As is so often the case, it all begins with a seemingly innocuous e-mail. This one contains a job application, at the moment usually from someone named Lena Kretschmer, consisting of an image, a well-written cover letter and a ZIP file. At first glance, everything seems okay, but once you open the ZIP file the attack is under way: PowerShell opens, the malware is downloaded from the Internet, and it then overwrites all data with zeros. If your data isn’t backed up, you’re out of luck. It’s gone. The e-mail itself appears well-crafted, but a healthy dose of scepticism will tell you that something is amiss:
- Job applications are handled by the HR department, which is usually not very large. Why would this application be sent to you? It’s an entirely valid question to ask.
- The e-mail address used is firstname.lastname@example.org. The domain name is a strange combination of German and English, and a brief online search doesn’t turn up any related websites. That’s another red flag.
- The ZIP file named “Unterlagen_Lena_Kretschmer.zip” is only 1.5 KB. If it really contained a CV, employer references and a headshot as the e-mail claims, would it really be that small?
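The three red flags above can be turned into an automated triage step on the mail gateway. The script below is an added example, not code from the original article: the message, the archive and the blocklist entry are constructed, the sender domain is a placeholder rather than the one the article names, and the HR mailbox set and the minimum plausible size are assumptions you would set for your own organisation.

```python
"""Triage checks for an unexpected job-application e-mail (added example, not from the
article). Sample message, archive and blocklist below are constructed."""
import io
import zipfile

# Assumption: mailboxes that legitimately receive job applications.
HR_MAILBOXES = {"hr@corp.example"}
# File types that have no business inside an application archive.
SCRIPT_SUFFIXES = (".lnk", ".js", ".jse", ".vbs", ".vbe", ".ps1", ".bat",
                   ".cmd", ".exe", ".scr", ".hta", ".wsf")
# Assumption: a CV, references and a headshot together will not total less than this.
MIN_PLAUSIBLE_CONTENT_BYTES = 50 * 1024


def build_archive(entries: dict) -> bytes:
    """Build an in-memory ZIP from {name: bytes}; used here only to construct samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def triage(message: dict, blocklist: set) -> list:
    """Return the red flags found for one message; an empty list means nothing obvious."""
    flags = []

    # Red flag 1: sender domain already known to be bad.
    sender_domain = message["from"].rsplit("@", 1)[-1].lower()
    if sender_domain in blocklist:
        flags.append(f"sender domain '{sender_domain}' is on the blocklist")

    # Red flag 2: an application that lands outside HR.
    subject = message["subject"].lower()
    looks_like_application = any(w in subject for w in ("application", "bewerbung"))
    if looks_like_application and message["to"].lower() not in HR_MAILBOXES:
        flags.append(f"job application addressed to {message['to']} instead of HR")

    # Red flag 3: the archive cannot hold what the mail claims, or holds scripts.
    for name, data in message["attachments"].items():
        if not name.lower().endswith(".zip"):
            continue
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                infos = zf.infolist()
        except zipfile.BadZipFile:
            flags.append(f"attachment {name} is not a valid ZIP archive")
            continue
        total = sum(i.file_size for i in infos)  # declared uncompressed size
        if total < MIN_PLAUSIBLE_CONTENT_BYTES:
            flags.append(f"{name} unpacks to only {total} bytes, too small for a CV, "
                         f"references and a photo")
        for i in infos:
            if i.filename.lower().endswith(SCRIPT_SUFFIXES):
                flags.append(f"{name} contains script-like entry {i.filename}")
    return flags


# Constructed sample: mirrors the article's red flags, domain is a placeholder.
SUSPICIOUS_MESSAGE = {
    "from": "lena.kretschmer@sender-domain.invalid",
    "to": "max.mustermann@corp.example",
    "subject": "Bewerbung als Sachbearbeiterin",
    "attachments": {
        "Unterlagen_Lena_Kretschmer.zip": build_archive({"Unterlagen.pdf.lnk": b"\x00" * 200}),
    },
}
# Constructed sample of a legitimate application sent straight to HR.
LEGITIMATE_MESSAGE = {
    "from": "applicant@mail.example",
    "to": "hr@corp.example",
    "subject": "Application for the sales position",
    "attachments": {"cv.zip": build_archive({"cv.pdf": b"%PDF-1.4 sample " * 4096})},
}
BLOCKLIST = {"sender-domain.invalid"}

if __name__ == "__main__":
    for label, msg in (("suspicious", SUSPICIOUS_MESSAGE), ("legitimate", LEGITIMATE_MESSAGE)):
        print(label, triage(msg, BLOCKLIST))
```

The size check deliberately uses the declared uncompressed size of the entries rather than the attachment size, so a well-compressed but genuine PDF is not penalised; the script-suffix check also catches double extensions such as a `.pdf.lnk`, because only the final suffix counts.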
These points show how crucial it is to train workers in IT security. It’s as true as ever that employee actions still pose a huge security risk for companies. Failing to provide sufficient and, more importantly, regular training amounts to unwittingly creating unnecessary gateways that could even jeopardise your business model.
What to do if you opened the file.
In the worst-case scenario, there’s not much you can do. The first step is to remove your device from the network as quickly as possible and report the incident to your IT department so that they can take the required next steps. These include restoring data from backups (provided they exist), informing the rest of the staff and putting @stadtmailer.com on the e-mail blacklist to block any further messages from this address. A well-managed security service provider will have already done this for you.
Even if you immediately delete the e-mail without opening the file, you should still notify your IT department. Your co-workers may have received the message as well and they should be specifically warned to refrain from clicking on the attachment. Of course, there are also technical ways to counter GermanWiper.
Your best lines of defence against GermanWiper.
- At e-mail level: a blacklist will prevent the e-mail from even arriving in work inboxes. Sandboxing can also help: the attachment is automatically opened in an isolated virtual environment and observed to see whether it behaves maliciously.
- Endpoint detection & response or anti-exploit protection: these technologies prevent the script from being executed when the file is opened, thanks to behaviour-based (instead of pattern-based) analysis, which detects that the sequence ZIP file → PowerShell → script is abnormal and therefore dangerous.
- Download filter/web filter: this inspects HTTP and HTTPS (TLS-encrypted) connections, so the firewall or web gateway can block the download of the actual executable malware. When using this technology, make sure that you inspect not only incoming but also outgoing connections.
- Antivirus software: this fourth line of defence springs into action when the ZIP file has been opened. Provided its patterns have been updated, any pattern-based antivirus software should be able to catch the attack. However, AI-based detection, for example by BlackBerry Cylance, offers even better protection, as it detects not only known threats but also as-yet unknown attacks. Cylance can see from miles away that a file contains malware, and it requires neither an online connection nor pattern updates.
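The behaviour-based detection in the second line of defence above hinges on correlating the sequence "ZIP opened → PowerShell started → connection to the Internet" rather than on any file signature. The following is an added example of that correlation, not code from the article or from any vendor's product: the events are constructed, their field names are this example's own (loosely modelled on process-creation and network telemetry), and the archive-handler list and internal address ranges are assumptions to adapt to your environment.

```python
"""Behaviour-based detection of the chain 'ZIP opened -> PowerShell -> download from
the Internet'. Added example, not from the article; events and field names are constructed."""
import ipaddress

# Assumption: programs through which a user opens the contents of a ZIP attachment.
ARCHIVE_HANDLERS = {"explorer.exe", "7zfm.exe", "winrar.exe"}
# Assumption: the organisation's internal ranges; any other destination counts as Internet.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
POWERSHELL = {"powershell.exe", "pwsh.exe"}


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _is_internet(dest: str) -> bool:
    addr = ipaddress.ip_address(dest)
    return not any(addr in net for net in INTERNAL_NETS)


def detect_zip_powershell_chain(events: list) -> list:
    """Single pass over time-ordered events; returns one alert per offending PID.

    A PowerShell process becomes a candidate when its start points back to an opened
    archive (parent is an archive handler, script lies in a temporary ZIP extraction
    folder, or the window is hidden from the user). It becomes an alert only when the
    same PID afterwards opens a connection to a non-internal address.
    """
    candidates = {}
    alerts = []
    for e in events:
        if e["type"] == "process" and _basename(e["image"]) in POWERSHELL:
            reasons = []
            parent = _basename(e["parent_image"])
            if parent in ARCHIVE_HANDLERS:
                reasons.append(f"started by archive/shell handler {parent}")
            cmd = e["cmdline"].lower()
            if "\\temp\\" in cmd and ".zip\\" in cmd:
                reasons.append("script path lies inside a temporary ZIP extraction folder")
            if "-windowstyle hidden" in cmd or " -w hidden" in cmd:
                reasons.append("console window hidden from the user")
            if reasons:
                candidates[e["pid"]] = reasons
        elif e["type"] == "network" and e["pid"] in candidates and _is_internet(e["dest"]):
            reasons = candidates.pop(e["pid"])
            reasons.append(f"outbound connection to {e['dest']}:{e['port']}")
            alerts.append({"pid": e["pid"], "reasons": reasons})
    return alerts


# Constructed telemetry: one instance of the chain, followed by a benign comparison
# (a scheduled inventory script that talks to an internal server).
SAMPLE_EVENTS = [
    {"type": "process", "pid": 5310,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r'powershell.exe -NoProfile -WindowStyle Hidden -File '
                r'"C:\Users\lk\AppData\Local\Temp\Temp1_Unterlagen_Lena_Kretschmer.zip\Unterlagen.ps1"'},
    {"type": "network", "pid": 5310, "dest": "203.0.113.10", "port": 443},
    {"type": "process", "pid": 6001,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\System32\svchost.exe",
     "cmdline": r"powershell.exe -NoProfile -File C:\ProgramData\Scripts\inventory.ps1"},
    {"type": "network", "pid": 6001, "dest": "10.20.0.5", "port": 443},
]

if __name__ == "__main__":
    for alert in detect_zip_powershell_chain(SAMPLE_EVENTS):
        print(f"ALERT pid={alert['pid']}: " + "; ".join(alert["reasons"]))
```

Requiring both the suspicious start and the later outbound connection is what keeps the rule from firing on every administrative PowerShell job; the benign scheduled script in the sample never becomes a candidate, so its internal connection is ignored.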
Combining these measures can help your company effectively protect itself against malware and sidestep not just GermanWiper but also many other types of cyber attacks.