Earlier this year, we had a lull in malware traffic for about three weeks after the Necurs botnet quite suddenly stopped sending out junk. History repeated itself on October 6th, when we saw another drop in malware traffic. Today, that dive in traffic might be over: the Locky campaign kicked back into high gear this morning, dishing out around 14 million virus emails so far.


The attached zip file unzips to a 130 KB .js file. This file again follows the tactics used in JavaScript malware this year: the file itself is heavily obfuscated to avoid detection. When executed, it goes through its normal encryption phase. With many variants out there, we often see the same variety of extensions used on the encrypted files. If you have a file named family_photos.jpg, the ransomware may go back and rename it to something like M5096-GT654-GHT.locky. This variant uses a similar name format to the others we have seen, but the extension this time is .shit. Presumably this extension was chosen simply because the authors can use whatever extension they desire.
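The two observable artifacts in this paragraph, a zip attachment that carries a script file and encrypted files renamed to a fixed pattern with a new extension, are both things a defender can check for mechanically. The following Python is an added example written for this post, not AppRiver's SecureTide logic: it unpacks a zip attachment in memory and blocks it if any member (including one level of nested zip) is a script type, and it matches file names against the rename pattern. The list of script extensions beyond .js and the exact character classes of the rename pattern, which is modelled on the single sample name above, are assumptions; the sample attachment is constructed inline with a placeholder script body.

```python
import io
import re
import zipfile

# Extensions the Windows Script Host or shell executes when double-clicked.
# The page only mentions .js; the rest of this list is an assumption for the example.
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta", ".cmd", ".bat"}

# Modelled on the single renamed-file sample on the page (M5096-GT654-GHT.locky) and the
# .shit extension it reports; the character classes are an assumption, not a vendor rule.
RENAMED_FILE = re.compile(r"^[A-Z0-9]{5}-[A-Z0-9]{5}-[A-Z0-9]{3}\.(locky|shit)$")

_MAX_DEPTH = 2  # how many nested archives to follow before giving up


def _extension(name: str) -> str:
    """Last extension of a path, lower-cased ('invoice.pdf.js' -> '.js')."""
    base = name.rsplit("/", 1)[-1]
    return base[base.rfind("."):].lower() if "." in base else ""


def script_members(zip_bytes: bytes, depth: int = 0) -> list:
    """Names of archive members that are script files; nested zips are scanned too."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            ext = _extension(info.filename)
            if ext in SCRIPT_EXTENSIONS:
                hits.append(info.filename)
            elif ext == ".zip" and depth < _MAX_DEPTH:
                try:
                    inner = script_members(zf.read(info.filename), depth + 1)
                except zipfile.BadZipFile:
                    inner = []  # a corrupt inner archive cannot run anything
                hits.extend(f"{info.filename}!{m}" for m in inner)
    return hits


def classify_attachment(filename: str, payload: bytes) -> dict:
    """Gateway-style verdict for one attachment: block zips that carry a script."""
    verdict = {"filename": filename, "block": False, "reason": "", "members": []}
    if _extension(filename) != ".zip":
        return verdict  # only zip attachments are examined here
    try:
        members = script_members(payload)
    except zipfile.BadZipFile:
        # A .zip that does not parse is treated as hostile rather than waved through.
        verdict.update(block=True, reason="malformed zip")
        return verdict
    if members:
        verdict.update(block=True, reason="script file inside archive", members=members)
    return verdict


def is_ransomware_renamed(filename: str) -> bool:
    """Host-side signal: does a file name match the renamed/encrypted pattern?"""
    return RENAMED_FILE.match(filename.rsplit("/", 1)[-1]) is not None


def build_sample_attachment() -> bytes:
    """Constructed stand-in for the campaign's attachment: a zip holding one .js file.
    The script body is a harmless placeholder, not the real obfuscated downloader."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("invoice_12345.js", "// placeholder, not the real script\n")
        zf.writestr("readme.txt", "constructed decoy text file\n")
    return buf.getvalue()


def build_nested_sample() -> bytes:
    """Constructed zip-inside-a-zip, to show that nesting does not hide the script."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("inner.zip", build_sample_attachment())
    return buf.getvalue()


if __name__ == "__main__":
    print(classify_attachment("invoice.zip", build_sample_attachment()))
    print(classify_attachment("outer.zip", build_nested_sample()))
    print(is_ransomware_renamed("M5096-GT654-GHT.shit"))
```

The archive is inspected by member name only, which is enough for this campaign because the script must keep a script extension for Windows to run it; a gateway that also wanted to catch renamed scripts would have to look at member content as well.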


After encryption, I found an HTML file on the desktop containing the ransom note, and an image popup appeared with instructions on how to pay the ransom using Tor. This is standard practice once the file encryption process is done.


Leading Microsoft Exchange Server and Office 365 resource site, MSExchange.org, announced today that AppRiver’s Secure Hosted Exchange was selected first runner-up in the Exchange Hosting category of the MSExchange.org Readers’ Choice Awards.

“Our Readers’ Choice Awards give visitors to our site the opportunity to vote for the products they view as the very best in their respective category,” said Sean Buttigieg, MSExchange.org manager. “MSExchange.org users are specialists in their field who encounter various solutions for Exchange Server at the workplace. Their vote serves as a solid peer-to-peer recommendation of the winning product.”

MSExchange.org conducts regular polls to discover which product is preferred by Exchange administrators in a particular category of third-party solutions for Microsoft Exchange Server and Office 365. The awards draw a huge response per category and are based entirely on the visitors’ votes.

Please visit our Secure Hosted Exchange page to learn more about Exchange from AppRiver.

This week’s Threat Thursday focuses on a social engineering campaign that attempts to impersonate the United States Postal Service. Our security research team at AppRiver first spotted this phishing blast late last week. In the campaign, an email contains fraudulent information about a package delivery. The message states that there is an issue with the package and that, to resolve it, the recipient must click on the link provided.


The cyber criminals use URL obfuscation in the message to deceive recipients into thinking the link provided is an official USPS.com file download. On closer inspection, the URL points to an abused Google Docs link. Not much else is known about the campaign beyond the usual red flags (spoofed sender address, compromised sending IP address, etc.). Our team has seen various samples of this campaign, including similar ones using FedEx and UPS as the impersonated company, with different wording directing users to the malicious payload. Users are advised to take extreme caution when receiving unexpected emails from shipping companies that contain generic and ominous messages about problems with a package delivery. Pay close attention to the message itself, looking for clues such as URL obfuscation and questionable wording to help determine its legitimacy. When in doubt, it never hurts to call the shipping company directly to obtain details about an expected delivery.
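The "URL obfuscation" described here is the classic mismatch between what a link says and where it goes: the visible text names USPS.com while the href points at Google Docs. That mismatch is something a mail filter or a training tool can detect automatically. The Python below is an added example for this post, not part of AppRiver's product: it parses an HTML body, collects every anchor's href and visible text, and reports anchors whose text names one site while the href resolves to another. The sample message body is constructed (the Google Docs document id is a placeholder), and the two-label "registrable domain" helper is a simplification noted in the code.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Something that looks like a host name inside visible link text, e.g. "www.usps.com/track".
# Heuristic: plain words such as "label.pdf" can also match, so findings need review.
_TEXT_HOST = re.compile(r"(?:https?://)?(?:www\.)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)")


def registrable_domain(host: str) -> str:
    """Crude 'site' of a host: its last two labels (docs.google.com -> google.com).
    Assumption for this example; a production filter would use the Public Suffix List
    so that hosts under co.uk and similar are not collapsed to the suffix itself."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            # Collapse the whitespace HTML layout leaves inside the anchor text.
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def find_deceptive_links(html: str) -> list:
    """Return anchors whose visible text names one site while the href goes to another."""
    parser = _LinkCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for href, text in parser.links:
        href_host = urlparse(href).hostname
        match = _TEXT_HOST.search(text.lower())
        if not href_host or not match:
            continue  # no host on one side, so there is nothing to compare
        shown = registrable_domain(match.group(1))
        actual = registrable_domain(href_host)
        if shown != actual:
            findings.append({"text": text, "shown_domain": shown,
                             "href_domain": actual, "href": href})
    return findings


# Constructed sample modelled on the page's description: the visible text claims a
# USPS.com download, the href points at a Google Docs URL (placeholder document id).
SAMPLE_BODY = """
<html><body>
<p>We could not deliver your package. Please download and print the shipping label:</p>
<p><a href="https://docs.google.com/document/d/PLACEHOLDER-DOC-ID/export?format=pdf">
   www.USPS.com/shipping_label_8814.pdf</a></p>
<p>Track your parcel at <a href="https://www.usps.com/">www.usps.com</a>.</p>
</body></html>
"""

if __name__ == "__main__":
    for f in find_deceptive_links(SAMPLE_BODY):
        print(f"link text claims {f['shown_domain']} but goes to {f['href_domain']}: {f['href']}")
```

The second anchor in the sample, whose text and href both belong to usps.com, is deliberately left unflagged so the check distinguishes a legitimate tracking link from the deceptive one; the same comparison works unchanged for the FedEx and UPS variants mentioned above, since it keys on the mismatch rather than on any particular brand.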


AppRiver’s SecureTide engine has various rules in place to stop this phishing campaign. At the time of this writing, an estimated 9300 emails have been blocked from reaching customers’ inboxes. We will continue to monitor for future variants.

Our friends in the Southeastern United States can’t seem to catch a break. First it was Hermine, now it’s Matthew. And with Hurricane Nicole predicted to nudge Matthew back to Florida’s arms, we’d like to first and foremost wish all of our friends in the storm’s path to be safe and to take all of the safety precautions you can. After you’ve made sure that you and your family are safe, it’s time to make sure your email is too.

Bad weather can create a perfect storm for business, which is why AppRiver would like to remind all of our friends in the storm’s hot zones about our free Digital Disaster Preparedness Service (DDPS). First made available in 2005, DDPS is a service designed to prevent businesses from losing email in the event of a mail server outage. We’re offering it at no charge to our friends who may be in the path of Hurricane Matthew, as well as any other sort of imminent threat, such as wildfires, flooding, etc.

Hurricane Image

So what exactly is the DDPS? DDPS is a special offering to businesses that lie within the cone of uncertainty in advance of a hurricane or other natural disaster. The cloud-based service averts email loss and bounced messages by redirecting an organization’s email to one of AppRiver’s secure data centers, while also blocking any spam and virus messages. Once the danger passes and connectivity is restored, AppRiver will forward all outage-period email back to the company’s servers, free of charge.

Registration is simple and typically takes less than 10 minutes to complete. Businesses need only contact AppRiver to receive step-by-step instructions for redirecting their email to AppRiver. Almost immediately, AppRiver will begin monitoring the company’s server activity. When AppRiver detects a loss of connectivity with the email server, its service will begin queuing the business’s incoming messages in one of its safely located, hardened data centers until the business’s servers are able to receive email again.

And while hurricanes can be forecast days before landfall, fires and power outages are harder to predict. Businesses that are not located in the cone of a hurricane but would like to protect themselves from other disasters might also consider trying AppRiver’s Email Continuity Service risk-free for 30 days.

For more information on AppRiver’s DDPS, please visit: https://www.appriver.com/solutions/by-need/disaster-preparedness/

For more information on AppRiver’s Email Continuity Service, please visit https://www.appriver.com/services/email-continuity/