Dangerous Spam RansomWare Email

Recently, we've seen a wave of dangerous "RansomWare" spam. RansomWare is malware that locks you out of the files on your computer by encrypting them and then tries to extort money from you to unlock them. It can also encrypt files on network shares and mapped drives that your computer can write to, so one infected PC can take out files that other people in the office depend on.

The malware usually arrives as a file attached to an email message. Typically, the email claims to be from a financial institution or other well-known business, such as Lloyds of London, Dun & Bradstreet, or the Better Business Bureau.

The scammer tries to get you to run the malware by urging you to open the attachment, claiming it contains scanned documents or offering some other pretext.

How to Spot Email with CryptoLocker and Other RansomWare

The attachment that the scammer wants you to open is a ".zip" file. Inside the zip file is an executable (usually a ".exe") that infects your computer the moment you run it. The email itself is harmless until the attachment is opened, so: DON'T OPEN THE ATTACHMENT OR CLICK ON IT.

To trick you into thinking it's safe, the scammer usually gives the executable inside the zip file a double extension, something like "deposit.pdf.exe" or "document001.pdf.exe". By default Windows hides the extension of known file types, so such a file shows up in Explorer as just "deposit.pdf" with no ".exe" visible at all. Keep in mind that attachment names change with each wave of the attack, so be wary of any unexpected attachment, regardless of its name.

Although we haven't seen it in this attack, in the past scammers have padded the filename with a long run of spaces before the ".exe", like:

"deposit.pdf                                                              .exe"

so the ".exe" is pushed out of the visible part of the filename column and you take it for a PDF file. The last extension is still what Windows uses to decide how to open the file, so the padded name is every bit as dangerous as "deposit.pdf.exe".

Don't rely on your antivirus software to detect this or other malware attached to email. Each new wave is usually repacked so that signature-based antivirus doesn't recognize it until the vendor publishes updated signatures, and no product detects every variant.

Other blogs are reporting the financial-institution variant of this campaign. We've already seen other lures that also appear to carry the CryptoLocker malware. So, also be careful if you get an email that claims to have any of the following attached:

  • Xerox "scanned documents"
  • UPS/Fedex "tracking" emails
  • ADP payroll

Always remember that reputable companies do not send unexpected emails with ".zip" or ".exe" attachments that you need to open or programs that you need to run. Remember too that the sender address in an email is trivially forged, so a familiar company name in the From line proves nothing about where the message really came from.

What RansomWare Will Do to You

If you open or run the attachment, the malware inside it can wreak havoc on your computer and on any network shares it can reach. Because the RansomWare scammer wants money, this type of malware encrypts your important files so you can no longer open them.

Then it displays a message telling you your files are encrypted and that you have a certain amount of time to pay a ransom to get the key that will unlock them. The message looks like this:

[Screenshot: CryptoLocker ransom message]

If you see that screen, it's already too late: the files are encrypted. Some people report regaining access to their files after paying the ransom (often several hundred dollars), but paying is no guarantee. The only dependable way back is restoring from a backup the malware couldn't reach, such as an offline copy or one on a drive that wasn't mapped at the time.

Making things worse for those already victimized, one of our threat analysts says that authorities have been quickly cracking down on this scam. To try to prevent further infections, they've been taking down servers used by the operation. But the decryption key for each victim is held only on the criminals' servers, so people infected before a takedown can't get the key they need to unlock their files, even if they pay. They may never be able to access those files again.

We Blocked This Attack Before It Hit

Customers have been asking us if we are aware of this threat and if we're blocking it. Because of the unique way that SpamStopsHere works (spam profile database, content filters and 24/7/365 live threat analysis), we were ready to block this threat before it even hit.

We can often predict what the next wave of spam will look like and we've had several filters in place for a while that recognize this type of scam. Our antispam filters block all emails with an attached zip file that contains ".exe" or other potentially dangerous executable files, so our customers should never see these types of attacks.
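The attachment rule described here (block a message whose zip attachment contains an executable) together with the naming tricks from the "How to Spot" section above (double extensions, whitespace padding before ".exe", hidden extensions), as a worked example. This is added illustrative code written for this page, not SpamStopsHere's filter or any product's code. The executable and decoy extension lists, the sender, subject and body of the sample messages, and the attachment contents are all constructed for the example. It also goes a little beyond the page: it catches the Unicode right-to-left override character and looks one level into nested zips.

```python
"""Attachment check for zip archives that carry a disguised executable.
Constructed example: not SpamStopsHere's filter. Two sample messages are
built in memory (one lure, one benign) and scanned offline."""
from __future__ import annotations

import io
import os
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Extensions Windows runs directly. Assumed list for this example.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js",
                   ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".cpl", ".msi", ".jar"}
# Extensions used as the harmless-looking half of a double extension.
DECOY_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".jpeg", ".png", ".txt"}
RLO = "\u202e"  # Unicode right-to-left override: another way to hide the real extension

def inspect_name(name: str) -> list[str]:
    """Return the naming tricks found in one file name; an empty list means nothing suspicious."""
    reasons = []
    base = name.replace("\\", "/").rsplit("/", 1)[-1]  # zip members may carry a path
    if RLO in base:
        reasons.append("right-to-left override character in name")
        base = base.replace(RLO, "")
    stem, ext = os.path.splitext(base)  # splits on the LAST dot, so any padding stays in stem
    if ext.lower() in EXECUTABLE_EXTS:
        reasons.append(f"executable extension {ext.lower()}")
        if stem != stem.rstrip():
            reasons.append("whitespace padding before the real extension")
        decoy = os.path.splitext(stem.rstrip())[1].lower()
        if decoy in DECOY_EXTS:
            reasons.append(f"double extension with decoy {decoy}")
    return reasons

def inspect_zip(data: bytes, depth: int = 0) -> list[tuple[str, list[str]]]:
    """List (member name, reasons) for suspicious members, looking one level into nested zips."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [("<attachment>", ["claims to be a zip but is not a valid archive"])]
    findings = []
    for info in zf.infolist():
        if info.is_dir():
            continue
        reasons = inspect_name(info.filename)  # names are readable even in password-protected zips
        if reasons:
            findings.append((info.filename, reasons))
        elif info.filename.lower().endswith(".zip") and depth < 1:
            try:
                inner = zf.read(info)
            except RuntimeError:  # encrypted nested archive: cannot look inside, so flag it
                findings.append((info.filename, ["encrypted nested archive"]))
                continue
            findings.extend((f"{info.filename}/{n}", r) for n, r in inspect_zip(inner, depth + 1))
    return findings

def scan_message(raw: bytes) -> dict:
    """Parse an RFC 822 message and apply the rule: block if a zip attachment holds an executable."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        filename = part.get_filename() or "<unnamed>"
        payload = part.get_payload(decode=True) or b""
        reasons = inspect_name(filename)  # a bare .exe attachment is caught by the same check
        if reasons:
            findings.append((filename, reasons))
        if payload.startswith(b"PK\x03\x04") or filename.lower().endswith(".zip"):
            findings.extend((f"{filename}/{n}", r) for n, r in inspect_zip(payload))
    return {"block": bool(findings), "findings": findings}

def build_sample(attachment_name: str, members: dict[str, bytes]) -> bytes:
    """Constructed lure e-mail with one zip attachment; sender, subject and body are made up."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    msg = EmailMessage()
    msg["From"], msg["To"] = "scanner@example.com", "victim@example.org"
    msg["Subject"] = "Scanned document from Xerox WorkCentre"
    msg.set_content("Please see the attached scanned document.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename=attachment_name)
    return msg.as_bytes()

# Sample inputs (constructed): a padded double-extension executable, and a real PDF.
MALICIOUS = build_sample("Scan_0001.zip", {"deposit.pdf" + " " * 40 + ".exe": b"MZ" + b"\x00" * 62})
BENIGN = build_sample("Scan_0002.zip", {"Scan_0002.pdf": b"%PDF-1.4\n%%EOF\n"})

if __name__ == "__main__":
    for label, raw in (("malicious", MALICIOUS), ("benign", BENIGN)):
        print(label, scan_message(raw))
```

Two design points worth noting. The name check looks only at the final extension, because that is what Windows uses regardless of how much padding or how many decoy extensions precede it. And member names are inspected without extracting anything, which is why a password-protected zip still gets caught: zip encryption protects file contents, not the directory of names.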

As an extra layer of security, we add specific filters to block new campaigns. That ensures they're blocked by different methods in our multi-layer filtering system.

So, even though we were already blocking this new threat, we wrote additional filters as soon as we saw it. Those filters should help us block this campaign and the inevitable future variations on it.

For More Info

Our spam review team, along with our proprietary Spamalyzer 3.0, analyzes and blocks email threats for our customers 24/7/365. That's a claim almost no other antispam provider can make. Click here for more about SpamStopsHere and our 24/7/365 live support