'Resume' Spam Used to Spread CryptoWall 3.0 Ransomware

“*Hello, my name is XXXXX. Resume attached. I look forward to seeing you. Sincerely yours, XXXXX*”

With a short, simple email message like this, a curious recipient can be lured into opening an attachment designed to look like a resume. One click on the download button is enough to infect the recipient's system with ransomware. The method may be simple, but the effect can be crippling.

A new spam run was recently spotted that carries a ransomware-laden attachment (http://www.trendmicro.com/vinfo/us/security/definition/ransomware#The_Evolution_to_CryptoLocker). The message invites the recipient to download and view the sender’s resume (my_resume_pdf_id_1422-7311.scr); the file name suggests a PDF, but the .scr extension makes it a Windows screensaver executable, so opening it runs the malicious file. Once executed, it locks down the affected system and displays a message telling the victim that their files have been encrypted with RSA-2048 (https://en.wikipedia.org/wiki/RSA_(cryptosystem)) by CryptoWall 3.0 (http://blog.trendmicro.com/trendlabs-security-intelligence/cryptowall-3-0-ransomware-partners-with-fareit-spyware/). In practice, this means the documents and data stored on the system can no longer be accessed unless the victim pays the cybercriminal.
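The lure relies on an attachment name that reads like a document but carries an executable extension. As an added example (not code from the original story or from Trend Micro), here is a small Python attachment screen of the kind a mail gateway or triage script might apply: it extracts the real extension, looks for document-sounding tokens such as "pdf" embedded in the name, and flags names that promise a document while actually being executable. The function names, the extension lists and the sample file names other than the one quoted in the story are assumptions for illustration.

```python
import re
from dataclasses import dataclass, field

# Extensions Windows executes when the user double-clicks the file (assumed list for this example).
EXECUTABLE_EXTENSIONS = {"scr", "exe", "com", "pif", "bat", "cmd", "js", "vbs", "hta"}
# Extensions a recipient would reasonably expect for a "resume" attachment (assumed list).
DOCUMENT_EXTENSIONS = {"pdf", "doc", "docx", "rtf", "txt"}


@dataclass
class Verdict:
    filename: str
    suspicious: bool
    reasons: list = field(default_factory=list)


def true_extension(filename: str) -> str:
    """Return the final extension in lower case, or '' when there is none."""
    return filename.rsplit(".", 1)[-1].lower() if "." in filename else ""


def embedded_document_hints(filename: str) -> list:
    """Document-type tokens hidden in the name, e.g. 'pdf' in my_resume_pdf_id_1422-7311.scr.

    The stem (everything before the final extension) is split on dots, underscores,
    dashes and spaces, so both 'resume.pdf.scr' and 'resume_pdf.scr' yield ['pdf'].
    """
    base = filename.lower()
    stem = base.rsplit(".", 1)[0] if "." in base else base
    tokens = re.split(r"[._\- ]+", stem)
    return [t for t in tokens if t in DOCUMENT_EXTENSIONS]


def assess_attachment(filename: str) -> Verdict:
    """Flag attachments that run as code, with extra weight when the name mimics a document."""
    reasons = []
    ext = true_extension(filename)
    if ext in EXECUTABLE_EXTENSIONS:
        reasons.append(f"executable extension .{ext}")
        hints = embedded_document_hints(filename)
        if hints:
            reasons.append(
                f"name suggests a document ({', '.join(hints)}) but the file runs as .{ext}"
            )
    return Verdict(filename=filename, suspicious=bool(reasons), reasons=reasons)


def screen_attachments(filenames: list) -> list:
    """Return the verdicts for every attachment that should be quarantined or reviewed."""
    return [v for v in (assess_attachment(name) for name in filenames) if v.suspicious]


# Constructed sample batch: the first name is the one quoted in the story, the rest are made up.
SAMPLE_ATTACHMENTS = [
    "my_resume_pdf_id_1422-7311.scr",
    "resume.pdf",
    "Jane_Doe_CV.docx",
    "Resume.PDF.exe",
    "cover_letter.txt",
]

if __name__ == "__main__":
    for verdict in screen_attachments(SAMPLE_ATTACHMENTS):
        print(f"{verdict.filename}: {'; '.join(verdict.reasons)}")
```

The check is deliberately conservative: a plain .pdf or .docx passes, while anything with an executable extension is flagged regardless of how the name is dressed up, and the "document hint" reason is what turns a routine block into a phishing indicator worth reporting to the SOC. Real gateways should also inspect the file content (magic bytes) rather than trusting the name alone.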

CryptoWall 3.0

Crypto-ransomware (http://blog.trendmicro.com/trendlabs-security-intelligence/threat-refinement-ensues-with-crypto-locker-shotodor-backdoor/), widely publicized as the more lethal descendant of ransomware, has advanced encryption capabilities that render files unusable unless a ransom is paid. Last year, a crypto-ransomware variant, CryptoWall, made noise as the final payload of spammed messages (http://blog.trendmicro.com/trendlabs-security-intelligence/social-engineering-watch-upatre-malware-abuses-dropbox-links/) that directly opens a Tor website used to extort money from the victim.

CryptoWall 3.0 is a further evolved variant that uses hardcoded, heavily obfuscated URLs to evade detection. This buys the malware more time to communicate with a C&C server and obtain the RSA public key it needs to encrypt files. The C&C server is separate from the payment page, which still uses Tor, so that ransom transactions keep running without interference from the authorities. CryptoWall 3.0 also takes the "smarter" step of deleting the target system's shadow copies to block attempts to restore files to their previous state, leaving the victim with no option but to pay up. Read the source story here: http://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/-resume-spam-used-to-spread-cryptowall-3-0-ransomware

Dave Safley

Technology King Pin ;) 