
Security Alert: Phishing Link Leads to Ransomware Download


Coalition Incident Response, Inc. (CIR), a technical digital forensic and incident response firm and Coalition affiliate, has observed a targeted social engineering campaign to trick employees into downloading a ransomware payload. In a divergence from the common uses of phishing emails, a threat actor sent emails falsely claiming to have stolen sensitive company information, asking recipients to click on a malicious link to verify the data. Normally, the malicious link would be leveraged to harvest the user's credentials, allowing the attacker to gain access to their email inbox, but in this instance clicking the link deploys ransomware.

In mid-August 2023, CIR received a notification from a policyholder who had received communications from a threat actor alleging to have stolen their data. After attempting to obtain proof of exfiltration from the threat actor, the policyholder received a link to a list of the files the threat actors had allegedly stolen. However, the email did not include a list of stolen files but rather a link to a script to run a ransomware payload and encrypt the policyholder's device. Thankfully, the policyholder did not click the phishing link and contacted Coalition instead.

Over the next several days, the threat actor sent multiple copies of the same email to different employees at the organization. CIR also has information that indicates the Coalition policyholder was not the only organization to receive the same phishing email, which points to this being a larger, targeted campaign.

In all likelihood, the threat actor's primary motivation is financial gain through social engineering. The threat actor has yet to provide proof that they have exfiltrated any data, instead continuing to harass employees and escalate the situation. This means the best defense is vigilance combined with security controls. 

Keep threat actors away: Use caution before clicking

Phishing is most commonly associated with impersonation: A threat actor gains access to the email account of a coworker or vendor and poses as them to trick users into taking action. However, phishing takes many forms, and it can also involve threat actors sending targeted emails, such as allegations that they have stolen company data. 

The most common motivation behind phishing attacks is to steal credentials to commit other cybercrimes or redirect payments into bank accounts they control. While this threat actor appears to be financially motivated, they are using a variation of the phishing tactics most employees have been trained to avoid. 

Coalition recommends reminding employees of the dangers of phishing and the variety of forms it can take, and using security controls to help reduce the impact of these phishing attacks:

  • Educate and train employees: Security awareness training can teach employees what to look out for and remind them to always report suspicious communications. 

  • Use email filtering: Email is a crucial tool for collaboration, but it is highly susceptible to cyber attacks. Email filtering can filter inbound and outbound traffic to scan and potentially screen out malicious attachments or links.

  • Back up critical data: In the event of an adverse cyber incident, having offline backups of critical business data can help expedite the recovery process. As a best practice, use a regular backup schedule and periodically test backup copies.

  • Make an Incident Response Plan: Review and, if necessary, update your incident response plan so you know what steps to take in the event of an adverse cyber incident.
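One way a mail-filtering rule could flag the pattern this alert describes (a data-theft claim paired with a link, sent in copies to several employees), as an added example that is not Coalition's or CIR's tooling. The claim phrases, addresses and URLs are constructed assumptions, since the alert does not quote the emails.

```python
import hashlib
import re
from collections import defaultdict
from email import message_from_string, policy

# Assumed wording: the alert does not quote the emails, so this pattern is illustrative.
CLAIM_RE = re.compile(
    r"\b(stolen|stole|exfiltrat\w*|leak\w*)\b.{0,80}\b(data|files|information)\b", re.I | re.S)
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)

def fingerprint(body):
    """Hash the body with case and whitespace normalised so near-identical copies match."""
    return hashlib.sha256(" ".join(body.lower().split()).encode()).hexdigest()

def triage(raw_messages):
    """Group messages that pair a data-theft claim with a link; mark multi-recipient groups."""
    groups = defaultdict(list)
    for raw in raw_messages:
        msg = message_from_string(raw, policy=policy.default)
        part = msg.get_body(preferencelist=("plain", "html"))
        body = part.get_content() if part else ""
        urls = URL_RE.findall(body)
        if CLAIM_RE.search(body) and urls:
            groups[fingerprint(body)].append((str(msg["To"]), urls))
    findings = []
    for fp, hits in groups.items():
        recipients = sorted({to for to, _ in hits})
        findings.append({
            "fingerprint": fp[:12],
            "recipients": recipients,
            "urls": sorted({u for _, found in hits for u in found}),
            "campaign": len(recipients) > 1,  # same email sent to several employees
        })
    return findings

def make(to, body):
    """Build a constructed sample message (not taken from the real campaign)."""
    return f"From: sender@example.net\nTo: {to}\nSubject: Your data\n\n{body}\n"

SAMPLE = [
    make("alice@example.com", "We have stolen your company data. Verify the list: https://files.example.net/list"),
    make("bob@example.com", "We have stolen your  company data. Verify the list: https://files.example.net/list"),
    make("carol@example.com", "Quarterly report is ready, see https://intranet.example.com/q3"),
]

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

Messages flagged this way are candidates for quarantine and for forwarding to the incident response team rather than being delivered with a live link.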

Coalition policyholders who have received any emails alleging their data was exfiltrated and that they must pay a threat actor should forward the email to CIR for review. As a best practice, always avoid clicking on any suspicious links or downloading attachments from unknown sources.

Additional phishing prevention controls are outlined in Coalition's Phishing Education at a Glance — a free download.

Coalition Security Services

Staying ahead of cyber risks can be daunting. Coalition policyholders can sign up for around-the-clock monitoring with our Managed Detection and Response Services (MDR).

MDR, from Coalition Security Services, monitors the endpoints — computers, phones, and IoT devices — on a network for anomalous behavior and responds in an effort to mitigate or altogether prevent a cyber incident. Our MDR offering allows us to block the signature from the ransomware strain associated with this email campaign and respond should employees click on malicious links.

Learn more about MDR from Coalition Security Services.


Coalition Incident Response, Inc. provides "Coalition Security Services," which involves cybersecurity services offered to clients before, during, and after the occurrence of a cyber event. These services include: Incident & Breach Coaching, Digital & Cloud Forensics, Ransomware Forensic Investigations, Log Analysis at Scale, Business Email Compromise (BEC) Investigations and more. For more information, you can contact [insert contact email].
Coalition Incident Response, Inc. 
548 Market St #94729 
San Francisco, California 94104-5401 USA
© 2023 Coalition, Inc. All rights reserved.