November 12, 2016

A flood of Ransomware in email attachments in early November 2016

Since the first week of November there has been a virtual flood of malicious email scams that deliver ransomware through both .doc and .zip attachments.

The subject lines vary from hour to hour and day to day. So far they include all of the following (with more to come):

  1. Emailing: _[digits]_[more digits]
  2. Virtual card
  3. Order
  4. "No subject"
  5. [Scan] 2016-1111 11:45:05 (time and date vary)
  6. Document from Paulette (name varies)
  7. Receipt 6940-30676 (numbers vary)
  8. unauthorized access
  9. DSCF54499.pdf (numbers vary; the attachment is really a zip file)
  10. DSCF54499.tiff (numbers vary; the attachment is really a zip file)
  11. DSCF54499.gif (numbers vary; the attachment is really a zip file)
  12. Account temporarily suspended
  13. Your Amazon.com order has dispatched (#890-6219873-3176850) (numbers vary)
  14. Your parcel has arrived
  15. Statement
  16. Suspicious movements
  17. We could not deliver your parcel, #0000331783 (numbers vary)
  18. Financial documents

The message sizes vary from about 3 KB up to about 15 KB for the zip files, and over 200 KB for the Office documents, which contain a diversionary document that opens while the Trojan is downloaded in the background. The most common zip files range from 10.5 to 12.5 KB.

Some of these scams contain specially crafted wording to try to trick busy office workers into opening the attachments. Others have nothing visible at all, other than the paperclip indicating that there is an attachment.

All of these attachments contain either JavaScript (.js) or Windows Script File (.wsf) scripts inside a zip file, or Office macro scripts inside a .doc or .docx file, which force a download of a Trojan Horse file known as the Locky ransomware. An unprotected Windows computer can be infected automatically by unzipping the archive and opening the script inside, or by enabling macros in MS Word, or in any other .doc reader that uses the MS Word macro script language.
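A mail-gateway triage check for the two lure traits described above (image or PDF names hiding a zip with a .js/.wsf script, and Office files carrying a macro project) plus the subject-line templates from the list. This is an added example, not code from the original post; the regexes are my rendering of the listed subjects, the OLE macro stream check is a byte-search heuristic, and the sample attachments are constructed in-line.

```python
import io
import re
import zipfile

SCRIPT_EXT = (".js", ".wsf")                      # droppers seen inside the zip lures
ZIP_MAGIC = b"PK\x03\x04"
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy binary .doc container
# UTF-16LE storage names a macro-bearing legacy .doc carries (heuristic, not a parser)
OLE_MACRO_MARKERS = ("Macros".encode("utf-16-le"), "_VBA_PROJECT".encode("utf-16-le"))
# Subject templates from the post, rendered as regexes (assumed shapes of the varying parts)
SUBJECT_PATTERNS = [
    r"^Emailing: _\d+_\d+$",
    r"^\[Scan\] \d{4}-\d{4} \d\d:\d\d:\d\d$",
    r"^Receipt \d{4}-\d{5}$",
    r"^DSCF\d+\.(pdf|tiff|gif)$",
    r"^Your Amazon\.com order has dispatched \(#\d+-\d+-\d+\)$",
    r"^We could not deliver your parcel, #\d+$",
]

def subject_matches(subject):
    """True if the subject line fits one of the lure templates."""
    return any(re.match(p, subject.strip()) for p in SUBJECT_PATTERNS)

def assess_attachment(filename, data):
    """Return the reasons an attachment resembles the Locky downloader lures ([] if none)."""
    reasons, name = [], filename.lower()
    if data.startswith(ZIP_MAGIC):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            members = zf.namelist()
        if name.endswith((".pdf", ".tiff", ".gif")):   # DSCF54499.pdf-style disguise
            reasons.append("extension mismatch: named %s but is a zip" % filename)
        scripts = [m for m in members if m.lower().endswith(SCRIPT_EXT)]
        if scripts:
            reasons.append("zip holds script file(s): " + ", ".join(scripts))
        if "word/vbaProject.bin" in members:           # .docx/.docm is a zip; macros live here
            reasons.append("Office document contains a VBA macro project")
    elif data.startswith(OLE_MAGIC) and any(m in data for m in OLE_MACRO_MARKERS):
        reasons.append("legacy .doc contains a macro (VBA) storage")
    return reasons

def make_zip(members):
    """Build an in-memory zip from {name: bytes}; used only to construct samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for member, content in members.items():
            zf.writestr(member, content)
    return buf.getvalue()

if __name__ == "__main__":   # constructed sample: a "photo" that is really a zip with a .js
    print(assess_attachment("DSCF54499.pdf", make_zip({"DSCF54499.js": b"// inert placeholder"})))
```

The OLE check only flags a legacy .doc that actually carries a macro storage, so clean .doc attachments pass; a proper OLE parser would be needed to read the macro code itself.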

I want to point out that if you use Trend Micro Internet Security (any flavor), you are protected against these scams and Ransomware threats. I use Trend Micro and pay by the year. I feel it is well worth the money for the peace of mind.

About the author
Wiz's Blog is written by Bob "Wiz" Feinberg, an experienced freelance computer consultant, troubleshooter and webmaster. Wiz's specialty is in computer and website security. Wizcrafts Computer Services was established in 1996.
This weblog is licensed under a Creative Commons License.
The content on this blog may be reprinted provided you do not modify the content and that you give credit to Wizcrafts and provide a link back to the blog home page, or individual blog articles you wish to reprint. Commercial use, or derivative work requires written permission from the author.