Mutually logo

Beware of ransomware hiding in shortcuts

Beware of ransomware hiding in shortcuts

Thanks to Graham Chantry and Richard Cohen of SophosLabs for their work behind the scenes on this issue, and for encouraging us to warn you about it.

Even if you haven’t been hit by ransomware yourself, you probably know someone who has.

Most ransomware gets straight to work as soon as it infects your computer: it scrambles some or all of your files and then callously offers to sell you a tool to unscramble them.

If you have a recent backup (one that wasn’t scrambled along with everything else!), you should be able to recover without paying, hopefully without too much trouble.

But if you don’t, and you want your data back, you have little choice but to pay up.

From time to time, the crooks make mistakes, and decryption experts find a loophole so that you can unscramble for free, but that’s unusual.

As a result, many victims end up paying the money, even though it pains them to do it, no matter how hard they try to find another way to recover their files.

Most ransomware hitches a ride into your home, or into your business, and onto your computer, in email attachments.

Here are some recent examples:

As you see here, ransomware crooks like attaching ZIP files, inside which they put the malicious file they really want to you to open, such as a Word document or a JavaScript file.

Technically, they don’t need to do this: they could simply email you a DOCX or a JS file directly, which would typically put you two clicks closer to danger. (That’s because you wouldn’t need to open the ZIP file first, and then the file inside it.)

However, placing their malicious payloads inside ZIP files serves three purposes.

Firstly, ZIPs look unexceptionable, especially if the malware is in a .JS file, a type you don’t usually see in email.

Secondly, many organisations have more liberal rules about ZIPs in email than they do about files that are more directly dangerous, because of those two extra clicks away harm that a ZIP places you.

Thirdly, opening the ZIP takes you a “visual step” away from your email program when the time comes to access the booby-trapped file inside.

Once the ZIP is open, you will usually end up in a Windows Explorer window, giving you a file view that somehow makes the malware file seem like a regular local file you might be inclined to trust, rather than an unsolicited attachment that was part of an email from outside.

Although ransomware can be delivered in many ways, including EXE files (programs), Excel spreadsheets, PDFs, batch files and more, the crooks have used two main types of payload in recent months:

  • Word documents. Most documents you receive contain text and perhaps a few images, and are perfectly safe, but Word files can contain macros, or embedded program commands. Word macros are more than powerful enough to download and install malware, often ransomware.
  • JavaScript files. These look innocent because they show up with an icon that looks like a scroll of paper, as though they were harmless text files that are safe to open. However, .JS files are full-blooded programs that can do anything a regular .EXE file (program) can do.

But there’s another malware-friendly attachment type that we’re seeing more and more lately, to the point that SophosLabs specially asked us to tell you about it: the LNK file.

LNKs, more properly Shell Link Binary Files, have been around for years, and malware writers have used them on and off for all that time, because they’re a handy way of dressing up one file as another.

You probably know them best as “shortcuts” that you use as a quick way of opening popular apps or often-used files, such as this example:

On the left is a file called MyDoc.pdf, and on the right a file that looks the same, except for the tiny arrow at the bottom left of the icon that denotes a link or shortcut.

Apart from the arrow overlaid on the icon, the files look the same; the differences are obvious only if you list the files in a command prompt or use Right click | Properties to reveal their details:

Notice here that we’ve carefully told Explorer to show file name extensions, otherwise MyDoc.pdf would show up simply as MyDoc, but the LNK file nevertheless appears with the name of the file to which it links, not as MyDoc.pdf.lnk, as you might reasonably expect.

We recommend that you set up all your Windows computers to show file extensions. An extension is an integral part of the filename, and affects how Windows treats the file. Suppressing extensions may look a bit neater, but it needlessly hides information that might otherwise give you early warning of a security trick.

Worse still, a LNK file can be configured to show up with a misleading name, with an unrelated icon of your choice, and to run any command, like this one:

The LNK file itself is called INVOICE.PDF.lnk, and it’s configured to run a command prompt (using cmd.exe) that creates a JavaScript file called s.js and then runs it.

Nevertheless, it appears on the desktop as if it were a PDF file called INVOICE.PDF, even though it has no connection with any PDF content, and no link to any PDF-related application.

Clicking on it doesn’t open a PDF file at all, as you might think, but instead runs the s.js file created by the command prompt shown above, which in this case innocently pops up a message box using the WScript.Echo() function:

We first wrote about malware using this trick back in early 2009, and we offered this advice:

Don’t be tricked into opening a shortcut file from an untrusted source, falsely assuming the LNK must be harmless because it can only point to items already on your system.

With that in mind, you’re probably not surprised to hear that cybercrooks are having another crack at LNK files, probably because we’ve collectively learned to be doubly cautious of unexpected documents and JavaScript files.

In particular, the fact that LNK files don’t follow the View file name extensions setting in File Explorer, and that they can show up with an icon that is at odds with their real behaviour, makes them very attractive for criminals.

The attachments in the three sample emails shown at the start of the article, for example, each contain a LNK file that uses a technique similar to the INVOICE.PDF trick shown above:

We can’t be sure exactly what ransomware would have been delivered in each of these examples.

Fortunately, the servers used by the crooks to deliver the next stage of the attack had all been taken down, apparently by vigilant hosting providers. (Several of the samples we tested produced “account suspended” messages, thus neutralising the malware.)

In at least one sample we examined, however, the next stage of the attack led to infection by malware known as RAA: ransomware that itself is entirely written in a scripting language.

Of course, LNK-based infections don’t have to end up in ransomware, because the crooks can vary the payload they deliver to suit their current criminal plans.

Indeed, they can adapt the payload victim by victim, based on details such as time of day, operating system version, geolocation, and more.

We’re guessing, however, that the majority of LNK-based attacks you’re likely to see will be aimed at squeezing money out of you through ransomware-style extortion.

What to do?

  • Tell Windows to show file extensions. Even though this doesn’t help with LNK files, we think that deliberately suppressing extensions merely introduces a needless risk.
  • Be cautious of unsolicited attachments. We know that this advice is easy to say to but hard to follow: how else to tell if a message is worth reading except by reading it? Watch out anyway. Emails claiming to know you, to have money to send, or to be issuing an invoice from a company you’ve never heard of, could have come from anywhere, and probably did.
  • Use a real-time anti-virus and web filter, and keep them updated. Sophos Home, for example (100% free for home use on Windows and Macs), blocks these malicious LNK files variously as Troj/LnkDldr-C or Mal/DownLnk-D, and will actively prevent them from running at all.
  • Never open LNK files that arrive by email. We can’t think of any situation in which you would need, or even want, to use a LNK file that came via email. The name and icon will probably be misleading, so keep your eyes peeled for the tiny arrow that Windows shows at the bottom left of the icon.
  • Review the list of file types you allow in email attachments. Many sysadmins block various well-known file types in email outright, such as EXE attachments (for security reasons) and multimedia files (to avoid accusations of piracy). Review the list whenever the crooks change their game.
  • Read our guidelines on How to stay protected against ransomware. The good news is that best practice against ransomware protects you from a vast catalogue of other security and availbility problems, too.
  • Listen to our Techknow podcast on Dealing with ransomware. The Techknow podcast series is an excellent “brush up” resource for coffee breaks, train trips and your regular commute.


Lost Password

Please enter your username or email address. You will receive a link to create a new password via email.

Privacy Preference Center