Dropbox becomes a vehicle for ransomware

Cloud storage services like Dropbox have made it simple to store and share files with family, friends, and coworkers. Unsurprisingly, unscrupulous individuals have also managed to pervert those features to spread malware, in particular, the kind that holds your files hostage until you pay a sweet fee, as narrated by anti-phishing company PhishMe.

It starts almost innocently enough but already has enough markings of a phishing expedition. Unfortunately, those who become unwitting victims of this kind of social engineering methods are those unaware of the telltale signs of scams. An email regarding an incoming fax, invoice, or other serious-looking subject matter is usually received, accompanied by a Dropbox link to download a zip file that contains a Windows Screensaver or .scr file. Unknown to many, Windows treats executable programs (.exe) and Windows screensavers the same way, and so this innocent looking Dropbox file is actually a malware in disguise.

What happens next, if the user runs the program, that is, is the usual nightmare of most ransomware incidents. A variant of the ransomware trojan CryptoLocker takes hold of certain types of files on the computer, encrypts them so as not to be readable through ordinary means, and stashes the key on a remote server. And then it informs the unfortunate users, using a browser popup to add insult to injury, that their files have been encrypted. Amusingly, in some cases the choice of words make it seem that the perpetrators are doing you a service by letting you regain access to your own files.

Of course, that comes with a price, which ranges from a few dollars to thousands. In this particular strain of the malware, PhishMe says that users have been initially asked for $500. If you do ignore the demands, the price is doubled to $1,000. It may all sound too bad to be true, but according to PhishMe, more than 300,000 computers have been infected. Though this number also includes researchers and fake entities, even if you only consider half of that total to be actual individuals, that is still one too many victims to fathom.

Dropbox can hardly be blamed for such absues of its services, though it would normally act swiftly on reports of malicious behavior. In the end, though, the user is still the last line of defense. It may sound preachy, but it doesn't make it any less true.