Phishers Dream Email tool used to Embed Ransomware in Danish Company

screen-dump of Email appender tool that enables attackers bypass email security filters 

• Cyber attacker convincingly blends in an email conversations between client and supplier
• Employee opens ransomware infected email attachment
• Ransomware infects 2.500 computer and 350 server and demands 20 - 40 millions in ransom payments. 
• Email appender tool likely culprit in enabling cyber attack on danish farm supply company.

In recent security news, reports of an email tool called "email appender" that enables attackers to bypass email security controls and embed malicious emails in-front of your employee inboxes, according to Knowbe4.

Quick facts on the email appender tool

• available for sale to cyber attackers on the dark web
• able to circumvent email scanners, filters and other security solutions
• dubbed "every phishers dream"
• Email appender enables attacker to set the Sender address, email contents, and include attachments via a point and cliek interface
• Downside of the tool: attacker needs access to your login details without which email appender is useless.

After reading about email appender, it dawned on me that this probably is the tool used in enabling an attacker to so convincingly blend-in an email conversation leaving no doubts among the participants that the attackers unauthorized access.

A danish farm supply company that experienced a ransomware attack in April 2020 immediately after the government had closed the country due to the Covid-19 pandemic.

The ransomware attackers were asking for an 8-figure sum - somewhere between 20 - 40 million danish kroner but the company decided not to engage in a negotiation with the attackers, according to the group director.

So how does this ransomware attack unfold?

1. Ransomware attack begins

On a sunday morning, an it-system monitoring alarm goes off at the company premises. Upon investigation, it appears that servers and employee workstations are locked with a ransomware note with instructions regarding the attackers demands including the ransomware amount to be paid to get the data back. 

2. Ransomware attack happens at most vulnerable moment when government locked down everything including asking employees to work from home due to Covid19 pandemic.

According to the danish company group director, the attack came in via an email conversation at the time when the company was most vulnerable. The email conversation between the company employees and an external supplier whose systems were hacked. From this cyber incident, the company has learnt how to stop such a weakness and has installed monitoring on every computer. 

"Hackerne kom ind, hvor vi var mest sårbare, nemlig i en mailkorrespondance mellem vores medarbejder og en leverandør, der var hacket. I dag ved vi, at det hul skal stoppes bedre, så vi også har overvågning på hver enkelt PC".

In further detailed analysis of email the attackers used indicates that the attackers had indeed done their homework. A typical spear-phishing attack that left no indications of the attacker to the client or supplier employees.

"Vi har set mailkorrespondancen og hackerne blander sig i samtalen på en meget overbevisende måde med et sprog i den jargon, som medarbejderen og leverandøren i forvejen bruger. På et tidspunkt modtager medarbejderen en fil fra leverandørens hackede mailkonto. Og den fil åbner vores medarbejder".

The attackers introduced themselves in the email conversation in a convincing way using the same language the company employee was using with its supplier. The employee clicked and opened an email with an attachment from the hacked supplier email account, as reported by landbrugavisen.

3. Ransomware damage

In the dags following the attack, the ransomware spreads throughout the 2.500 computer og 350 server. Luckily the ransomware was not able to lock off client banking information and computers controlling the operations of the firm. Thus enabling the firm to continue operating through the attack, according the report.

Bottom line

An attackers have access to email appender which lets them embed malicious emails directly into user inboxes. A ransomware attack can be very disruptive, costly and often happens when you are most vulnerable. Authorities and security experts encourage companies not to pay the ransom but rather invest in ensuring that protective measures are in place to minimize the risk of a ransomware attack to succeed, such as taking backups and ensuring that they work and implementing multi-factor authentication. 

Leave us a comment about the story.

Read more:

• 15 companies that were caught pants down and decided to pay the ransom to get their data back