Ransomware Attacks Are Becoming More Common. But Are They Always Real?

Welcome to StrRAT.

Alyssa Lerner First
3 min readMay 24, 2021


Ransomware, a type of attack where hackers encrypt data and then charge a ransom to decrypt and return it, has already caused all kinds of problems in 2021.

The most famous recent incident is probably the Colonial Pipeline hack, which led the company to close for several days a pipeline that carries almost half the fuel for the east coast of the United States. Although security experts generally frown upon paying the ransom demands in these situations because it encourages more attacks, the company ultimately paid close to $5 million for the return of their data.

And last week, Microsoft announced that they’d discovered a massive email campaign designed to hit victims with ransomware demands. But in this case, the information hadn’t actually been locked up.

Giovanni Domenico Tiepolo’s depiction of the original Trojan horse in an eighteenth century painting. (Public domain.)

The Microsoft security team revealed the specifics of the campaign in a series of tweets. It turns out this attack is a new, more sophisticated iteration of malware known as StrRAT — specifically, this is StrRAT 1.5.

RAT stands for Remote Access Trojan, meaning it’s a Trojan horse-style piece of malware that can give hackers control of the victim’s computer. The attack involves sending emails that look both relatively normal and somewhat important, with subject lines like “Outgoing Payments,” and with a PDF attached.

Except it isn’t really just a harmless PDF. If you open the attachment, it runs a Java-based program on your computer that sets up a backdoor for attackers to get in and do whatever they want. That’s the Trojan horse — it’s an innocent-looking file that actually contains a much more dangerous payload.

The attack also executes what looks like a ransomware attack, making it seem like your files have been encrypted and you can’t access them anymore.

But it’s all a lie.

All the attack does is change your filename extensions to .crimson, which to the untrained eye makes them look wrong and keeps them from automatically opening with the appropriate programs. You can easily fix this by changing the extension back to what it’s supposed to be — for example, .docx for a Word document — but there’s no reason an average user would know to do that.

Now that antivirus companies know about this attack, they can update their programs to defend against it. According to Microsoft, Microsoft 365 Defender has already done that.

But as always, the best defense against this sort of thing is to avoid any odd-looking emails, and never open any attachments unless you’re sure you know what they are.

And if you are targeted by a ransomware attack, it’s worth connecting with security experts to make sure your stuff really is encrypted before you decide what to do next. Because in cases like StrRAT, you might be able to get your files back much more easily than you think.



Alyssa Lerner First

Software developer and science/tech writer. Python, Ruby on Rails, JavaScript, React/Redux, Java. Fascinated by the amazing stories behind today’s tech.