Cybercriminals have been using ransomware for quite a while now, and while Cryptolocker has captured most of the headlines lately, there are still plenty of other variants making the rounds. One of the variants we are currently seeing takes a simple (yet effective) approach to lure its victims.
This malicious email campaign uses several subject lines, such as “You look terrible on this photo” or “Shame on you”, and carries nothing but a smiley face in the message body. Each message has an attached file designed, at first glance, to look like nothing more than a JPG image. Malware distributors are certainly never short on social engineering tactics, but a simple and intriguing technique like this one will always work to some extent.
The attachments are actually .zip files that contain a malicious .scr file, which installs a Trojan downloader. After gaining a foothold on the machine, this malware currently reaches out to one of several domains under the .su TLD and downloads more malicious files from the remote server. At present, this process leads to the installation of a fake-AV-style ransomware. Once installed, the program locks the machine's applications and generates pop-ups designed to mimic a legitimate AV product. The pop-up demands a payment that will supposedly remove the infection. The computer is unusable until either the payment is made or the user gets wise and removes the malware.
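The lure described above rests on two tricks a mail gateway can check for mechanically: an attachment whose name suggests an image but whose bytes are a ZIP container, and an archive member carrying a Windows executable extension such as .scr, often behind a double extension like "photo.jpg.scr". The following is an added example written for this post, not code from the original article or from any product; the file names, the magic-byte checks and the sample archives are constructed here for illustration.

```python
import io
import zipfile

# Added example (not from the original post): inspect a mail attachment the way
# a defender's gateway filter might. Sniff the real container type from its
# leading bytes, then look inside any ZIP for Windows executables such as the
# .scr screensaver binaries this campaign ships, including double-extension
# names like "photo.jpg.scr" that are meant to read as images.

EXECUTABLE_EXTENSIONS = {".scr", ".exe", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js"}
IMAGE_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif", ".bmp"}

ZIP_MAGIC = b"PK\x03\x04"      # local file header of a ZIP archive
JPEG_MAGIC = b"\xff\xd8\xff"   # JPEG start-of-image marker
MZ_MAGIC = b"MZ"               # DOS/PE executable header


def _extension(name):
    """Lower-cased last extension of a file name, with the dot ('' if none)."""
    base = name.rsplit("/", 1)[-1]
    if "." not in base:
        return ""
    return "." + base.rsplit(".", 1)[-1].lower()


def _second_extension(name):
    """The extension just before the last one, e.g. '.jpg' for 'a.jpg.scr'."""
    base = name.rsplit("/", 1)[-1]
    parts = base.lower().split(".")
    if len(parts) < 3:
        return ""
    return "." + parts[-2]


def sniff_container(data):
    """Identify the real file type from its leading bytes, ignoring the name."""
    if data.startswith(ZIP_MAGIC):
        return "zip"
    if data.startswith(JPEG_MAGIC):
        return "jpeg"
    if data.startswith(MZ_MAGIC):
        return "pe"
    return "unknown"


def inspect_attachment(filename, data):
    """Return a list of human-readable findings; an empty list means nothing suspicious."""
    findings = []
    kind = sniff_container(data)

    # A name that claims to be an image but carries a ZIP (or a PE) is the lure itself.
    if _extension(filename) in IMAGE_EXTENSIONS and kind in ("zip", "pe"):
        findings.append(f"{filename}: named as an image but content is {kind}")

    if kind == "pe":
        findings.append(f"{filename}: bare Windows executable")

    if kind == "zip":
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                member = info.filename
                ext = _extension(member)
                if ext in EXECUTABLE_EXTENSIONS:
                    findings.append(f"{filename}: archive member {member} is executable ({ext})")
                    if _second_extension(member) in IMAGE_EXTENSIONS:
                        findings.append(f"{filename}: {member} uses a double extension to pose as an image")
                # Also catch an executable whose extension was renamed to look harmless.
                if ext in IMAGE_EXTENSIONS and zf.read(member).startswith(MZ_MAGIC):
                    findings.append(f"{filename}: {member} has an image extension but PE content")
    return findings


def build_zip(members):
    """Build an in-memory ZIP from {name: bytes}; used here only to construct samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples (not real campaign files): a ZIP holding a fake PE stub
# named like a photo, mirroring the lure's shape, and a benign ZIP of a JPEG.
LURE_ZIP = build_zip({"IMG_4471.jpg.scr": MZ_MAGIC + b"\x90\x00" * 64})
BENIGN_ZIP = build_zip({"vacation.jpg": JPEG_MAGIC + b"\xe0" + b"\x00" * 64})


if __name__ == "__main__":
    for name, blob in (("photo.jpg", LURE_ZIP), ("photo.zip", BENIGN_ZIP)):
        print(name, inspect_attachment(name, blob) or ["clean"])
```

The check deliberately trusts bytes over names: the attachment's declared extension and the member names inside the archive are both attacker-controlled, so the only reliable signal is what the content actually is. A real gateway would extend this with nested archives and password-protected ZIPs, which this short example does not handle.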
This type of ransomware has been in circulation for years, but it can be just as troublesome for some users as the now infamous Cryptolocker. Take, for example, the unwitting user who suffers this infection and believes that the alerts come from their (actual) AV provider. In many cases the user will reach for their credit card and submit the required payment without hesitation, thinking that they are paying a real AV provider. Most of the time, paying the ransom will unlock your machine for the time being… However, the backdoor into your machine remains in place, and there is nothing to stop this process from repeating or some other form of malware from being installed at the cybercriminals' whim. In the process you have not only made a payment to the criminals but have also divulged your credit card information. Of course, many users would recognize this ransomware technique as a scam and take the appropriate steps to remove the infection.