A flood of Ransomware in email attachments in early November 2016
November 12, 2016
Since the first week of November there has been a virtual flood of malicious email scams that carry Ransomware in both .doc and .zip attachments.
The subjects vary from hour to hour and day to day. They include all of the following Subjects (with more to come):
- Emailing: _[digits]_[more digits]
- Virtual card
- Order
- "No subject"
- [Scan] 2016-1111 11:45:05 (time and date varies)
- Document from Paulette (name varies)
- Receipt 6940-30676 (numbers vary)
- unauthorized access
- DSCF54499.pdf (numbers vary; the attachment is really a zip file)
- DSCF54499.tiff (numbers vary; the attachment is really a zip file)
- DSCF54499.gif (numbers vary; the attachment is really a zip file)
- Account temporarily suspended
- Your Amazon.com order has dispatched (#890-6219873-3176850) (numbers vary)
- Your parcel has arrived
- Statement
- Suspicious movements
- We could not deliver your parcel, #0000331783 (numbers vary)
- Financial documents
The file sizes of these messages vary: from about 3 KB up to about 15 KB for the zip files, and over 200 KB for the Office documents, which contain a decoy document that opens while the Trojan is downloaded in the background. The most common sizes for the zip files range from 10.5 to 12.5 KB.
Some of these scams contain specially crafted wording to try to trick busy office workers into opening the attachments. Others had nothing visible other than the paperclip icon indicating that there was an attachment.
All of these attachments contain either a JavaScript (.js) or Windows Script File (.wsf) inside a zip file, or Office macro scripts inside a .doc or .docx file, which force a download of a Trojan Horse file known as the Locky Ransomware. An unprotected Windows computer can be infected automatically by opening and unzipping the zip files, or by enabling macros in MS Word or in any other .doc reader that uses the MS Word macro script language.
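As an added illustration (not code from the original post), here is a small triage routine a mail gateway or analyst could run over an attachment to surface the traits described above: a zip disguised under a .pdf/.tiff/.gif name, .js or .wsf members inside the zip, a VBA part inside an OOXML Word document, and the 10.5 to 12.5 KB size band. The sample attachment is constructed inline; the function name and finding strings are my own.

```python
import io
import zipfile

SCRIPT_EXTS = (".js", ".wsf")              # script droppers the post reports inside zips
DISGUISE_EXTS = (".pdf", ".tiff", ".gif")  # names the post reports used to disguise zips
ZIP_MAGIC = b"PK\x03\x04"                  # zip local file header signature
OLE_MAGIC = b"\xd0\xcf\x11\xe0"            # legacy binary .doc (OLE compound file) prefix
SIZE_BAND = (10.5 * 1024, 12.5 * 1024)     # zip sizes the post says were most common


def triage_attachment(filename, data):
    """Return a list of findings for one attachment (claimed name + raw bytes)."""
    findings = []
    name = filename.lower()
    if data.startswith(ZIP_MAGIC):
        if name.endswith(DISGUISE_EXTS):
            findings.append("extension mismatch: named .%s but is a zip" % name.rsplit(".", 1)[1])
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for member in zf.namelist():
                if member.lower().endswith(SCRIPT_EXTS):
                    findings.append("script file inside zip: " + member)
                # .docx/.docm are zips too; a vbaProject.bin part means the document carries macros
                if member == "word/vbaProject.bin":
                    findings.append("Office document with VBA macros")
        if SIZE_BAND[0] <= len(data) <= SIZE_BAND[1]:
            findings.append("zip size within the band seen in this campaign")
    elif data.startswith(OLE_MAGIC):
        # Macro inspection of a legacy .doc needs an OLE parser (e.g. oletools' olevba); flag only.
        findings.append("legacy binary Office document: inspect for macros")
    return findings


def build_sample():
    """Constructed sample: a zip holding a placeholder .js, sent under a .pdf name."""
    body = b"// constructed benign placeholder\n" + b"x" * 11000  # pads into the size band
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("DSCF54499.js", body)
    return "DSCF54499.pdf", buf.getvalue()


if __name__ == "__main__":
    for finding in triage_attachment(*build_sample()):
        print(finding)
```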
I want to point out that if you use Trend Micro Internet Security (any flavor), you are protected against these scams and Ransomware threats. I use Trend Micro and pay by the year. I feel it is well worth the money for the peace of mind.
If you like this article please share it.
The content on this blog may be reprinted provided you do not modify the content and that you give credit to Wizcrafts and provide a link back to the blog home page, or individual blog articles you wish to reprint. Commercial use, or derivative work requires written permission from the author.