Ransomware and the End of Tax Season
DarkOwl Cybersecurity researchers are actively following an uptick in malicious ransomware activity as the 2015 tax season draws to a close.

Attackers, leveraging the stress and confusion generated by the end of tax season, are delivering crypto-ransomware malware to unsuspecting victims via phishing email campaigns. We have seen this increase in activity worldwide; just last month The Australian Business Review reported on CryptoLocker malware hitting local businesses in both Australia and Britain (1). The phishing scam emails typically incorporate wording threatening tax penalties for supposedly unpaid payroll or other taxes and point to links or attachments containing the hidden ransomware.

CryptoLocker and its cousins, CryptoDefense and CryptoWall, comprise an extremely lucrative business. This crypto-ransomware works by infecting a company’s computer system and restricting access to both the system and its data until a ransom is paid to the attacker. These ‘crypto’ forms of malware limit access to the ransomed files and data via encryption. Attackers typically extort anywhere from $300 - $900 from individuals to amounts well into the thousands of dollars (or bitcoin) from larger businesses such as hospitals and financial institutions.

In many ransomware cases the urgency of the situation, as with a hospital or healthcare facility, demands immediate restoration of system and data access, leaving the organization no option but to pay the ransom quickly. This inability of organizations to recover without giving in to the attackers' demands keeps the attacks funded and successful.
Protect against phishing emails. They are the number one tool used by cyber criminals to deliver ransomware. Identify and avoid these malicious emails.

Identify a Potentially Malicious Email

Look for:

  • Poor grammar and spelling errors.
  • Links or email addresses which do not contain the company name the sender claims to represent, especially the “from” email address.
  • Timeframes, deadlines and/or countdowns – tools which urge victims to act now as the sender is in a hurry. These demands of urgency can lead the victim to disregard the logic of the request.

Avoid Becoming a Victim

  • Copy the sender's email address into a notepad program to verify the sender information. More technically advanced users can examine the email header information.
  • Do you know the sender? If you cannot verify the sender, do not click on links or download attachments.
  • Hover your mouse over any links in the body of the email. Does the address shown match the link text? A mismatch between the displayed text and the actual link target indicates link manipulation, a hallmark of phishing.
  • Use common sense; common sense always prevails.
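The indicators from both lists above (sender address not matching the organization the sender claims to represent, deadline and penalty language, and a link whose visible URL differs from its real target) can be checked mechanically. The following is an added example, not DarkOwl's code; the `.example` domains and the sample message are constructed, and the caller supplies the domain the display name claims to represent.

```python
import email
import re
from email import policy
from urllib.parse import urlparse

# Urgency phrasing the post warns about: deadlines, countdowns, penalties.
URGENCY = re.compile(
    r"\b(immediately|within \d+ (hours|days)|final notice|penalt(y|ies)|act now)\b", re.I)
# Anchor tags as (href, visible text); a regex is enough for this sample body.
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def host_of(value):
    """Last two DNS labels of a URL's host or of an e-mail address's domain."""
    netloc = urlparse(value).netloc if "://" in value else value.rsplit("@", 1)[-1]
    return ".".join(netloc.lower().split(".")[-2:])

def phishing_indicators(raw_message, claimed_domain):
    """Return the indicators found in a raw RFC 5322 message, given the domain
    of the organization the sender's display name claims to represent."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    # Indicator 1: the real sender address does not belong to the claimed organization.
    sender = msg["From"].addresses[0].addr_spec if msg["From"] else ""
    if host_of(sender) != claimed_domain.lower():
        findings.append("from-domain-mismatch:" + host_of(sender))
    # Indicator 2: deadline / penalty language in the subject or body.
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    if URGENCY.search(msg["Subject"] or "") or URGENCY.search(text):
        findings.append("urgency-language")
    # Indicator 3: the "hover" check - a link whose shown URL differs from its target.
    for href, shown in ANCHOR.findall(text):
        if "://" in shown and host_of(shown) != host_of(href):
            findings.append("link-text-mismatch:" + host_of(href))
    return findings

# Constructed sample resembling the tax-penalty lure described in the post.
SAMPLE = """From: "Revenue Office" <notices@revenue-notice.example>
To: payroll@victim.example
Subject: FINAL NOTICE: unpaid payroll tax penalty
Content-Type: text/html; charset=utf-8

<p>Pay within 24 hours to avoid further penalties.</p>
<a href="http://revenue-notice.example/pay">https://www.revenue.example/payments</a>
"""
```

Calling `phishing_indicators(SAMPLE, "revenue.example")` reports all three indicators for the sample; a message from the claimed domain with no deadline language and honest links reports none.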

If You Suspect Ransomware

  • Do not open a suspect email.
  • Do not click on any suspect links.
  • Do not click on or preview attachments.
  • Contact IT immediately, even before the email is deleted.
  • Trust but verify.
  • All organizations can learn more about the prevention, detection and, if necessary, remediation of these phishing scams and crypto-ransom malware through DarkOwl Cybersecurity’s OPSEC training offerings.