A new IRS-themed rapid ransomware email scam has been detected that uses the threat of significant financial penalties for late tax payments to fool victims into installing ransomware.
Tax season is well underway and cybercriminals have been increasing their efforts to obtain tax credentials to file fraudulent tax returns in the names of their victims. Businesses are the prime targets, as a successful scam can see the tax credentials of hundreds or thousands of employees obtained from a single response to an scam email.
However, it is not only tax fraudsters that are taking advantage of tax season. Ransomware attacks are also likely, as has been highlighted by a recently uncovered email scam that impersonates the IRS.
The purpose of this scam is to install Rapid ransomware. Rapid ransomware is a relatively new ransomware variant first detected in January 2018. In contrast to many ransomware variants that encrypt files and then terminate, rapid ransomware remains active after encryption and will encrypt any further files that are created on the infected device.
In addition to encrypting files, the ransomware deletes Windows shadow volume copies and disables automatic repair to hamper any attempts to restore files without paying the ransom. There is currently no decryptor for Rapid ransomware. Recovery will depend on backups being available or the ransom demand must be paid.
IRS Spoofed to Spread Rapid Ransomware
The Rapid ransomware email scam is similar to many other scams conducted during tax season. The emails are well written and plausible. There is urgency to encourage rapid action and a threat of financial penalties if the emails are ignored.
The emails have the subject line: ‘Please Note – IRS Urgent Message 164’ and contain a zipped notification attachment which email recipients are required to open to obtain further information.
In the body of the email, the recipient is led to believe they have significant tax arrears related to a property. The recipient is told that no action is taken by the IRS when tax arrears are cleared within 4-6 months of their due date, but since the recipient’s tax is 7 months out of date they are liable for a fine. They are told that if they do not respond to the email within one day and attempt to rectify the situation, ‘significant charges and fines may apply’. They are also told to open and study the attached document. The zip file contains a Word file containing a macro. If allowed to run, the macro downloads a PowerShell file, which in turn downloads Rapid ransomware.
Security aware individuals should be able to identify signs that the email is not genuine. First, the email is addressed ‘Dear Customer.’ In the event of the IRS contacting an individual about tax arrears, it would be likely that the email would be addressed using the individual’s name. However, such a situation would not occur. The IRS has confirmed in numerous warnings about phishing emails that it does not initiate contact about tax arrears via email. Further, tax arrears are serious, but not so serious that a response of 1 day would be given for a response.
The scammers behind this campaign have made some glaring mistakes in their campaign. The email address spoofed has the domain nottscc.gov.uk. While the email address looks official, it relates to Nottinghamshire County Council in the UK and the IRS is the American tax agency. However, many devices do not show the full domain so this may not be noticed. Another major error is the use of German language in the Word document, including instructions for enabling the macro.
Scam Highlights Need for Spam Filters and Security Awareness Training
Due to the errors made by the scammers, in particular the use of German and a UK local government email address – this email scam should be easily detected by employees and consumers, but such mistakes are not always made. The email is plausible, and otherwise it would be likely that many individuals would be fooled by such a scam.
For businesses, these scams can prove incredibly costly. In this case, there is no set ransom payment. Victims need to email the scammers to find out how to pay the ransom and how much is being charged. If the emails come from a business domain, the ransom payment would likely be increased. Further, ransomware can spread laterally within a network and result in file encryption on multiple endpoints and servers. With ransoms typically charged for each infected device, the costs can be considerable.
This Rapid ransomware email scam highlights the need for spam protections to be put in place to prevent malicious emails from being delivered. With SpamTitan implemented, more than 99.9% of spam email is blocked, preventing employees from having their phishing email identification skills tested.
It is also important to provide security awareness training to employees to teach them the skills they need to identify scams such as this. Not all email scams will be as easy to detect as this one. Training goes a long way toward ensuring that when emails slip past security defenses they are quickly identified by the workforce.