCALES research team has recently noticed an alarming new type of attack that uses fake Zoom meeting links to initiate a ransomware infection.

The Attack: Method & Payload

An employee receives an email with a link allegedly containing Zoom meeting information (meeting password and ID) from a very generic sender name (“Dave” in this example, because who doesn’t have a Dave in their office, right?).

The “Zoom Meeting Information” part in the email body contains a link:

https://files.zohoexternal.com/public/workdrive-external/download/ox0dh4f6d5e2025b64e13ac188d90fa50ee9f/VhPWYg

Traditional security scanners and detection tools will not flag this link as suspicious. Should the recipient click, an infected Excel worksheet named “Zoom-Meeting.xls” is automatically downloaded; it carries malware detected as an Artemis Trojan. The Artemis trojan is a kind of malware that prevents users from using their computer, including preventing the user from accessing or changing their local files.

This is the first step of a ransomware attack. A successful deployment of the malware would encrypt the end user’s data, allowing the attackers to demand whatever type of payment they like from the infected user’s company.

In 2020, ransomware victims paid an estimated sum of $350 million. These payments impacted the bottom line of the victim companies and ruined their reputation with their customers. A handful of the impacted companies were even forced to close their doors for good. The financial pain doesn’t end with paying the ransom. Companies that survive that part of the attack will still need to spend millions of dollars to rebuild their databases, assess their security posture using outside consultants, and rebuild their security infrastructure to ensure these attacks don’t work again in the future.

Tips for prevention:

  • Don’t open links or attachments from an unknown origin.
  • This incident contained typos and bad grammar (“Meeing” instead of “Meeting”), which is an indication of a phishing attempt.
  • A very generic email body with no personal note is also a good indication of a phishing attack.
  • Verify the sender domain. In this incident the sender domain was “gilcoagentgroup.com”; this website doesn’t exist, which is a red flag.
  • The sender display name is very generic (“Dave”). If you don’t know the sender, don’t trust them.
  • Train your employees. Create or use a cyber security awareness test periodically so that your employees are well trained and on guard for phishing attacks.
  • Invest in your company’s cyber security technology to stop phishing attempts before they reach your inbox.
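As an added example (not code from the original post), the prevention tips above turned into a mail-triage check: it parses a constructed message modelled on this incident and reports which indicators it trips. The ZOOM_HOSTS list, the MISSPELLINGS table and the known_domains allowlist (used offline in place of a DNS/MX lookup of the sender domain) are assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample modelled on the incident described above; not a real capture.
SAMPLE_EMAIL = """\
From: Dave <dave@gilcoagentgroup.com>
To: employee@example.com
Subject: Zoom Meeing Information
Content-Type: text/plain; charset=utf-8

Zoom Meeting Information
Meeting ID and password are in the file below:
https://files.zohoexternal.com/public/workdrive-external/download/ox0dh4f6d5e2025b64e13ac188d90fa50ee9f/VhPWYg
"""

ZOOM_HOSTS = ("zoom.us", "zoom.com")  # assumption: where a genuine invite would link
MISSPELLINGS = {"meeing": "meeting", "infomation": "information"}  # typical lure typos
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def triage(raw: str, known_domains: set[str]) -> list[str]:
    """Return the indicators from the prevention tips that this message trips."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    body = "".join(p.get_payload(decode=True).decode("utf-8", "replace")
                   for p in msg.walk() if p.get_content_type() == "text/plain")
    text = f"{msg.get('Subject', '')}\n{body}".lower()
    hits = []
    if display and len(display.split()) == 1:      # bare first name, no surname
        hits.append("generic_display_name")
    if domain not in known_domains:                # offline stand-in for a DNS/MX lookup
        hits.append("unknown_sender_domain")
    for typo, correct in MISSPELLINGS.items():     # typos typical of phishing lures
        if re.search(rf"\b{typo}\b", text):
            hits.append(f"typo:{typo}->{correct}")
    for url in URL_RE.findall(body):               # talks about Zoom but links elsewhere
        host = (urlparse(url).hostname or "").lower()
        if "zoom" in text and not any(host == h or host.endswith("." + h) for h in ZOOM_HOSTS):
            hits.append(f"offsite_link:{host}")
    return hits


if __name__ == "__main__":
    for hit in triage(SAMPLE_EMAIL, {"example.com"}):
        print("indicator:", hit)
```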

To learn more about IRONSCALES’ award-winning anti-phishing solution, please sign up for a demo today at https://ironscales.com/get-a-demo/.