Educause Security Discussion mailing list archives

REN-ISAC Threat Notification: Email Ransom Scheme


From: "Milford, Kim" <kmilford () IU EDU>
Date: Fri, 5 Jan 2018 18:43:46 +0000

====================================================================
SHARING GUIDELINE: TLP: AMBER [1]  The following information must not be
publicly released. Information may be shared with members of your own
organization, and with clients or customers who need to know the information
to protect themselves or prevent further harm.
====================================================================
 
Please be aware of a recent and ongoing ransom/threat campaign targeting
universities, requesting payment in Bitcoin [2].  The message is along the
lines of "pay up or be blown up" (bomb threat), with distribution via Proton
Mail.  Proton Mail is a Switzerland-based service offering free and paid
highly secure email.  Per their own statement, “As ProtonMail is outside of
US and EU jurisdiction, only a court order from the Cantonal Court of Geneva
or the Swiss Federal Supreme Court can compel us to release the extremely
limited user information we have.”  If sent via Proton Mail, tracing by way
of headers will prove to be fruitless.  
 
Victim institutions are encouraged to notify law enforcement per normal
reporting protocols and share information in REN-ISAC channels.  Or feel
free to forward threat emails, along with headers, to soc () ren-isac net,
and the information will be provided to the FBI for investigative follow up
as deemed necessary.

Since this is a criminal activity, if you receive the threat message, feel
free to also reach out to Proton Mail to see if they can assist you:
 
Proton Technologies AG
Chemin du Pré-Fleuri, 3
CH-1228 Plan-les-Ouates, Genève, Switzerland
abuse () protonmail ch
security () protonmail ch
legal () protonmail ch
 
[1]  https://www.us-cert.gov/tlp 
[2] Bitcoin wallet (indicator): 18k92wkSk5SnQbCyAG6NhYJrajukGdYpF4.  This
wallet has no BTC in it and no transactions on record.  You can review the
blockchain for that address at:
https://blockchain.info/address/18k92wkSk5SnQbCyAG6NhYJrajukGdYpF4
 

Kim Milford

Executive Director
REN-ISAC
kmilford () ren-isac net
O:   317-278-4815
M:  317-625-7800

